
Entitlements issue in the IDM.4.5 User Application


Hi all,

I have an issue assigning a resource with an entitlement. The request is
still in the running state. I found it is an entitlement issue, but it is
strange because I installed the newest version of IDM4.5 with the patches
and I deployed the LDAP driver. Also, I used the newest version of Designer and
all packages are updated.
I found the following error in the traces of Role and Resource Service
Driver:


-<nds dtdversion="4.0" ndsversion="8.x">
<source>
<product edition="Advanced" version="4.5.0.2">DirXML</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<nrf:resrequest dn="O=system\OU=services\OU=idm\CN=driverset\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150312095634-6241066a88b348e388711678ae9c5a56-0" event-id="0" xmlns:nrf="urn:dirxml:nrf"/>
</input>
</nds>
[03/12/15 09:56:34.672]:Role and Resource Service Driver ST:SubscriptionShim.execute() returned:
[03/12/15 09:56:34.672]:Role and Resource Service Driver ST:
<nds dtdversion="4.0">
<source>
<product instance="Role and Resource Service Driver"
version="4.5.0.0">NetIQ Role Service Driver</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="0" level="error">Error processing request
DN: O=system\OU=services\OU=idm\CN=driverset\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150312095634-6241066a88b348e388711678ae9c5a56-0
Reason: java.lang.Exception: Error. Entitlement parameter value is not in the expected JSON format, defined by the entitlement configuration setting named parameter-format. This can occur from malformed JSON in the parameter value, or an entitlement was provisioned with a legacy parameter value before the entitlement parameter support was upgraded to IDM4.
DN: O=system\OU=services\OU=idm\CN=driverset\CN=PostgreSQL ACME Schema\CN=Account
Agent: UA
Parameter Value: </status>
</output>
</nds>-

Also, I read Geoffrey's blog http://tinyurl.com/la52w5b to
understand it, and I read TID '7009911'
(https://www.novell.com/support/kb/doc.php?id=7009911) too, but it is not
clear to me how I can solve this issue 😞

Do you have any idea what could be wrong and how I can solve it?
Many thanks!

Milan


--
mjuricek
------------------------------------------------------------------------
mjuricek's Profile: https://forums.netiq.com/member.php?userid=1616
View this thread: https://forums.netiq.com/showthread.php?t=53088

Re: Entitlements issue in the IDM.4.5 User Application

Go look at your nrfResource object. Read the nrfEntitlementRef attribute.

What is the value, inside the path component, inside the <param></param>
node of that component?

(This value is the DirXML-EntitlementRef that will be added to each
user who is granted the Resource).

That stuff inside <param/> should be JSON. Alas, empty, is apparently
invalid JSON.

If you have no value in this entitlement, just define it as a valued
entitlement and give it a silly value. (I vote for something funny like
42). So that the JSON should become {"ID":"42"} or somesuch which is valid.

If your implemented entitlement in the actual driver stuff is not using
the value, then it does not matter what you put in there.

Be nice if there was an official way to specify an empty value that RRSD
would accept.


On 3/12/2015 7:54 AM, mjuricek wrote:
>
> Hi all,
>
> I have an issue assigning a resource with an entitlement. The request is
> still in the running state. I found it is an entitlement issue, but it is
> strange because I installed the newest version of IDM4.5 with the patches
> and I deployed the LDAP driver. Also, I used the newest version of Designer and
> all packages are updated.
> I found the following error in the traces of Role and Resource Service
> Driver:
>
>
> -<nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.5.0.2">DirXML</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <input>
> <nrf:resrequest dn="O=system\OU=services\OU=idm\CN=driverset\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150312095634-6241066a88b348e388711678ae9c5a56-0" event-id="0" xmlns:nrf="urn:dirxml:nrf"/>
> </input>
> </nds>
> [03/12/15 09:56:34.672]:Role and Resource Service Driver ST:SubscriptionShim.execute() returned:
> [03/12/15 09:56:34.672]:Role and Resource Service Driver ST:
> <nds dtdversion="4.0">
> <source>
> <product instance="Role and Resource Service Driver"
> version="4.5.0.0">NetIQ Role Service Driver</product>
> <contact>NetIQ Corporation</contact>
> </source>
> <output>
> <status event-id="0" level="error">Error processing request
> DN: O=system\OU=services\OU=idm\CN=driverset\CN=UserApplication\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20150312095634-6241066a88b348e388711678ae9c5a56-0
> Reason: java.lang.Exception: Error. Entitlement parameter value is not in the expected JSON format, defined by the entitlement configuration setting named parameter-format. This can occur from malformed JSON in the parameter value, or an entitlement was provisioned with a legacy parameter value before the entitlement parameter support was upgraded to IDM4.
> DN: O=system\OU=services\OU=idm\CN=driverset\CN=PostgreSQL ACME Schema\CN=Account
> Agent: UA
> Parameter Value: </status>
> </output>
> </nds>-
>
> Also, I read Geoffrey's blog http://tinyurl.com/la52w5b to
> understand it, and I read TID '7009911'
> (https://www.novell.com/support/kb/doc.php?id=7009911) too, but it is not
> clear to me how I can solve this issue 😞
>
> Do you have any idea what could be wrong and how I can solve it?
> Many thanks!
>
> Milan
>
>


Re: Entitlements issue in the IDM.4.5 User Application


So I changed the entitlement to valued, set the values and I read the
nrfEntitlementRef in the Role and Resource Service Driver.
The value is:

-1\T=ACME\O=system\OU=services\OU=idm\CN=driverset\CN=ApacheDS-LDAPDriver\CN=Account<?xml version="1.0" encoding="UTF-8"?><ref>
<src>UA</src>
<id/>
<param>TestValue</param>
</ref>-

Is it OK? Because it does not work either.
M.


--
mjuricek
Re: Entitlements issue in the IDM.4.5 User Application


Ok... when I set the value in JSON format in the UA - in my
resource, it is working.
It looks like a bug!

Milan


--
mjuricek
Re: Entitlements issue in the IDM.4.5 User Application

On 3/12/2015 9:54 AM, mjuricek wrote:
>
> So I changed the entitlement to valued, set the values and I read the
> nrfEntitlementRef in the Role and Resource Service Driver.
> The value is:
>
> -1\T=ACME\O=system\OU=services\OU=idm\CN=driverset\CN=ApacheDS-LDAPDriver\CN=Account<?xml version="1.0" encoding="UTF-8"?><ref>
> <src>UA</src>
> <id/>
> <param>TestValue</param>
> </ref>-
>
> Is it OK? Because it does not work either.


No it is not Ok. TestValue is not valid JSON, which is the message you
were getting.

I gave a specific JSON example, which would probably suffice.


Re: Entitlements issue in the IDM.4.5 User Application

On 03/12/2015 11:33 AM, Geoffrey Carman wrote:
>
> No it is not Ok. TestValue is not valid JSON, which is the message you
> were getting.
>
> I gave a specific JSON example, which would probably suffice.
>
>

Greetings,
We do not re-evaluate assigned Resources when one makes a change in
regards to Entitlements or Request Parameters.

Once you create a Resource and have assigned it to a user or associated
it to Role then you can not do the following:

a) Add an Entitlement
b) Remove an Entitlement
c) Change the value of an Entitlement
d) Change the format of an Entitlement
e) Add new Request Parameters
f) Remove Request Parameters
g) Modify Request Parameter


If you need to make any of the above changes, then you have to:

1) Remove the Resource from being associated to any and all Roles
2) Manually revoke any users that were directly assigned
3) Make the necessary changes
4) Re-associate the Resource to the Role(s)
5) Assign any users that were directly Assigned.


Failure to follow the above steps will result in many different kinds of
problems with Revocation.


--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
Re: Entitlements issue in the IDM.4.5 User Application

On 03/12/2015 01:18 PM, Steven Williams wrote:
> Greetings,
> We do not re-evaluate assigned Resources when one makes a change in
> regards to Entitlements or Request Parameters.
>
> Once you create a Resource and have assigned it to a user or associated
> it to Role then you can not do the following:
>
> a) Add an Entitlement
> b) Remove an Entitlement
> c) Change the value of an Entitlement
> d) Change the format of an Entitlement
> e) Add new Request Parameters
> f) Remove Request Parameters
> g) Modify Request Parameter
>
>
> If you need to make any of the above changes, then you have to:
>
> 1) Remove the Resource from being associated to any and all Roles
> 2) Manually revoke any users that were directly assigned
> 3) Make the necessary changes
> 4) Re-associate the Resource to the Role(s)
> 5) Assign any users that were directly Assigned.
>
>
> Failure to follow the above steps will result in many different kinds of
> problems with Revocation.
>
>

I also forgot to outline that you can have issues with assignment
depending upon what was changed.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
Re: Entitlements issue in the IDM.4.5 User Application


Steven Williams;255262 Wrote:
> I also forgot to outline that you can have issues with assignment
> depending upon what was changed.
>
> --
>
> Sincerely,
> Steven Williams
> Lead Software Engineer
> NetIQ


Hi, same problem is happening to me.

When I define a NO VALUED Entitlement for a Resource Object and I try to
assign it to a user it gives the error outlined by mjuricek. If I add
the tag param in JSON format directly on the attribute nrfEntitlementRef
on the resource object (it doesn't matter the value) it works.

ORIGINAL nrfEntitlementRef attribute value (not working):
-cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#<?xml version="1.0"
encoding="UTF-8"?><ref>
<src>UA</src>
<id/>
<param/>
</ref>-

MODIFIED nrfEntitlementRef attribute value (working):
-cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#<?xml version="1.0"
encoding="UTF-8"?><ref>
<src>UA</src>
<id/>
<param>{"ID":"NADA"}</param>
</ref>-

The ORIGINAL attribute value works correctly on IDM 4.02. Is there any
fix for this on IDM 4.5?

Regards.


--
--
Facundo Orsi
--
------------------------------------------------------------------------
orsifacundo's Profile: https://forums.netiq.com/member.php?userid=734
View this thread: https://forums.netiq.com/showthread.php?t=53088

Re: Entitlements issue in the IDM.4.5 User Application

On 2/17/2016 10:04 AM, orsifacundo wrote:
>
>
> Hi, same problem is happening to me.
>
> When I define a NO VALUED Entitlement for a Resource Object and I try to
> assign it to a user it gives the error outlined by mjuricek. If I add
> the tag param in JSON format directly on the attribute nrfEntitlementRef
> on the resource object (it doesn't matter the value) it works.
>
> ORIGINAL nrfEntitlementRef attribute value (not working):
> -cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#<?xml version="1.0"
> encoding="UTF-8"?><ref>
> <src>UA</src>
> <id/>
> <param/>
> </ref>-
>
> MODIFIED nrfEntitlementRef attribute value (working):
> -cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#<?xml version="1.0"
> encoding="UTF-8"?><ref>
> <src>UA</src>
> <id/>
> <param>{"ID":"NADA"}</param>
> </ref>-
>
> The ORIGINAL attribute value works correctly on IDM 4.02. Is there any
> fix for this on IDM 4.5?


I think we heard that to use an unvalued entitlement, you need to set a
value of {} as null. However, the better way to do it is, in
entitlementConfiguration, to define this entitlement as legacy format, not idm4.
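
An added example (not part of the thread, and not NetIQ code): a Python check that pulls the <param> text out of dumped nrfEntitlementRef values and reports which ones are empty or not parseable as JSON, the condition the trace above complains about when parameter-format is idm4. The sample values are constructed from the ones quoted in the thread, and the names DN_PREFIX, REF_TEMPLATE, classify and audit are made up for this example; the thread does not say whether RRSD accepts a non-object JSON value, so that case is only reported separately.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed samples, modelled on the nrfEntitlementRef values quoted in the thread.
DN_PREFIX = "cn=RACFAccount,cn=RACF,cn=driverset1,o=system#1#"
REF_TEMPLATE = ('<?xml version="1.0" encoding="UTF-8"?><ref>\n'
                "<src>UA</src>\n<id/>\n{param}\n</ref>")
SAMPLES = {
    "empty": DN_PREFIX + REF_TEMPLATE.format(param="<param/>"),
    "plain": DN_PREFIX + REF_TEMPLATE.format(param="<param>TestValue</param>"),
    "object": DN_PREFIX + REF_TEMPLATE.format(param='<param>{"ID":"NADA"}</param>'),
    "empty-object": DN_PREFIX + REF_TEMPLATE.format(param="<param>{}</param>"),
}

# Only the <ref>...</ref> element is handed to the XML parser. The DN prefix,
# the XML declaration and any DOCTYPE in front of it are dropped, so the
# attribute value cannot define entities for the parser to expand.
REF_RE = re.compile(r"<ref\b.*?</ref>", re.DOTALL)


def extract_param(value):
    """Return the text of <param> inside an nrfEntitlementRef value ('' if none)."""
    match = REF_RE.search(value)
    if match is None:
        raise ValueError("no <ref>...</ref> block in attribute value")
    ref = ET.fromstring(match.group(0))
    param = ref.find("param")
    if param is None:
        return ""
    return (param.text or "").strip()


def classify(value):
    """Classify one attribute value by what its <param> contains."""
    text = extract_param(value)
    if not text:
        return "empty"            # <param/> : the unvalued case from the thread
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return "not-json"         # e.g. <param>TestValue</param>
    if isinstance(parsed, dict):
        return "json-object"      # e.g. {"ID":"NADA"} or {}
    return "json-scalar"          # valid JSON, but not an object (assumption: review)


def audit(attr_values):
    """Map name -> status for every value whose <param> is not a JSON object."""
    findings = {}
    for name, value in attr_values.items():
        status = classify(value)
        if status != "json-object":
            findings[name] = status
    return findings


if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print(f"{name}: {status}")
```

Run it against an export of the nrfEntitlementRef values before assigning resources; it checks JSON well-formedness only and does not read the parameter-format setting itself.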



Re: Entitlements issue in the IDM.4.5 User Application


geoffc;265294 Wrote:
>
> I think we heard that to use an unvalued entitlement, you need to set a
> value of {} as null. However, the better way to do it is in
> entitlementConfiguration define this entitlement as legacy format, not
> idm4.


Thanks Geoffrey, it worked.

In my case I had to change a policy that came with the "Permission
collection and reconciliation service" package that hardcoded "idm4" on
the parameter-format property of the EntitlementConfiguration object so
each time I restarted the driver it put that value back to "idm4" so
valueless entitlement objects wouldn't work.

Regards.


--
--
Facundo Orsi
--