moldin

Entitlements not removed when role is deleted

Hi,

I have discovered that entitlements are not removed from users when I delete a role to which they are assigned.
Is this working as designed or is it an error?

IDM 4.5.5 build 43016
Knowledge Partner

Re: Entitlements not removed when role is deleted

moldin wrote:

> I have discovered that entitlements are not removed from users when I
> delete a role which they are assigned.
> Is this working as designed or is it an error?


You should revoke any existing assignments before deleting a role. If the UI
lets you delete a role that is still assigned, I'd say this is an error, as it
should require you (or offer) to revoke the assignments first.

If you delete roles through a driver, LDAP or iManager, that's probably not
supported at all.

--
http://www.is4it.de/en/solution/identity-access-management/

moldin

Re: Entitlements not removed when role is deleted

Thank you.
It is through the UI that the roles are deleted, and there are no warnings or anything when they are assigned to users.

I do have drivers that delete roles, but they always check for assignments and break if they find some. It is very difficult to put the same strict logic into colleagues and 1st line support 🙂
Micro Focus Expert

Re: Entitlements not removed when role is deleted

On 8/14/18 4:44 AM, moldin wrote:
>
> Thank you.
> It is through the UI the roles are deleted and there are no warnings or
> anything when the they are assigned to users.
>
> I do have drivers that delete roles but they always check for
> assignments and breaks if they find some. It is very difficult to put
> the same strict logic into colleagues and 1st line support 🙂
>
>

Greetings,
The entitlement will not be deleted from the user. The status of
the assignment of the Entitlement will be changed on the user when they
have been removed.

I gather that you have Role -> Resource -> Entitlement?

Also, does the user have this same Entitlement with the same value
via another means (meaning from another Resource assignment)? If yes,
then the Entitlement assignment would still be active.



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: Entitlements not removed when role is deleted

On 8/14/2018 11:15 AM, Steven Williams wrote:
> On 8/14/18 4:44 AM, moldin wrote:
>>
>> Thank you.
>> It is through the UI the roles are deleted and there are no warnings or
>> anything when the they are assigned to users.
>>
>> I do have drivers that delete roles but they always check for
>> assignments and breaks if they find some. It is very difficult to put
>> the same strict logic into colleagues and 1st line support 🙂
>>
>>

> Greetings,
>     The entitlement will not be deleted from the user.  The status of
> the assignment of the Entitlement will be changed on the user when they
> have been removed.
>
>    I gather that you have Role -> Resource -> Entitlement?
>
>    Also, does the user have this same Entitlement with the same value
> via another means (meaning from another Resource assignment)?  If yes,
> then the Entitlement assignment would still be active.


I suspect that an element of the disconnect, is that when you delete an
Entitlement object, all references on users go poof.

I think the addition of abstractions leads to the confusion.

The link of an Entitlement to a user is a DirXML-EntitlementRef
attribute reference, which is PATH syntax and includes a DN reference to
the Entitlement. Delete the entitlement and all references to it disappear
(as they should).

A Resource is linked to an Entitlement by nrfEntitlementRef attribute,
which is PATH syntax and if you delete the entitlement it goes poof.

But the entitlement has no reference pointing back at the Resource.

A Role is linked to a Resource by a nrfResourceAssociation object which
has a DN reference to the Role, and a DN reference to the Resource.

The Role does not have a PATH/DN syntax attribute pointing at the
Resource.

So when you delete a Role, or Resource, while some of the attributes
clear away, it does not filter all the way down to a user.

I expect the question really is, should RRSD clean this up for us?





Knowledge Partner

Re: Entitlements not removed when role is deleted

Geoffrey Carman <geoffreycarmanNOSPAM@NOSPAMgmail.com> wrote:
>
> The Role does not have a PATH/DN syntax attribute pointing at the
> Resource.
>
> So when you delete a Role, or Resource, while some of the attributes
> clear away, it does not filter all the way down to a user.
>


Have noticed this also. Thought this was mostly due to roles being bolted
on afterwards.

> I expect the question really is, should RRSD clean this up for us?
>


I personally don’t think it should. Revoked entitlements should stick
around until the entitlement object is removed. Revoked entitlements can
still mean something in context of a resync after a restore of a target
system.



Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: Entitlements not removed when role is deleted

geoffc;2485733 wrote:

> So when you delete a Role, or Resource, while some of the attributes
> clear away, it does not filter all the way down to a user.
>
> I expect the question really is, should RRSD clean this up for us?

Yes RRSD should clean this up and it does clean it up if the role is deleted from the UI.
In IDM 4.7.2 with the latest RRSD driver anyway.
It actually does not delete the role, it flags it to nrfStatus 15. RRSD takes this change and processes it, revoking all assignments and doing the actual delete.
We found this out by accident when doing (wrongly, in test) an LDAP delete of a Role and the delete did not clear up.
It can clear up the delete even if it is deleted by LDAP, but that seems to be more by accident, so not to be trusted.
Going through the RRSD driver trace was interesting, comparing the UI delete with the LDAP delete.
We had a group that was outside the visibility scope, but the group was assigned the role we deleted. This created a Java error in the RRSD driver and made us investigate how it actually does work.
Deleting a role that was assigned to a group inside the visibility scope (which is normal) did work and cleared things up, but I'm sure this was not really intended and is probably not supported.

We use the new token in the driver for Create Role and realize there is no token for Delete Role so while waiting for that I will flag the role to nrfStatus 15 since that works from the driver perspective and is the same thing as what the UI does.

In the UI it should work and does work for us.
Knowledge Partner
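The object graph Geoffrey lays out above (user -> DirXML-EntitlementRef -> Entitlement; Resource -> nrfEntitlementRef -> Entitlement; nrfResourceAssociation holding DN references to Role and Resource; no back-references) and the nrfStatus 15 flagging Joakim describes, as an added example in Python. This is not IDM code and not anything posted in this thread. It models a directory export as a dict, parses LDAP-rendered PATH values, simulates the raw delete that leaves the user's DirXML-EntitlementRef behind, audits a user for grants with no surviving role/resource path, and flags a role for deletion only when nothing still holds it. The DN layout, the nrfRole/nrfResource attribute names on nrfResourceAssociation, nrfAssignedRoles/nrfAssignedResources as the user-side links, and 1 = granted / 0 = revoked in the DirXML-EntitlementRef nameSpace are assumptions; the snapshot data is constructed.

```python
import re
from typing import Dict, List, Set

# Directory snapshot: DN -> {attribute: [values]}. All data below is constructed.
Directory = Dict[str, Dict[str, List[str]]]

# eDirectory PATH syntax as LDAP renders it: "nameSpace#volume#path".
# For DirXML-EntitlementRef the volume is the Entitlement DN and nameSpace is
# the grant state (assumed here: 1 = granted, 0 = revoked); the XML in "path"
# is treated as opaque.
PATH_RE = re.compile(r"^(\d+)#([^#]*)#(.*)$", re.S)


def parse_path(value: str):
    """Return (nameSpace, referenced DN, payload) from a PATH-syntax value."""
    m = PATH_RE.match(value)
    if not m:
        raise ValueError(f"not PATH syntax: {value!r}")
    return int(m.group(1)), m.group(2), m.group(3)


# Assumed DN layout and object names. nrfRole/nrfResource as the two DN
# references on nrfResourceAssociation, and nrfAssignedRoles /
# nrfAssignedResources as the user-side links, are assumptions as well.
BASE = "cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system"
ENT = "cn=UserAccount,cn=AD Driver,cn=driverset1,o=system"
RES = f"cn=AD Account,cn=ResourceDefs,{BASE}"
ROLE = f"cn=Contractor,cn=Level10,cn=RoleDefs,{BASE}"
ASSOC = f"cn=Contractor-AD Account,cn=ResourceAssociations,{BASE}"
USER = "cn=alice,ou=users,o=data"


def sample_directory() -> Directory:
    """User -> Role -> nrfResourceAssociation -> Resource -> Entitlement, granted."""
    return {
        ENT: {"objectClass": ["DirXML-Entitlement"]},
        RES: {"objectClass": ["nrfResource"],
              "nrfEntitlementRef": [f"0#{ENT}#<ref/>"]},
        ROLE: {"objectClass": ["nrfRole"]},
        ASSOC: {"objectClass": ["nrfResourceAssociation"],
                "nrfRole": [ROLE], "nrfResource": [RES]},
        USER: {"objectClass": ["inetOrgPerson"],
               "nrfAssignedRoles": [f"0#{ROLE}#<assignment/>"],
               "DirXML-EntitlementRef": [f"1#{ENT}#<ref><src>NRF</src></ref>"]},
    }


def raw_delete(d: Directory, dn: str) -> None:
    """Simulate a plain LDAP delete: eDirectory drops DN and PATH values that
    point at the deleted object, and nothing else cascades."""
    del d[dn]
    for obj in d.values():
        for attr, values in list(obj.items()):
            kept = [v for v in values
                    if v != dn and not (PATH_RE.match(v) and parse_path(v)[1] == dn)]
            if kept:
                obj[attr] = kept
            else:
                del obj[attr]


def effective_entitlements(d: Directory, user_dn: str) -> Set[str]:
    """Entitlement DNs the user should hold: live roles (not flagged nrfStatus 15)
    through their associations to resources, plus directly assigned resources."""
    user = d[user_dn]
    resources: Set[str] = set()
    for v in user.get("nrfAssignedRoles", []):
        role_dn = parse_path(v)[1]
        role = d.get(role_dn)
        if role is None or role.get("nrfStatus") == ["15"]:
            continue
        for obj in d.values():
            if ("nrfResourceAssociation" in obj.get("objectClass", [])
                    and obj.get("nrfRole") == [role_dn]):
                resources.update(obj.get("nrfResource", []))
    for v in user.get("nrfAssignedResources", []):
        resources.add(parse_path(v)[1])
    return {parse_path(v)[1] for r in resources
            for v in d.get(r, {}).get("nrfEntitlementRef", [])}


def audit_user(d: Directory, user_dn: str) -> List[str]:
    """Entitlements still granted on the user with no surviving assignment path."""
    expected = effective_entitlements(d, user_dn)
    refs = d[user_dn].get("DirXML-EntitlementRef", [])
    return [ent for state, ent, _ in map(parse_path, refs)
            if state == 1 and ent not in expected]


def request_role_delete(d: Directory, role_dn: str) -> List[str]:
    """Flag the role with nrfStatus 15 (what the UI does per the thread, leaving
    RRSD to revoke and delete), but only when nothing still holds it. Returns
    the DNs that block the delete; empty means the role was flagged."""
    holders = [dn for dn, obj in d.items()
               if any(parse_path(v)[1] == role_dn for v in obj.get("nrfAssignedRoles", []))]
    if not holders:
        d[role_dn]["nrfStatus"] = ["15"]
    return holders


if __name__ == "__main__":
    d = sample_directory()
    print("before:", audit_user(d, USER))
    raw_delete(d, ROLE)  # the accidental LDAP/driver delete from the thread
    print("after raw delete:", audit_user(d, USER))
```

To use it on a real tree, replace sample_directory() with a parse of an LDIF export of the users, RoleConfig container and driver entitlements. The audit is the check a delete-by-mistake leaves you needing, and the guard in request_role_delete is the "prohibit deleting a role that has assignments" behaviour asked for later in the thread.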

Re: Entitlements not removed when role is deleted

joakim ganse wrote:

> there is
> no token for Delete Role so while waiting for that I will flag the role
> to nrfStatus 15 since that works from the driver perspective and is the
> same thing as what the UI does.


That is interesting to know. Thanks a lot for sharing!

Knowledge Partner

Re: Entitlements not removed when role is deleted

Just found out that these values do not exist in 4.5.
They do exist in 4.7, but I have not looked in 4.6 yet.

I expect this to be dependent on the version of the RRSD driver
Not applicable

Re: Entitlements not removed when role is deleted

Hi All,

There is already a bug for this observation, which will be addressed in the next release.

Reason : dirxml-entitlementref attribute doesn't get updated when assigned resource is being deleted

Thanks & Regards,
SivaSaran.K.R
moldin

Re: Entitlements not removed when role is deleted

Maybe I was not clear in my description of the issue; sorry about that.

The assignment is as you suggest user -> role -> Resource -> Entitlement
Neither resource or entitlement are granted in other ways than this single role.
When the role is deleted (by mistake) the user keeps both the resource and hence the entitlement.

It would be nice if deleting a role were prohibited if it has assignments,
or
if some logic removed the resource and entitlement from the assignee.


stevewdj;2485724 wrote:

> I gather that you have Role -> Resource -> Entitlement?
>
> Also, does the user have this same Entitlement with the same value
> via another means (meaning from another Resource assignment)? If yes,
> then the Entitlement assignment would still be active.