Get list of all Users assigned a role?

We know that the UA query interface has an inherent design issue, in
that it queries the entire table without paging. The paging setting is
only for the display, not for the query.

Thus if you have more than the query limit of values, there is no way in
the UI to display it all.

Yes, you can filter, but what if your filter set is still higher than
the query limit?

I was wondering if anyone had a good thought on how to get back the
entire set of "X" assigned to "Y" in UA?

For example, all users assigned RoleY.

I can look at the directory, at nrfAssignedRoles (Since these were all
USER_TO_ROLE assignments. Look at I think nrfMemberOf for
GROUP_TO_ROLE, and nrfContained (?) for CONTAINER_TO_ROLE). But that
does not reflect truly the UA view, per Steve. Must use SOAP.

So how in SOAP via UA mechanisms could you get back all the assignees?
Can you page the query in the SOAP call?

Re: Get list of all Users assigned a role?

On 5/4/16 10:20 AM, Geoffrey Carman wrote:
> We know that the UA query interface has an inherent design issue, in
> that it queries the entire table without paging. The paging setting is
> only for the display, not for the query.
>
> Thus if you have more than the query limit of values, there is no way in
> the UI to display it all.
>
> Yes, you can filter, but what if your filter set is still higher than
> the query limit?
>
> I was wondering if anyone had a good thought on how to get back the
> entire set of "X" assigned to "Y" in UA?
>
> For example, all users assigned RoleY.
>
> I can look at the directory, at nrfAssignedRoles (Since these were all
> USER_TO_ROLE assignments. Look at I think nrfMemberOf for
> GROUP_TO_ROLE, and nrfContained (?) for CONTAINER_TO_ROLE). But that
> does not reflect truly the UA view, per Steve. Must use SOAP.
>
> So how in SOAP via UA mechanisms could you get back all the assignees?
> Can you page the query in the SOAP call?

Greetings Geoffrey,
I currently do not remember talking to you about this. With that
said, what you have outlined is not all of the ways that a Role can be
"assigned" to a user.

1) Direct
2) Inherit (the current role is a child or grandchild of an assigned role)
3) A Member of a Group
4) A Member of a Dynamic Group
5) A Member of a Container


Looking at nrfMemberOf will not give you all of the Role Assignments for
a user.


To truly understand the role assignments on the user, you need to query
for the five (5) possible ways.



--
Sincerely,
Steven Williams
Lead Software Engineer
Micro Focus

Re: Get list of all Users assigned a role?


>> So how in SOAP via UA mechanisms could you get back all the assignees?
>> Can you page the query in the SOAP call?


> what you have outlined is not all of the ways that a Role can be
> "assigned" to a user.
>
> 1) Direct
> 2) Inherit (the current role is a child or grandchild of an assigned role)
> 3) A Member of a Group
> 4) A Member of a Dynamic Group
> 5) A Member of a Container
>
>
> Looking at nrfMemberOf will not give you all of the Role Assignments for
> a user.
>
>
> To truly understand the role assignments on the user, you need to query
> for the five (5) possible ways.


You will note my question was one of mechanisms to query, and your
answer was, you have to query 5 ways, without explaining any of the
possible ways.

So let me ask again. There are two kinds of interesting queries:
1) Show me all the roles this object (User, group, etc) is assigned?
2) Show me all the objects that are assigned to this Role.

You can imagine, since Roles are functionally a permission model, that
there is both interest in knowing what is directly assigned and what is
'effective' permissions.

What tools do we have available to accomplish these tasks?



Re: Get list of all Users assigned a role?

On 5/5/2016 12:03 PM, Geoffrey Carman wrote:
>
>>> So how in SOAP via UA mechanisms could you get back all the assignees?
>>> Can you page the query in the SOAP call?

>
>> what you have outlined is not all of the ways that a Role can be
>> "assigned" to a user.
>>
>> 1) Direct
>> 2) Inherit (the current role is a child or grandchild of an assigned
>> role)
>> 3) A Member of a Group
>> 4) A Member of a Dynamic Group
>> 5) A Member of a Container
>>
>>
>> Looking at nrfMemberOf will not give you all of the Role Assignments for
>> a user.
>>
>>
>> To truly understand the role assignments on the user, you need to query
>> for the five (5) possible ways.

>
> You will note my question was one of mechanisms to query, and your
> answer was, you have to query 5 ways, without explaining any of the
> possible ways.
>
> So let me ask again. There are two kinds of interesting queries:
> 1) Show me all the roles this object (User, group, etc) is assigned?
> 2) Show me all the objects that are assigned to this Role.
>
> You can imagine, since Roles are functionally a permission model, that
> there is both interest in knowing what is directly assigned and what is
> 'effective' permissions.
>
> What tools do we have available to accomplish these tasks?
>
>


Looking at a user from a driver I've used:

nrfAssignedRoles, nrfInheritedRoles, nrfContainerRoles and nrfGroupRoles
to try and determine the whole set of roles assigned. Not sure if these
would cover roles assigned by dynamic groups, need to test them.

My approach has been to use the query token to read the 4 attributes,
saving the whole thing in a nodeset, then using xpath to extract just
the role FDNs and play with them. Assuming the nodeset variable was
named var_user, the XPATH to return a nodeset with the role dns from any
of the 4 attributes above would be (one line, ignore line breaks from
the nntp client):

$var_user/attr[ @attr-name="nrfAssignedRoles" or
@attr-name="nrfInheritedRoles" or @attr-name="nrfContainerRoles" or
@attr-name="nrfGroupRoles" ]/value[ @type="structured" ]/component[
@name="volume" ]/text()

Also on the docs seems like one of the soap calls could be helpful. From
URL https://www.netiq.com/documentation/idm45/agpro/data/bdux8cm.html we
have:

"getAssignedIdentities

Returns returns the list of identities having a particular role DN."

Guess we need someone to test the above and write a coolsolution about
it, I wonder who (.. Geoff ...) would be so kind to do so ^_^

Cheers,

-Fernando
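
The attribute extraction described in the post above, as an added example that is not part of the original post: it applies the same selection as the XPath (four attributes, structured values, the "volume" component) and also records which attribute each role DN came from, then lists roles missing from nrfMemberOf. The sample document, the DNs and the function names are constructed, and it assumes nrfMemberOf is returned in the same structured layout.

```python
import xml.etree.ElementTree as ET

# The four user attributes named in the post above.
ROLE_ATTRS = ("nrfAssignedRoles", "nrfInheritedRoles",
              "nrfContainerRoles", "nrfGroupRoles")

def _attr(name, *role_dns):
    """Build one constructed <attr> element in the queried layout."""
    vals = "".join(
        '<value type="structured"><component name="nameSpace">0</component>'
        f'<component name="volume">{dn}</component>'
        '<component name="path">constructed</component></value>'
        for dn in role_dns)
    return f'<attr attr-name="{name}">{vals}</attr>'

# Constructed query result for one user (sample data, not from a real tree).
SAMPLE = ('<instance class-name="User">'
          + _attr("nrfAssignedRoles", r"\T\roles\RoleY")
          + _attr("nrfInheritedRoles", r"\T\roles\RoleChild")
          + _attr("nrfGroupRoles", r"\T\roles\RoleY", r"\T\roles\RoleG")
          + _attr("nrfMemberOf", r"\T\roles\RoleY", r"\T\roles\RoleChild")
          + _attr("Telephone Number") + "</instance>")

def roles_by_source(xml_text, attr_names=ROLE_ATTRS):
    """Map each role DN to the set of attributes it was found in."""
    found = {}
    for attr in ET.fromstring(xml_text).iter("attr"):
        name = attr.get("attr-name")
        if name not in attr_names:
            continue  # same filter as the attr[...] predicate in the XPath
        for value in attr.findall("value[@type='structured']"):
            for comp in value.findall("component[@name='volume']"):
                dn = (comp.text or "").strip()
                if dn:
                    found.setdefault(dn, set()).add(name)
    return found

def not_in_reference(xml_text, reference_attr="nrfMemberOf"):
    """Role DNs present in the four attributes but absent from reference_attr."""
    roles = set(roles_by_source(xml_text))
    reference = set(roles_by_source(xml_text, (reference_attr,)))
    return sorted(roles - reference)

if __name__ == "__main__":
    for dn, sources in sorted(roles_by_source(SAMPLE).items()):
        print(dn, "<-", ", ".join(sorted(sources)))
    print("not in nrfMemberOf:", not_in_reference(SAMPLE))
```

The thread leaves open whether roles gained through a dynamic group appear in these attributes, so for an access review the result is a lower bound rather than the complete set.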

Re: Get list of all Users assigned a role?

On 5/6/2016 3:16 PM, Fernando Freitas wrote:
> On 5/5/2016 12:03 PM, Geoffrey Carman wrote:
>>
>>>> So how in SOAP via UA mechanisms could you get back all the assignees?
>>>> Can you page the query in the SOAP call?

>>
>>> what you have outlined is not all of the ways that a Role can be
>>> "assigned" to a user.
>>>
>>> 1) Direct
>>> 2) Inherit (the current role is a child or grandchild of an assigned
>>> role)
>>> 3) A Member of a Group
>>> 4) A Member of a Dynamic Group
>>> 5) A Member of a Container
>>>
>>>
>>> Looking at nrfMemberOf will not give you all of the Role Assignments for
>>> a user.
>>>
>>>
>>> To truly understand the role assignments on the user, you need to query
>>> for the five (5) possible ways.

>>
>> You will note my question was one of mechanisms to query, and your
>> answer was, you have to query 5 ways, without explaining any of the
>> possible ways.
>>
>> So let me ask again. There are two kinds of interesting queries:
>> 1) Show me all the roles this object (User, group, etc) is assigned?
>> 2) Show me all the objects that are assigned to this Role.
>>
>> You can imagine, since Roles are functionally a permission model, that
>> there is both interest in knowing what is directly assigned and what is
>> 'effective' permissions.
>>
>> What tools do we have available to accomplish these tasks?
>>
>>

>
> Looking at a user from a driver I've used:
>
> nrfAssignedRoles, nrfInheritedRoles, nrfContainerRoles and nrfGroupRoles
> to try and determine the whole set of roles assigned. Not sure if these
> would cover roles assigned by dynamic groups, need to test them.
>
> My approach has been to use the query token to read the 4 attributes,
> saving the whole thing in a nodeset, then using xpath to extract just
> the role FDNs and play with them. Assuming the nodeset variable was
> named var_user, the XPATH to return a nodeset with the role dns from any
> of the 4 attributes above would be (one line, ignore line breaks from
> the nntp client):
>
> $var_user/attr[ @attr-name="nrfAssignedRoles" or
> @attr-name="nrfInheritedRoles" or @attr-name="nrfContainerRoles" or
> @attr-name="nrfGroupRoles" ]/value[ @type="structured" ]/component[
> @name="volume" ]/text()
>
> Also on the docs seems like one of the soap calls could be helpful. From
> URL https://www.netiq.com/documentation/idm45/agpro/data/bdux8cm.html we
> have:
>
> "getAssignedIdentities
>
> Returns returns the list of identities having a particular role DN."
>
> Guess we need someone to test the above and write a coolsolution about
> it, I wonder who (.. Geoff ...) would be so kind to do so ^_^
>
> Cheers,
>
> -Fernando


Addendum: in the 4 attributes outlined above (again, no dynamic group)
I've always seen the values of the same roles in the nrfMemberOf.

Re: Get list of all Users assigned a role?

On 05.05.2016 19:52, Steven Williams wrote:
> On 5/4/16 10:20 AM, Geoffrey Carman wrote:
>> We know that the UA query interface has an inherent design issue, in
>> that it queries the entire table without paging. The paging setting is
>> only for the display, not for the query.
>>
>> Thus if you have more than the query limit of values, there is no way in
>> the UI to display it all.
>>
>> Yes, you can filter, but what if your filter set is still higher than
>> the query limit?
>>
>> I was wondering if anyone had a good thought on how to get back the
>> entire set of "X" assigned to "Y" in UA?
>>
>> For example, all users assigned RoleY.
>>
>> I can look at the directory, at nrfAssignedRoles (Since these were all
>> USER_TO_ROLE assignments. Look at I think nrfMemberOf for
>> GROUP_TO_ROLE, and nrfContained (?) for CONTAINER_TO_ROLE). But that
>> does not reflect truly the UA view, per Steve. Must use SOAP.
>>
>> So how in SOAP via UA mechanisms could you get back all the assignees?
>> Can you page the query in the SOAP call?

> Greetings Geoffrey,
> I currently do not remember talking to you about this. With that
> said, what you have outlined is not all of the ways that a Role can be
> "assigned" to a user.
>
> 1) Direct
> 2) Inherit (the current role is a child or grandchild of an assigned role)
> 3) A Member of a Group
> 4) A Member of a Dynamic Group
> 5) A Member of a Container
>
>
> Looking at nrfMemberOf will not give you all of the Role Assignments for
> a user.


Hmm, then which role assignments a user is supposed to have do *not*
show up in the user's
a) nrfMemberOf
b) securityEquals
?

> To truly understand the role assignments on the user, you need to query
> for the five (5) possible ways.



--
Norbert

Re: Get list of all Users assigned a role?

On 5/6/16 2:58 AM, Norbert Klasen wrote:
> On 05.05.2016 19:52, Steven Williams wrote:
>> On 5/4/16 10:20 AM, Geoffrey Carman wrote:
>>> We know that the UA query interface has an inherent design issue, in
>>> that it queries the entire table without paging. The paging setting is
>>> only for the display, not for the query.
>>>
>>> Thus if you have more than the query limit of values, there is no way in
>>> the UI to display it all.
>>>
>>> Yes, you can filter, but what if your filter set is still higher than
>>> the query limit?
>>>
>>> I was wondering if anyone had a good thought on how to get back the
>>> entire set of "X" assigned to "Y" in UA?
>>>
>>> For example, all users assigned RoleY.
>>>
>>> I can look at the directory, at nrfAssignedRoles (Since these were all
>>> USER_TO_ROLE assignments. Look at I think nrfMemberOf for
>>> GROUP_TO_ROLE, and nrfContained (?) for CONTAINER_TO_ROLE). But that
>>> does not reflect truly the UA view, per Steve. Must use SOAP.
>>>
>>> So how in SOAP via UA mechanisms could you get back all the assignees?
>>> Can you page the query in the SOAP call?

>> Greetings Geoffrey,
>> I currently do not remember talking to you about this. With that
>> said, what you have outlined is not all of the ways that a Role can be
>> "assigned" to a user.
>>
>> 1) Direct
>> 2) Inherit (the current role is a child or grandchild of an assigned
>> role)
>> 3) A Member of a Group
>> 4) A Member of a Dynamic Group
>> 5) A Member of a Container
>>
>>
>> Looking at nrfMemberOf will not give you all of the Role Assignments for
>> a user.

>
> Hmm, then which role assignments a user is supposed to have do *not*
> show up in the user's
> a) nrfMemberOf
> b) securityEquals
> ?
>
>> To truly understand the role assignments on the user, you need to query
>> for the five (5) possible ways.

>
>

Greetings,
A quick look shows that Dynamic Group membership (you are a part of a
DG and a Role is assigned to the DG). In this case both nrfMemberOf and
securityEquals will not reflect.

--
Sincerely,
Steven Williams
Lead Software Engineer
Micro Focus