Anonymous_User Absent Member.
Absent Member.
421 views

How to replace a policy set in a packaged driver?

This seems like it should be possible, but I'm not seeing it.

I'm working on a driver, it doesn't really matter which one, but it's one
where NetIQ has packaged it. There is some default functionality that I
need to replace. The reason doesn't matter.

So if NetIQ shipped the packaged driver with NOVLFOOBAR-sub-mp-Baz as a
policy set that does something I don't want, and I want to *replace* it
with my own policy set, how do I do that?

What I want to do is develop and install a package, call it something
like "NIU Customizations". This package would then contain my own version
of this policy set, NIUFOOBAR-sub-mp-Baz. On installation, the NOVLFOOBAR-
sub-mp-Baz policy set would be unlinked, and the replacement NIUFOOBAR-
sub-mp-Baz policy set would be linked in its place. On un-installation of
my customized package, the reverse would be true, unlinking the NIU
version and re-linking the NetIQ policy back in to place.

Linking my policy is easy. What I can't find a way to do is to un-link
theirs.

I know that I could fork the whole driver, but I don't want to do that.
Most of the NetIQ packaged driver does what I need, and I want to be able
to continue to get their updates and apply them the way they're designed.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
Labels (1)
0 Likes
9 Replies
Anonymous_User Absent Member.
Absent Member.

Re: How to replace a policy set in a packaged driver?

David Gersic wrote:

> So if NetIQ shipped the packaged driver with NOVLFOOBAR-sub-mp-Baz as a
> policy set that does something I don't want, and I want to replace it
> with my own policy set, how do I do that?


You can't (really)

> What I want to do is develop and install a package, call it something
> like "NIU Customizations". This package would then contain my own version
> of this policy set, NIUFOOBAR-sub-mp-Baz. On installation, the NOVLFOOBAR-
> sub-mp-Baz policy set would be unlinked, and the replacement NIUFOOBAR-
> sub-mp-Baz policy set would be linked in its place. On un-installation of
> my customized package, the reverse would be true, unlinking the NIU
> version and re-linking the NetIQ policy back in to place.
>
> Linking my policy is easy. What I can't find a way to do is to un-link
> theirs.


Unlinking of a packaged object permitted by the GUI as far as I know (unless you own the package and are in package developer mode)

> I know that I could fork the whole driver, but I don't want to do that.


That's what we end up doing (if we chose to use packages)

> Most of the NetIQ packaged driver does what I need, and I want to be able
> to continue to get their updates and apply them the way they're designed.


How would NetIQ handle any changes to the package object you have unlinked?

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to replace a policy set in a packaged driver?

On Thu, 14 Aug 2014 15:18:36 +0000, Alex McHugh wrote:

> David Gersic wrote:
>
>> So if NetIQ shipped the packaged driver with NOVLFOOBAR-sub-mp-Baz as a
>> policy set that does something I don't want, and I want to replace it
>> with my own policy set, how do I do that?

>
> You can't (really)


Boo.


>> What I want to do is develop and install a package, call it something
>> like "NIU Customizations". This package would then contain my own
>> version of this policy set, NIUFOOBAR-sub-mp-Baz. On installation, the
>> NOVLFOOBAR- sub-mp-Baz policy set would be unlinked, and the
>> replacement NIUFOOBAR- sub-mp-Baz policy set would be linked in its
>> place. On un-installation of my customized package, the reverse would
>> be true, unlinking the NIU version and re-linking the NetIQ policy back
>> in to place.
>>
>> Linking my policy is easy. What I can't find a way to do is to un-link
>> theirs.

>
> Unlinking of a packaged object permitted by the GUI as far as I know
> (unless you own the package and are in package developer mode)


Yeah, I know. Training wheels off, I'm in package developer mode.


>> I know that I could fork the whole driver, but I don't want to do that.

>
> That's what we end up doing (if we chose to use packages)


Boo...


>> Most of the NetIQ packaged driver does what I need, and I want to be
>> able to continue to get their updates and apply them the way they're
>> designed.

>
> How would NetIQ handle any changes to the package object you have
> unlinked?


The policy set object is still there, so they can change it all they
want. It just won't actually do anything.

So in this case I'm working on the O365 driver. I do *not* want the
Subscriber Matching Policy to attempt to match on Display Name.

In the "NetIQ knows best" default mode, it matches on Display Name. In
order to disable that, I need to change the default. I can disable the
rule in the policy. I can insert my own rule(s) to replace it. But I
don't want to fork the entire package just for that.

Bah.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: How to replace a policy set in a packaged driver?

David Gersic wrote:

> So in this case I'm working on the O365 driver. I do not want the
> Subscriber Matching Policy to attempt to match on Display Name.
>
> In the "NetIQ knows best" default mode, it matches on Display Name. In
> order to disable that, I need to change the default. I can disable the
> rule in the policy. I can insert my own rule(s) to replace it. But I
> don't want to fork the entire package just for that.


If it's just such a little change, I'd probably disable the policies after the
pkg install so it shows as customized in Designer (littel black * icon
overlay). Customized policies do not get changed during package updates, so
this is also a means of preventing issues whenever NetIQ releases a new version
(only once you revert your customizations the policy will be updated to the
current package version, not go back to the version you had when customizing
it).

Maybe a combination of disabling NetIQ policies (all rules contained in the
policy, otherwise you get version mix-up through NetIQ updates) and adding your
custom code (either from scratch or based on the earlier disabled policy) will
work for you.
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to replace a policy set in a packaged driver?

On Thu, 14 Aug 2014 16:15:56 +0000, Lothar Haeger wrote:

> David Gersic wrote:
>
>> So in this case I'm working on the O365 driver. I do not want the
>> Subscriber Matching Policy to attempt to match on Display Name.
>>
>> In the "NetIQ knows best" default mode, it matches on Display Name. In
>> order to disable that, I need to change the default. I can disable the
>> rule in the policy. I can insert my own rule(s) to replace it. But I
>> don't want to fork the entire package just for that.

>
> If it's just such a little change, I'd probably disable the policies
> after the pkg install so it shows as customized in Designer (littel
> black * icon overlay). Customized policies do not get changed during
> package updates, so this is also a means of preventing issues whenever
> NetIQ releases a new version (only once you revert your customizations
> the policy will be updated to the current package version, not go back
> to the version you had when customizing it).


I thought about that, yeah, but some of these aren't little changes. And
this is still a source of possible problems, since it can't be done from
the package installer.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: How to replace a policy set in a packaged driver?

On 8/14/2014 11:00 AM, David Gersic wrote:
> This seems like it should be possible, but I'm not seeing it.


I agree it seems like an obvious need. But you are not seeing it, since
it is absent.

> I'm working on a driver, it doesn't really matter which one, but it's one
> where NetIQ has packaged it. There is some default functionality that I
> need to replace. The reason doesn't matter.
>
> So if NetIQ shipped the packaged driver with NOVLFOOBAR-sub-mp-Baz as a
> policy set that does something I don't want, and I want to *replace* it
> with my own policy set, how do I do that?


You clone the NetIQ package, you remove NOVLFOOBAR-sub-mp-Baz from your
NUI copy, and use that instead of the NetIQ one.

Then your next package delivers your custom content.

Then when NetIQ releases an update to the NOVLFOOBAR package, you are
responsible to review the changes and update your package to match.

Not optimal.

The problem is, if you could unlink one of theirs, you have dirtied
theirs and there is no way to 'make that cool'.

Now, if you have sub-mp-Matching from a 3.61 config, you can add a NUI
pack that adds it, and now suddenly that 3.61 object is managed by the
4.0 package. Then you could make a V1.0.1 of your NUI pack that removes
that. So the upgrade from 1.0.0, to 1.0.1 would removce the policy.
The downgrade from 1.0.1 to 1.0.0 would put it back. But the removal of
1.0.1 would not help.


> What I want to do is develop and install a package, call it something
> like "NIU Customizations". This package would then contain my own version
> of this policy set, NIUFOOBAR-sub-mp-Baz. On installation, the NOVLFOOBAR-
> sub-mp-Baz policy set would be unlinked, and the replacement NIUFOOBAR-
> sub-mp-Baz policy set would be linked in its place. On un-installation of
> my customized package, the reverse would be true, unlinking the NIU
> version and re-linking the NetIQ policy back in to place.
>
> Linking my policy is easy. What I can't find a way to do is to un-link
> theirs.
>
> I know that I could fork the whole driver, but I don't want to do that.
> Most of the NetIQ packaged driver does what I need, and I want to be able
> to continue to get their updates and apply them the way they're designed.
>
>


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to replace a policy set in a packaged driver?

On Thu, 14 Aug 2014 15:22:04 +0000, Geoffrey Carman wrote:

> On 8/14/2014 11:00 AM, David Gersic wrote:
>> This seems like it should be possible, but I'm not seeing it.

>
> I agree it seems like an obvious need. But you are not seeing it, since
> it is absent.
>
>> I'm working on a driver, it doesn't really matter which one, but it's
>> one where NetIQ has packaged it. There is some default functionality
>> that I need to replace. The reason doesn't matter.
>>
>> So if NetIQ shipped the packaged driver with NOVLFOOBAR-sub-mp-Baz as a
>> policy set that does something I don't want, and I want to *replace* it
>> with my own policy set, how do I do that?

>
> You clone the NetIQ package, you remove NOVLFOOBAR-sub-mp-Baz from your
> NUI copy, and use that instead of the NetIQ one.
>
> Then your next package delivers your custom content.
>
> Then when NetIQ releases an update to the NOVLFOOBAR package, you are
> responsible to review the changes and update your package to match.
>
> Not optimal.


I get that I then have to ensure that changes work. That's part of the
price of customization.


> The problem is, if you could unlink one of theirs, you have dirtied
> theirs and there is no way to 'make that cool'.


Design limitation. Packages need a way to remove things. Right now,
they're only capable of adding things. Bah.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
Knowledge Partner
Knowledge Partner

Re: How to replace a policy set in a packaged driver?


>> The problem is, if you could unlink one of theirs, you have dirtied
>> theirs and there is no way to 'make that cool'.

>
> Design limitation. Packages need a way to remove things. Right now,
> they're only capable of adding things. Bah.


Agreed. There are two elements to your requirment there:
1) Remove an un-packaged element. Deliver 'unlinkage'.
2) Deliver unlinkage of some other packages linked content.

1 is easier than 2 to deliver.




0 Likes
Knowledge Partner
Knowledge Partner

Re: How to replace a policy set in a packaged driver?

David Gersic wrote:

> What I want to do is develop and install a package, call it something
> like "NIU Customizations". This package would then contain my own version
> of this policy set, NIUFOOBAR-sub-mp-Baz. On installation, the NOVLFOOBAR-
> sub-mp-Baz policy set would be unlinked, and the replacement NIUFOOBAR-
> sub-mp-Baz policy set would be linked in its place. On un-installation of
> my customized package, the reverse would be true, unlinking the NIU
> version and re-linking the NetIQ policy back in to place.


Does not work, there's no way to replace an individual item of a package
through another package. Packages as they are implemented now are purely
additive. If you want to remove stuff, you have to remove the package it is
contained in.

All you can do to work around this sometimes is link your custom code in front
of the standard stuff and make sure the std stuff does not get in your way
later. Often not possible, which is one reason why we develop all our packages
from scratch (some based on copies of the NetIQ stuff, though).

There are more reasons for creating your own stuff, the bottom line is: the
NetIQ packages can be useful as templates or in environments without deeper
customization requirements (think IDM BE customers who just want their
usernames/passwords in sync between Edir and AD). If you want to do IDM with
all it's possibilites the std packages will rather get into your way than be
useful, IMHO.
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: How to replace a policy set in a packaged driver?

On Thu, 14 Aug 2014 15:25:07 +0000, Lothar Haeger wrote:

> David Gersic wrote:
>
>> What I want to do is develop and install a package, call it something
>> like "NIU Customizations". This package would then contain my own
>> version of this policy set, NIUFOOBAR-sub-mp-Baz. On installation, the
>> NOVLFOOBAR- sub-mp-Baz policy set would be unlinked, and the
>> replacement NIUFOOBAR- sub-mp-Baz policy set would be linked in its
>> place. On un-installation of my customized package, the reverse would
>> be true, unlinking the NIU version and re-linking the NetIQ policy back
>> in to place.

>
> Does not work, there's no way to replace an individual item of a package
> through another package. Packages as they are implemented now are purely
> additive. If you want to remove stuff, you have to remove the package it
> is contained in.


Well, at least I'm not missing anything. Thanks.


> All you can do to work around this sometimes is link your custom code in
> front of the standard stuff and make sure the std stuff does not get in
> your way later. Often not possible, which is one reason why we develop
> all our packages from scratch (some based on copies of the NetIQ stuff,
> though).


Yeah, I can see how that might work, sometimes, depending on what the
base code does, but it's not going to work in this case.


> There are more reasons for creating your own stuff, the bottom line is:
> the NetIQ packages can be useful as templates or in environments without
> deeper customization requirements (think IDM BE customers who just want
> their usernames/passwords in sync between Edir and AD). If you want to
> do IDM with all it's possibilites the std packages will rather get into
> your way than be useful, IMHO.


I'll have to think about this some more. I was hoping to keep my
customizations to a minimum that could be simply added on top of NetIQ's
base, but that's not going to work for me. I need to replace some of
NetIQ's base with my own. I was hoping not to have to fork all of their
work just to make my own changes.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.