Anonymous_User Absent Member.

Invoke an external script from IDM


Hi,

We have a requirement to trigger a script on a remote server from IDM
workflow. Can you please let us know how we can connect & execute script
on the remote server.
The script is a PowerShell script on some remote Windows server.
We need to pass a few arguments like username & additional details to the
script.
Also, if possible get status of script execution and any error/logging
information.

I posted in UserApp threads and have been asked to post in engine
drivers forum to install a scripting driver and invoke.
Please let me know the process of doing this and what are the
requirements in doing so.


--
Rajasekhar88
------------------------------------------------------------------------
Rajasekhar88's Profile: https://forums.netiq.com/member.php?userid=11739
View this thread: https://forums.netiq.com/showthread.php?t=55708

0 Likes
16 Replies
Anonymous_User Absent Member.
Absent Member.

Re: Invoke an external script from IDM

Rajasekhar88 wrote:

> We have a requirement to trigger a script on a remote server from IDM
> workflow. Can you please let us know how we can connect & execute
> script on the remote server.
> The script is a PowerShell script on some remote Windows server.
> We need to pass a few arguments like username & additional details to
> the script.
> Also, if possible get status of script execution and any error/logging
> information.
>
> I posted in UserApp threads and have been asked to post in engine
> drivers forum to install a scripting driver and invoke.
> Please let me know the process of doing this and what are the
> requirements in doing so.


You should use the Scripting Driver + Script Service (preferably)

Documentation on the scripting driver is here.

https://www.netiq.com/documentation/idm45drivers/bi_impl_scripting/data/bi_impl_scripting.html

Note that the scripting driver is licensed separately.

The scripting driver is able to return information (status, error
details etc) back to IDM where it can be saved and retrieved by the
UserApp.

An overall design might be:

1. Workflow sets an attribute (or maybe triggers an entitlement grant)
on the user.
2. This triggers the scripting driver to react
2.1 Policy in the scripting driver collects/appends the additional info
(username ++) to the in-progress transaction
2.2 Transaction sent to remote server (where scripting driver remote
loader is installed) and parsed/executed by a customisable PowerShell
script.
2.3 PowerShell script returns success/failure + error details - overall
status is returned to the IDM engine (via Scripting Driver). Status is
written to an attribute on the user where it can be retrieved by
UserApp as required.
0 Likes
florianz1 Absent Member.
Absent Member.

Re: Invoke an external script from IDM


or you use
- a delimited-text-driver, outputting (and possibly consuming) .csv's or
.xml's.
- start a script at regular intervals, taking those as input (and
possibly creating output for the driver to consume)

florian


--
florianz
------------------------------------------------------------------------
florianz's Profile: https://forums.netiq.com/member.php?userid=309
View this thread: https://forums.netiq.com/showthread.php?t=55708


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Invoke an external script from IDM

florianz wrote:

> - a delimited-text-driver, outputting (and possibly consuming) .csv's
> or .xml's.
> - start a script at regular intervals, taking those as input (and
> possibly creating output for the driver to consume)


Why re-architect what is already built with the Scripting Driver?

Another option is to use the (extremely limited) PowerShell support in
the AD driver, this at least is one of the core drivers so no extra
license required.
0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM

On 04/13/2016 08:35 AM, Alex McHugh wrote:
> florianz wrote:
>
>> - a delimited-text-driver, outputting (and possibly consuming) .csv's
>> or .xml's.
>> - start a script at regular intervals, taking those as input (and
>> possibly creating output for the driver to consume)

>
> Why re-architect what is already built with the Scripting Driver?


Because more people pay for the Tools integration module than the
Scripting ones, so it'd be no net new cost, and if they're clever enough
to use the Generic File Driver instead (which is free/CoolSolution) then
there's no new cost at all regardless, under current licensing models.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM

ab <ab@no-mx.forums.microfocus.com> wrote:
> On 04/13/2016 08:35 AM, Alex McHugh wrote:
>
> Because more people pay for the Tools integration module than the
> Scripting ones, so it'd be no net new cost, and if they're clever enough
> to use the Generic File Driver instead (which is free/CoolSolution) then
> there's no new cost at all regardless, under current licensing models.
>


All true. Prefer to not reinvent the wheel.

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...

Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM

Alex Mchugh wrote:

> Prefer to not reinvent the wheel.


I very much prefer Stefaan's reinvented wheel over the original. And that's not
only for its price tag...

The scripting driver is great feature-wise (if only they would simplify
multi-instance and add non-root support on Linux...) and worth its money if
you have to integrate something no shim exists for. But if all you need is to
fill a gap in another shim's feature list, it's often too expensive, IMHO.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM

Lothar Haeger <lothar.haeger@is4it.de> wrote:
>
> The scripting driver is great feature-wise (if only they would simplify
> multi-instance


I believe that there have been some recent improvements for multi instance
on Windows/PowerShell. Still need to test that though.

> and add non-root support on Linux...) and worth its money if
> you have to integrate something no shim exists for. But if all you need is to
> fill a gap in another shim's feature list, it's often too expensive, IMHO.
>


Agreed.

--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Invoke an external script from IDM


Got to know that we can implement PowerShell cmdlets in AD driver
policy

http://tinyurl.com/lwxodn5

I have written a custom policy, e.g. if the user telephone number is
changed to some xxxxxxx, trigger an action like running a PowerShell
cmdlet in remoteloader AD.
But I guess there is some mistake I am making which is why I could see
nothing is executed, or I am not looking at the proper place. Can you help me
please

<if-op-attr mode="numeric" name="MobileNum" op="equal">xxxxxxxx</if-op-attr>
</conditions>
<actions>
  <do-set-dest-attr-value name="PSExecute">
    <arg-value type="string">
      <token-text xml:space="preserve">"Get-Command Get-Process > C:\Temp\testing.log"</token-text>
    </arg-value>
  </do-set-dest-attr-value>
</actions>


--
Rajasekhar88
------------------------------------------------------------------------
Rajasekhar88's Profile: https://forums.netiq.com/member.php?userid=11739
View this thread: https://forums.netiq.com/showthread.php?t=55708

0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM

Rajasekhar88 wrote:

> http://tinyurl.com/lwxodn5
>
> I have written a custom policy eg. if the user telephone number is
> changed to some xxxxxxx trigger an action like running powershell
> commandlet in remoteloader AD.


To quote from your reference above: "PowerShell includes a wide variety of
cmdlets and functions. However, the Active Directory driver only supports
Active Directory and Exchange PowerShell modules and cmdlets."

Get-Process and Get-Command both do not belong to AD/Exchange modules/cmdlets.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: Invoke an external script from IDM


The link http://www.is4it.de/en/solution/identity-access-management/
isn't showing any information for me.

Can't we write some custom Cmdlets and execute from IDM using this AD
Remote Loader Driver?


--
Rajasekhar88
------------------------------------------------------------------------
Rajasekhar88's Profile: https://forums.netiq.com/member.php?userid=11739
View this thread: https://forums.netiq.com/showthread.php?t=55708

0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM

Rajasekhar88 wrote:

> The link http://www.is4it.de/en/solution/identity-access-management/
> isn't showing any information for me.


I was referring to your own link: http://tinyurl.com/lwxodn5

> Can't we write some custom Cmdlets and execute from IDM using this AD
> Remote Loader Driver?


No. This is what the scripting driver is meant to be used for.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM


You can but it's not as pretty.

The scripting driver is far better suited for this but this is a rule I
have in the AD driver for creating home directories in the creation
process.
The actual script is a home made ps script that is local to the RL box.

> <do-set-dest-attr-value name="PSexecute" when="after">
> <arg-value type="string">
> <token-text xml:space="preserve">Invoke-Expression</token-text>
> <token-text xml:space="preserve"> -command </token-text>
> <token-text xml:space="preserve"> "</token-text>
> <token-global-variable name="idv.dit.data.PShomedirScript"/>
> <token-text xml:space="preserve"> -dirPath </token-text>
> <token-global-variable name="idv.dit.data.homedir"/>
> <token-text xml:space="preserve"> -name </token-text>
> <token-local-variable name="varADname"/>
> <token-text xml:space="preserve"> -domain </token-text>
> <token-global-variable name="drv.domain.name"/>
> <token-text xml:space="preserve">"</token-text>
> </arg-value>
> </do-set-dest-attr-value>



--
joakim_ganse
------------------------------------------------------------------------
joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
View this thread: https://forums.netiq.com/showthread.php?t=55708

0 Likes
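
The receiving end of a rule like the one above, as an added example (not joakim_ganse's script, which the thread does not show): a hypothetical `New-HomeDir.ps1` that takes the same `-dirPath`, `-name` and `-domain` arguments, validates them, and records status in a log file and an exit code. The file name, log path and validation patterns are assumptions.

```powershell
# Hypothetical New-HomeDir.ps1 (added example; names and paths are assumptions).
[CmdletBinding()]
param(
    # Base directory for home folders, e.g. \\fileserver\home (constructed value)
    [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$dirPath,
    # Account name: only characters expected in a logon name
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9._-]{1,20}$')][string]$name,
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9.-]{1,255}$')][string]$domain,
    [string]$LogFile = 'C:\Temp\homedir.log'   # assumed log location
)
# A value that fails ValidatePattern stops the script here, before any work is done.

$ErrorActionPreference = 'Stop'   # turn cmdlet errors into catchable exceptions

function Write-Log([string]$Level, [string]$Message) {
    $line = '{0} [{1}] {2}' -f (Get-Date -Format o), $Level, $Message
    Add-Content -LiteralPath $LogFile -Value $line
}

try {
    $base   = [System.IO.Path]::GetFullPath($dirPath).TrimEnd('\')
    $target = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($base, $name))
    # Reject names such as "." or ".." that resolve to or above the base directory
    if (-not $target.StartsWith($base + '\', [StringComparison]::OrdinalIgnoreCase)) {
        throw "Resolved path '$target' is not below '$base'"
    }
    if (Test-Path -LiteralPath $target) {
        Write-Log 'INFO' "Exists already: $target ($domain\$name)"
    }
    else {
        New-Item -ItemType Directory -Path $target | Out-Null
        Write-Log 'INFO' "Created: $target ($domain\$name)"
    }
    exit 0    # success
}
catch {
    Write-Log 'ERROR' "name=$name domain=$domain : $($_.Exception.Message)"
    exit 1    # failure; details are in the log file
}
```

A rule that assembles one string for `Invoke-Expression` has its values parsed as PowerShell before this script's validation runs, so what can reach a token such as `varADname` should be restricted in policy as well.
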
Anonymous_User Absent Member.
Absent Member.

Re: Invoke an external script from IDM


joakim_ganse;266931 Wrote:
> You can but it's not as pretty.
>
> The scripting driver is far better suited for this but this is a rule I
> have in the AD driver for creating home directories in the creation
> process.
> The actual script is a home made ps script that is local to the RL box.


Awesome joakim_ganse 🙂
That's what we were looking for and hope it will work. I'll keep posted
and clarify any doubts


--
Rajasekhar88
------------------------------------------------------------------------
Rajasekhar88's Profile: https://forums.netiq.com/member.php?userid=11739
View this thread: https://forums.netiq.com/showthread.php?t=55708

0 Likes
Knowledge Partner
Knowledge Partner

Re: Invoke an external script from IDM

Lothar Haeger <lothar.haeger@is4it.de> wrote:
> Rajasekhar88 wrote:
>
>> http://tinyurl.com/lwxodn5
>>
>> I have written a custom policy eg. if the user telephone number is
>> changed to some xxxxxxx trigger an action like running powershell
>> commandlet in remoteloader AD.

>
> To quote from your reference above: "PowerShell includes a wide variety of
> cmdlets and functions. However, the Active Directory driver only supports
> Active Directory and Exchange PowerShell modules and cmdlets."
>
> Get-Process and Get-Command both do not belong to AD/Exchange modules/cmdlets.
>



Not entirely true. One can explicitly load other modules but it must be
done each and every time you call a PowerShell command.

Essentially you have to jump through hoops to make this functionality
useful for anything aside from AD/Exchange. This is by design.
--
If you find this post helpful and are logged into the web interface, show
your appreciation and click on the star below...
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes