
Issue with picklist and workflow...!


Hi Guys,

Using:
Identity Manager Roles Based Provisioning Module Version 4.0.1 Patch C
Build Revision 38774

Recently I have added another picklist for our two resource selection on
create user workflow for ease of use.
Now, what is happening is that, when I log in to UA using the admin user, I
am able to see the entries in the picklist as follows:
[attached image 168]
But when the other normal user, who has the rights to access and
use the workflow, logs in, he gets the following:
[attached image 169]

Could this just be a cosmetic issue, or do I need to add some rights
for the user so that he can use this picklist?

Any ideas?

-ddgaikwad


+----------------------------------------------------------------------+
|Filename: Image-004.jpg |
|Download: https://forums.netiq.com/attachment.php?attachmentid=169 |
+----------------------------------------------------------------------+

--
ddgaikwad
------------------------------------------------------------------------
ddgaikwad's Profile: https://forums.netiq.com/member.php?userid=5917
View this thread: https://forums.netiq.com/showthread.php?t=50853


Re: Issue with picklist and workflow...!

ddgaikwad wrote:

> Could this just be a cosmetic issue, or do I need to add some rights
> for the user so that he can use this picklist?


We've had a similar problem. However our issue was with roles.
The user lacks the correct rights to read attributes (for example nrfCategoryKey or nrfLocalizedName) on the resource objects. Check any rights set further up the tree and any inherited rights filter.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: Issue with picklist and workflow...!


Thank you for the pointer.

One more clarification: I need to check the rights on the two options
that I am trying to add, right?
But the funny thing is that those two resources are not visible on the new
picklist, but they are visible on the old picklist which is on the same
form!

-ddgaikwad



Re: Issue with picklist and workflow...!

ddgaikwad wrote:

> One more clarification: I need to check the rights on the two options
> that I am trying to add, right?


I added rights further up the tree, allowing them to inherit down to the role objects.

> But the funny thing is that those two resources are not visible on the new
> picklist, but they are visible on the old picklist which is on the same
> form!


That is odd. This is often cached; flush the userapp cache and try again.


Re: Issue with picklist and workflow...!


Did a cache flush and also added the inherit rights, but it still shows
the other picklist empty...?

Am I missing something here?

-ddgaikwad



Re: Issue with picklist and workflow...!

ddgaikwad wrote:

> Did a cache flush and also added the inherit rights, but it still shows
> the other picklist empty...?


What exact rights did you set?


Re: Issue with picklist and workflow...!


Went to the root.
Modify trustees.
[Public]
Add property, nrfCategoryKey and nrfLocalizedName.
Read and compare, with inherit.
Click Done.
Apply and ok.

-ddgaikwad



Re: Issue with picklist and workflow...!

ddgaikwad wrote:

> Modify trustees.
> [Public]
> Add property, nrfCategoryKey and nrfLocalizedName.
> Read and compare, with inherit.


Either:

Set logging to debug for com.novell.srvprv.impl.vdata.model in userapp

or

Do an LDAP trace on the eDirectory side while the query is being executed.

Then look at the LDAP filter and return attributes specified.

Any attributes specified in the filter will need compare rights.
Any attributes specified to be returned will need read rights.

My guess is that you may need compare for objectClass (at least).

For simpler testing, execute the same LDAP filter/query via a standard ldap browser (with the credentials of a problem user) to verify that the permissions are right.

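The rule in the reply above (filter attributes need compare, returned attributes need read), worked through as an added example that is not part of the original thread. The search filter, the `nrfResource` class name in it and the helper names are assumptions constructed for illustration; substitute the filter and return attributes seen in the debug log or LDAP trace. Only attribute rights are modelled, not entry Browse rights or inherited rights filters.

```python
import re

# Attribute name at the start of each filter item, e.g. "(objectClass=" or "(cn:dn:="
_ITEM = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9.;-]*)\s*(?:[~<>]?=|:)")
ALL_ATTRS = "[All Attributes Rights]"


def required_rights(ldap_filter, return_attrs):
    """Map attribute (lower-cased) -> set of rights the search needs."""
    needed = {}
    for attr in _ITEM.findall(ldap_filter):
        needed.setdefault(attr.lower(), set()).add("compare")
    for attr in return_attrs:
        needed.setdefault(attr.lower(), set()).add("read")
    return needed


def missing_rights(ldap_filter, return_attrs, granted):
    """granted: attribute name -> rights effective for the bound user."""
    have = {a.lower(): set(r) for a, r in granted.items()}
    wildcard = have.get(ALL_ATTRS.lower(), set())
    gaps = {}
    for attr, need in required_rights(ldap_filter, return_attrs).items():
        lacking = need - have.get(attr, set()) - wildcard
        if lacking:
            gaps[attr] = lacking
    return gaps


# Constructed search, standing in for what the debug log or LDAP trace shows.
FILTER = "(&(objectClass=nrfResource)(nrfCategoryKey=*))"
RETURN_ATTRS = ["nrfLocalizedName", "nrfCategoryKey"]

# The grant described in the thread: [Public], read + compare on two attributes.
PUBLIC_GRANT = {
    "nrfCategoryKey": {"read", "compare"},
    "nrfLocalizedName": {"read", "compare"},
}

if __name__ == "__main__":
    gaps = missing_rights(FILTER, RETURN_ATTRS, PUBLIC_GRANT)
    for attr, lacking in sorted(gaps.items()):
        print(f"{attr}: missing {', '.join(sorted(lacking))}")
```

With this constructed filter the only gap reported is compare on objectClass, which matches the guess in the reply; an empty result means the attribute rights are sufficient and the entry-level rights are the next thing to check.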

Re: Issue with picklist and workflow...!

On 05/22/2014 04:36 AM, Alex McHugh wrote:
> ddgaikwad wrote:
>
>> Modify trustees.
>> [Public]
>> Add property, nrfCategoryKey and nrfLocalizedName.
>> Read and compare, with inherit.

>
> Either:
>
> Set logging to debug for com.novell.srvprv.impl.vdata.model in userapp
>
> or
>
> Do an LDAP trace on the eDirectory side while the query is being executed.
>
> Then look at the LDAP filter and return attributes specified.
>
> Any attributes specified in the filter will need compare rights.
> Any attributes specified to be returned will need read rights.
>
> My guess is that you may need compare for objectClass (at least).
>
> For simpler testing, execute the same LDAP filter/query via a standard LDAP browser (with the credentials of a problem user) to verify that the permissions are right.
>

Greetings,
You have to keep the following in mind:

A) Browse Rights
B) Where the code is being called to perform the query
C) Who you are logged in as

=================================
A) As I have posted a few times, here are the steps that I utilize to
lock down Public Browse for Workflows and Roles/Resources:

Here is what I do:

In iManager block "Public Browse" rights

1.a) Go to "Rights > Modify Trustees"

1.b) Browse to the RoleDefs container,
For example: "RoleDefs.AppConfig.User Application Driver.driverset1.system"

Press "OK"

1.c) Press "Add Trustee" and select [Public]

1.d) Press the "Assigned Rights" link next to the added trustee

1.e) Remove the "[All Attributes Rights]" line and check the "Browse"
checkbox for the "[Entry Rights]" line. All assigned rights are
unchecked and only "Inherit" is checked.

Press "Done".

2) Repeat the steps on the RequestDefs container


=================================

B) I have also outlined this a few times as well. Where the code is
being executed to perform the look-up retrieval.

Runs as the "Admin" user
-pre-activity of the Start or Approval Activity
-Map Activity

Runs as the logged in user
-Any of the form actions (onload, onchange)

=================================

C) Therefore, who is logged in matters based upon A & B above. If you
have properly locked down Public Browse rights, and the loading of the
Resources is happening within the form, then the logged in user must be
a Trustee (or inherited Trustee) of the Resources in order for them to
see them.




--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ