jvybihal Respected Contributor.

Move resource to subcontainer OR create it in correct subcontainer from policy


As the title says, I am looking for a way to move a resource to a subcontainer that I created in Designer and then deployed. Maybe I am missing something, or moving is still not supported (as some thread I found from 2013 said)?

I tried moving it via LDAP/iManager, but the UserApp was not happy; it started showing duplicate resources, and those old ones were impossible to delete from the web interface. 😕

 

As a matter of fact, I would not need to move resources in the first place if I could somehow manage to have them created in the right place via policy. I use Create Resource from policy, but there is no such setting to set the destination subcontainer. Right?

Weird, it's possible to set the container when importing resources from CSV in Designer, which is great, except that this way I cannot set User Groups entitlements with it.

Am I correct? Any ideas how to get around it? I read I could somehow use workflows or make SOAP calls, but that seems to be too much hassle for such a basic thing as creating a resource.

 

<small rant>

Honestly, the whole bulk creation of roles/resources is missing some comfort, if you ask me. I did not really find an easy way to bulk import resources WITH valued entitlements. And assigning them all in UserApp (Designer tells me it's read-only there) seems like such a huge waste of time, when I can just provide all the info upfront in a structured file.

Found PowerRole while searching; it's the closest thing I found to achieve this. But still, I would expect the product to be able to do this? Or are people not doing this sort of thing? I still hope I am missing something and it's actually possible. I just have not found it yet *fingers-crossed*

</small rant>

 


Accepted Solutions
Knowledge Partner

Re: Move resource to subcontainer OR create it in correct subcontainer from policy


I had just asked this question about moving Roles to one of the IDM Devs from India. He thinks that a Role should be able to move without issue, i.e. the DB does not know where it is as a string; it is only eDir which can resolve a move.

Now he did say the Permindex used to search for Roles and Resources will be goofed up, so stop Tomcat, delete the permindex and restart Tomcat and it should work.

I wonder if your duplicate resources is a Permindex issue?

You also asked about the Create Resource tag. I believe you either have to set the EntityKey with full DN value or else it is not possible. (Was a missing feature in the token.)

As for PowerRole, I like the guys, and have seen a demo, but I am not 100% sure I agree with the approach they took under the covers. We have discussed this, and ended up disagreeing.

I have updated Fernando's scripts for Bash Shell RBPM commands and added in a more fully functional Create Resource. Then I have a wrapper script that passes each line of a spreadsheet (CSV really, using semicolons instead of commas) to the same command so I can bulk load resources and set the values if needed.

 

jvybihal Respected Contributor.

Re: Move resource to subcontainer OR create it in correct subcontainer from policy


Thanks @geoffc so much for your reply. I did not have a chance last night to write here my new observations.

You are correct, I searched userappdb and I did not find any traces of defined roles and resources (searching for the duplicates). I tried to restart Tomcat, and voilà, they were gone. Docs also mention the permindex, so I guess that's it. I am glad to know that Roles and Resources are eDirectory-only defined.

 

For the do-create-resource, the "EntityKey" does not seem to be documented? Or how would I set it?

 

While I was extensively searching for import solutions, I stumbled upon the Bash Shell RBPM scripts - probably it was your article. I did not read much into it, because at that time it looked outdated to me, and I believed there must be a solution inside of the product. Now, with more information, I will definitely revisit that, because it sounds like something that could really provide functions and some kind of admin comfort. Thanks again.

Micro Focus Expert

Re: Move resource to subcontainer OR create it in correct subcontainer from policy


With 4.8, <do-create-resource> now has a sub-container parameter.

In earlier versions, you can make a SOAP request: https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/resource-web-service-interface.html

jvybihal Respected Contributor.

Re: Move resource to subcontainer OR create it in correct subcontainer from policy


Thanks for the info. It is not visible in Designer strings, good to know that 'sub-container' exists, will test that.

 

Knowledge Partner

Re: Move resource to subcontainer OR create it in correct subcontainer from policy


Is the token using the REST api?

 

From the dtd: LDAP DN of sub container in which resource needs to be created. This is available only while using REST api

jvybihal Respected Contributor.

Re: Move resource to subcontainer OR create it in correct subcontainer from policy


@joakim_ganse wrote:

Is the token using the REST api

I don't think so.

I tried to test it and force REST from policy; it required osp-clientid from me. I ended up with this:

 

 

<do-create-resource id="cn=uaadmin,ou=sa,o=data" osp-clientid="rbpm" resource-name="$resourceName$" time-out="0" url="~UAProvURL~" use-rest="true">
	<arg-password>
		<token-named-password name="rr-pass"/>
	</arg-password>
	<arg-string name="description">
		<token-local-variable name="groupDescription"/>
	</arg-string>
	<arg-string name="display-name">
		<token-local-variable name="groupDisplayName"/>
	</arg-string>
	<arg-string name="owner">
		<token-text xml:space="preserve">cn=Vybihal,ou=users,o=data</token-text>
	</arg-string>
	<arg-string name="entitlement-dn">
		<token-text xml:space="preserve">cn=Skupina,cn=Active Directory Driver,cn=driverset1,o=system</token-text>
	</arg-string>
	<arg-string name="entitlement-value">
		<token-text xml:space="preserve">{&quot;ID&quot;:&quot;</token-text>
		<token-local-variable name="groupGUID"/>
		<token-text xml:space="preserve">&quot;,&quot;ID2&quot;:&quot;</token-text>
		<token-src-dn/>
		<token-text xml:space="preserve">&quot;}</token-text>
	</arg-string>
	<arg-string name="sub-container">
		<token-text xml:space="preserve">cn=sub,cn=test,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</token-text>
	</arg-string>
	<arg-string name="locale">
		<token-text xml:space="preserve">en</token-text>
	</arg-string>
</do-create-resource>

 

 

Note the attributes use-rest="true" and osp-clientid="rbpm". But it did not get me there. There is a bug, and with these attributes the driver does not start with this error:

 

DirXML Log Event -------------------
     Driver:   \UNISIDM\system\driverset1\Active Directory Driver
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9127) Error in vnd.nds.stream://UNISIDM/system/driverset1/Active+Directory+Driver/Create+Resource+from+group#XmlData:42 : Missing 'arg-password' element.

 

Which is weird, because the element is present. The sub-container element does not work.

 

Log from my webserver when doing do-create-resource from policy. Does not look like a REST call to me:

172.16.21.131 - - [18/Nov/2019:16:11:09 +0100] "GET /IDMDCS-CORE/rpt/idvs/guid/DF2FDEC1-3A1A-46f7-8245-C1DE2FDF1A3A HTTP/1.1" 401 104 "-" "Java/1.8.0_222"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:15 +0100] "POST /IDMProv/resource/service HTTP/1.1" 200 509 "-" "Jakarta Commons-HttpClient/3.1"
172.16.21.131 - dcsdrv [18/Nov/2019:16:11:15 +0100] "POST /osp/a/idm/auth/oauth2/grant HTTP/1.1" 400 111 "-" "Java/1.8.0_222"
172.16.21.131 - - [18/Nov/2019:16:11:15 +0100] "GET /IDMDCS-CORE/rpt/idvs/guid/DF2FDEC1-3A1A-46f7-8245-C1DE2FDF1A3A HTTP/1.1" 401 104 "-" "Java/1.8.0_222"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:15 +0100] "POST /IDMProv/resource/service HTTP/1.1" 200 527 "-" "Jakarta Commons-HttpClient/3.1"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:16 +0100] "POST /IDMProv/rest/access/index/permissions HTTP/1.1" 200 275 "-" "RPT-HTTPClient/0.3-2L"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:16 +0100] "POST /IDMProv/rest/access/index/permissions HTTP/1.1" 200 274 "-" "RPT-HTTPClient/0.3-2L"
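Added example (not part of the thread, and not code from any poster or from the product): one way to tally the access log lines from the last post by endpoint kind, client and status, to see which interface a policy action actually reached and which requests were rejected. It assumes the log format shown in the post and that /IDMProv/resource/service is the SOAP resource web service linked earlier in the thread; the function names are hypothetical.

```python
import re
from collections import Counter

# Access log lines as posted in the thread.
LOG = """\
172.16.21.131 - - [18/Nov/2019:16:11:09 +0100] "GET /IDMDCS-CORE/rpt/idvs/guid/DF2FDEC1-3A1A-46f7-8245-C1DE2FDF1A3A HTTP/1.1" 401 104 "-" "Java/1.8.0_222"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:15 +0100] "POST /IDMProv/resource/service HTTP/1.1" 200 509 "-" "Jakarta Commons-HttpClient/3.1"
172.16.21.131 - dcsdrv [18/Nov/2019:16:11:15 +0100] "POST /osp/a/idm/auth/oauth2/grant HTTP/1.1" 400 111 "-" "Java/1.8.0_222"
172.16.21.131 - - [18/Nov/2019:16:11:15 +0100] "GET /IDMDCS-CORE/rpt/idvs/guid/DF2FDEC1-3A1A-46f7-8245-C1DE2FDF1A3A HTTP/1.1" 401 104 "-" "Java/1.8.0_222"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:15 +0100] "POST /IDMProv/resource/service HTTP/1.1" 200 527 "-" "Jakarta Commons-HttpClient/3.1"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:16 +0100] "POST /IDMProv/rest/access/index/permissions HTTP/1.1" 200 275 "-" "RPT-HTTPClient/0.3-2L"
172.16.21.131 - cn=uaadmin,ou=sa,o=data [18/Nov/2019:16:11:16 +0100] "POST /IDMProv/rest/access/index/permissions HTTP/1.1" 200 274 "-" "RPT-HTTPClient/0.3-2L"
"""

# The user field is matched lazily because an LDAP DN may contain spaces.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>.*?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$')

def parse(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def kind(path):
    if path.startswith("/IDMProv/rest/"):
        return "rest"
    if path == "/IDMProv/resource/service":
        return "soap"  # assumption: the SOAP resource web service endpoint
    if path.startswith("/osp/"):
        return "osp"   # token requests to the OSP OAuth2 endpoint
    return "other"

def summarize(text):
    """Count requests per (endpoint kind, user agent, HTTP status)."""
    records = filter(None, map(parse, text.splitlines()))
    return Counter((kind(r["path"]), r["agent"], int(r["status"])) for r in records)

def rejected(text):
    """Requests answered with a 4xx/5xx status, as (user, path, status)."""
    records = filter(None, map(parse, text.splitlines()))
    return [(r["user"], r["path"], int(r["status"]))
            for r in records if int(r["status"]) >= 400]

if __name__ == "__main__":
    for key, n in sorted(summarize(LOG).items()):
        print(n, *key)
    print("rejected:", rejected(LOG))
```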