tschloesser, Outstanding Contributor

Question regarding PCRS

Working with IDM for a very long time now, I never really used the PCRS on any driver. However, in a current project it might be useful, but I have to admit I do not understand this "new" feature 100%.

At the end, the only thing I really need is an automated creation of resources for any group available in Active Directory in a certain sub-container and, if possible, following a given naming standard.
Maybe it would be great if a resource would be deleted automatically as well, but I have not thought about that too long!

Browsing the limited information/documentation on PCRS, I found that this service can do much more, which I do not really need. So my question is: can PCRS be configured in a way that it fulfils only my requirements, or would it be a better approach to code some policies on my own to handle the resources only?

What I do not want is that any assignment to users is controlled from the target system; this should only be done through the role management in IDM.

BTW: I know that IDM 4.7 is shipping with a new and more powerful service/feature, CPRS, but at this time we are not able to get to 4.7 for some reasons 😞

Kind regards,

Thorsten
sma2006, Outstanding Contributor

Re: Question regarding PCRS

Hello Thorsten,

I already did some tests with IDM 4.7 PCRS.

This new feature is mainly (only) useful if you want to provision the resources from the target system:
- For example, when group membership changes in AD, the Identity App portal gets the list of new users and you decide if you want to publish it in the resource.
(you must define the involved resources manually)

I did not see any feature that creates the resource from the AD group.

For that, you need at least IDM 4.6, which provides the "create resource" action where you can set the entitlement value from the AD GUID of the group. I did a simple rule that does that easily.

With this you can create the resource with the naming you want and not follow the "strange" naming that PCRS did in previous versions.

Hope this will help you.

Regards


Sylvain
Knowledge Partner

Re: Question regarding PCRS

On 5/15/2018 5:34 AM, sma wrote:
>
> Hello Thorsten,
>
> I already did some tests with IDM 4.7 PCRS.
>
> This new feature is mainly (only) useful if you want to provision the
> resources from the target system:
> - For example, when group membership changes in AD, the Identity App
> portal gets the list of new users and you decide if you want to publish
> it in the resource.
> (you must define the involved resources manually)
>
> I did not see any feature that creates the resource from the AD group.
>
> For that, you need at least IDM 4.6, which provides the "create resource"
> action where you can set the entitlement value from the AD GUID of the
> group. I did a simple rule that does that easily.
>
> With this you can create the resource with the naming you want and not
> follow the "strange" naming that PCRS did in previous versions.


Have you figured out how to use Create Resource to create it in a
subcontainer in the Resource containers? You need to specify the entire
DN in entityKey in the SOAP call.

I am working through this as well. Just redo the Entitlement Query,
find the data that is used for the Entitlement value, and make the
Resource with that proper JSON formatted entitlement Reference value.


This should really be built in, since it is kind of a pain to manually
make them all.


sma2006, Outstanding Contributor

Re: Question regarding PCRS

No, I used the following rule, and unfortunately there is no option for the resource container:

<rule>
    <description>Create resource when new group is ADDED</description>
    <conditions>
        <and>
            <if-operation mode="nocase" op="equal">add</if-operation>
            <if-class-name mode="nocase" op="equal">Group</if-class-name>
            <!-- only groups directly inside the AD container named by the GCV -->
            <if-src-dn op="in-container">~drv.group.container~</if-src-dn>
        </and>
    </conditions>
    <actions>
        <!-- for the AD driver the association is the group's objectGUID -->
        <do-set-local-variable name="groupGUID" scope="policy">
            <arg-string>
                <token-association/>
            </arg-string>
        </do-set-local-variable>
        <do-set-local-variable name="groupName" scope="policy">
            <arg-string>
                <token-src-name/>
            </arg-string>
        </do-set-local-variable>
        <!-- naming standard: fixed prefix plus the AD group name -->
        <do-set-local-variable name="resourceName" scope="policy">
            <arg-string>
                <token-text xml:space="preserve">AD_Group_Resource_</token-text>
                <token-local-variable name="groupName"/>
            </arg-string>
        </do-set-local-variable>
        <!-- the User Application admin password is stored in clear text in the policy;
             a named password (token-named-password) keeps it out of the policy XML -->
        <do-create-resource id="cn=uaadmin,ou=users,o=data" resource-name="$resourceName$" time-out="0" url="~UAProvURL~">
            <arg-password>
                <token-text xml:space="preserve">novell</token-text>
            </arg-password>
            <arg-string name="description">
                <token-text xml:space="preserve">AD_Group_Resource_</token-text>
                <token-local-variable name="groupName"/>
            </arg-string>
            <arg-string name="display-name">
                <token-text xml:space="preserve">AD_Group_Resource_</token-text>
                <token-local-variable name="groupName"/>
            </arg-string>
            <arg-string name="entitlement-dn">
                <token-text xml:space="preserve">cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system</token-text>
            </arg-string>
            <!-- AD driver group entitlement value: {"ID":"<objectGUID>","ID2":"<group DN>"};
                 the OU path in ID2 is hard-coded to the test container here -->
            <arg-string name="entitlement-value">
                <token-text xml:space="preserve">{"ID":"</token-text>
                <token-local-variable name="groupGUID"/>
                <token-text xml:space="preserve">","ID2":"CN=</token-text>
                <token-local-variable name="groupName"/>
                <token-text xml:space="preserve">,OU=groups,OU=test,DC=demotest,DC=com"}</token-text>
            </arg-string>
        </do-create-resource>
    </actions>
</rule>

At least, we can select a category which may help to organize the resources.
Knowledge Partner
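The rule above pastes the group name into a fixed OU path and into a JSON string by plain concatenation, so a group whose CN contains an escaped comma, a quote or a backslash produces a wrong ID2 or invalid JSON, and only the one hard-coded container works. The following Python is an added example, not code from the thread or from NetIQ: it applies the same conditions the rule uses (add, class Group, directly in the configured AD container), derives the resource name from the naming standard, and builds the entitlement value from the event's own source DN with proper JSON quoting. The container DNs, the resource-definition container used for the candidate entityKey DN that Geoffrey mentions, and the sample event are assumptions; whether do-create-resource honours such a full DN is not confirmed anywhere in this thread.

```python
"""Translate an AD group 'add' event into do-create-resource arguments.
Added example for this thread; containers, names and the event are assumed."""
import json
import re

RESOURCE_PREFIX = "AD_Group_Resource_"          # naming standard (prefix from the posted rule)
# Stands in for the ~drv.group.container~ GCV of the posted rule (assumed value).
GROUP_CONTAINER = "OU=groups,OU=test,DC=demotest,DC=com"
ENTITLEMENT_DN = "cn=Group,cn=Active Directory Driver,cn=driverset,ou=services,o=system"
# Assumed location of resource definitions in the User Application driver.
RESOURCE_CONTAINER = ("cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,"
                      "cn=User Application Driver,cn=driverset,ou=services,o=system")


def split_dn(dn):
    """Split an LDAP DN into RDNs, honouring backslash escapes (RFC 4514)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):    # keep the escaped char with its escape
            current.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                         # an unescaped comma ends the RDN
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def in_container(dn, container, subtree=False):
    """Case-insensitive check like <if-src-dn op="in-container"> (direct child
    only); subtree=True behaves like op="in-subtree"."""
    parts = [p.lower() for p in split_dn(dn)]
    base = [p.lower() for p in split_dn(container)]
    if len(parts) <= len(base) or parts[-len(base):] != base:
        return False
    return subtree or len(parts) == len(base) + 1


def rdn_value(rdn):
    """Unescaped value of one RDN: 'CN=Sales\\, EMEA' -> 'Sales, EMEA'."""
    _, _, value = rdn.partition("=")
    return re.sub(r"\\(.)", r"\1", value)


def resource_name(group_dn):
    """Prefix + group CN with anything outside [A-Za-z0-9_-] collapsed to '_',
    so the result is a safe and stable CN for the resource."""
    cn = rdn_value(split_dn(group_dn)[0])
    return RESOURCE_PREFIX + re.sub(r"[^A-Za-z0-9_-]+", "_", cn).strip("_")


def entitlement_value(group_guid, group_dn):
    """{"ID": objectGUID, "ID2": group DN} as in the posted rule, but ID2 is the
    event's real source DN and json.dumps does the quoting, so a CN containing
    '"' or '\\' cannot yield broken JSON."""
    return json.dumps({"ID": group_guid, "ID2": group_dn}, separators=(",", ":"))


def create_resource_args(event, subcontainer=None):
    """Apply the rule's conditions to an event dict with keys 'operation',
    'class-name', 'src-dn' and 'association' (the objectGUID) and return the
    do-create-resource arguments, or None when the event does not match.
    subcontainer is an optional RDN (e.g. 'cn=AD') below RESOURCE_CONTAINER
    used only to build a candidate full DN for a SOAP entityKey (assumed)."""
    if event.get("operation", "").lower() != "add":
        return None
    if event.get("class-name", "").lower() != "group":
        return None
    group_dn = event["src-dn"]
    if not in_container(group_dn, GROUP_CONTAINER):
        return None
    name = resource_name(group_dn)
    container = f"{subcontainer},{RESOURCE_CONTAINER}" if subcontainer else RESOURCE_CONTAINER
    return {
        "resource-name": name,
        "display-name": name,
        "description": name,
        "entitlement-dn": ENTITLEMENT_DN,
        "entitlement-value": entitlement_value(event["association"], group_dn),
        "entity-key": f"cn={name},{container}",   # assumed; not confirmed to work
    }


# Constructed sample event, not a real driver trace. The escaped comma in the
# CN is exactly what breaks a rule that concatenates the CN into a fixed DN.
SAMPLE_EVENT = {
    "operation": "add",
    "class-name": "Group",
    "src-dn": "CN=Sales\\, EMEA,OU=groups,OU=test,DC=demotest,DC=com",
    "association": "1a2b3c4d5e6f70819293a4b5c6d7e8f9",
}

if __name__ == "__main__":
    print(json.dumps(create_resource_args(SAMPLE_EVENT, subcontainer="cn=AD"), indent=2))
```

The same logic can be carried back into DirXML Script: take ID2 from `<token-src-dn/>` instead of a pasted OU path, and keep `in-container` versus `in-subtree` in mind when the groups live in nested OUs, since the posted condition only matches direct children of the GCV container.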

Re: Question regarding PCRS

On 5/15/2018 9:24 AM, sma wrote:
>
> No, I used the following rule, and unfortunately there is no option for
> the resource container:
>
> [rule snipped; see the previous reply]
>
> At least, we can select a category which may help to organize the
> resources.


I have yet to test it, but want to see if I specify an <arg-string
name="entityKey"> with the full DN if that works... Depends if the
underlying engine code says add a node for each arg-string with the
value, or if they are hard coded...



cpedersen, Outstanding Contributor

Re: Question regarding PCRS

On 15.05.18 16:49, Geoffrey Carman wrote:
> On 5/15/2018 9:24 AM, sma wrote:
>>
>> No, I used the following rule, and unfortunately there is no option for
>> the resource container:
>>
>> [rule snipped; see the earlier reply]
>>
>> At least, we can select a category which may help to organize the
>> resources.
>
> I have yet to test it, but want to see if I specify an <arg-string
> name="entityKey"> with the full DN if that works.  Depends if the
> underlying engine code says add a node for each arg-string with the
> value, or if they are hard coded...

Geoffrey,

There might be a bug in do-create-resource which causes it to not be
able to create resources in sub containers. But if you do find a way to
make it then please let us know.


Casper


Knowledge Partner

Re: Question regarding PCRS

> Geoffrey,
>
> There might be a bug in do-create-resource which causes it to not be
> able to create resources in sub containers. But if you do find a way to
> make it then please let us know.


If it were not for the bug, what would be the way to specify a specific
subcontainer?
cpedersen, Outstanding Contributor

Re: Question regarding PCRS

On 16.05.18 00:56, Geoffrey Carman wrote:
>> Geoffrey,
>>
>> There might be a bug in do-create-resource which causes it to not be
>> able to create resources in sub containers. But if you do find a way
>> to make it then please let us know.

>
> If it were not for the bug, what would be the way to specify a specific
> subcontainer?


I seem to remember that the SOAP call is using the full DN, whereas
do-create-role has an additional parameter (which is not there for
do-create-resource).

I'm not really the right person to have an opinion about this.

Looking at this again, it could be that providing the full DN would
work, did you try it?



Casper
Knowledge Partner

Re: Question regarding PCRS

On 5/16/2018 2:26 PM, Casper Pedersen wrote:
> On 16.05.18 00:56, Geoffrey Carman wrote:
>>> Geoffrey,
>>>
>>> There might be a bug in do-create-resource which causes it to not be
>>> able to create resources in sub containers. But if you do find a way
>>> to make it then please let us know.

>>
>> If it were not for the bug, what would be the way to specify a
>> specific subcontainer?

>
> I seem to remember that the SOAP call is using the full DN, whereas
> do-create-role has an additional parameter (which is not there for
> do-create-resource).
>
> I'm not really the right person to have an opinion about this.
>
> Looking at this again, it could be that providing the full DN would
> work, did you try it?


I tried entityKey as a string with the full DN and it did not work.

You think that on the main page, perhaps the full LDAP DN might work?
Ok, will try that.

And yes, the SOAP API for Role has an option for containers. SteveW in
the past has explained that as you noted it is missing for Resources and
that the way to do it is to use the EntityKey node with the full DN
(Thus my attempt that failed).


