
REST driver entitlements on user creation

Hello,

I am building a REST driver with user and userrole endpoints. I have everything working with entitlements (account and role) except the case when a user is granted a role entitlement before they are given the account entitlement. In this case I haven't been able to add the roles because the user isn't created yet.

I have been trying to copy how the AD driver does it in NOVLADENTEX-itp-EntitlementsImpl which is talked about here: https://www.netiq.com/documentation/idm45/idm_entitlements/data/bfpqcdb.html

The issue I am running into with this approach is that when we do "add source attribute value" in the input transform it does not go out the output transform. It appears to send the xml directly to the shim. Is this expected?

What would be the correct way to approach this problem?

Here is a driver startup and trace of giving a user the account entitlement: https://pastebin.com/2R1hk6u0

Thanks,
Jeremiah

jrmhscht <jrmhscht@no-mx.forums.microfocus.com> wrote:
> Hello,
>
> I am building a REST driver with user and userrole endpoints. I have
> everything working with entitlements (account and role) except the case
> when a user is granted a role entitlement before they are given the
> account entitlement. In this case I haven't been able to add the roles
> because the user isn't created yet.
>
> I have been trying to copy how the AD driver does it in
> NOVLADENTEX-itp-EntitlementsImpl which is talked about here:
> https://www.netiq.com/documentation/idm45/idm_entitlements/data/bfpqcdb.html
>
> The issue I am running into with this approach is that when we do "add
> source attribute value" in the input transform it does not go out the
> output transform. It appears to send the xml directly to the shim. Is
> this expected?


Yes, remember what namespace you are in (app, not eDir).

> What would be the correct way to approach this problem?
>


Various approaches, for example:

0. Construct the write-back change with driver-op-data and payload. Should
work if the shim handles channel write-back. Because your command runs in
itp it won't go through otp and get auto translated.

1. In the command transform, use when=after to schedule the modify after the add.

2. From add association in itp, tag the user in IDV with a specific attr,
then have a job that runs every 10 mins and looks for such users and
re-triggers the relevant role entitlement change.

3. From add association in itp, construct a sync op and inject it into the
event cache (there is a jar for this; I have written an ecmascript version.
Have submitted an enhancement request to get this as a more officially
supported mechanism).

Likely other ideas also.
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
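The ordering problem in the options above (a role grant that reaches the driver before the account exists, and how to hold it back until the add has gone through) is easier to reason about in a small model than in policy XML. The following is an added example written for this page, not code from the thread or from the IDM product: it models options 1 and 2 in Python, with a constructed stand-in for the REST user/userrole endpoints. `RestTarget`, `EntitlementSequencer` and the sample events are all assumptions made for the illustration; the real driver expresses the same logic in DirXML-Script, and the actual endpoint behaviour is whatever the API developer implemented.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class EntitlementEvent:
    """One entitlement change as it would arrive on the driver's subscriber channel."""
    kind: str                   # "account" (create the user) or "role" (grant a user role)
    user: str                   # user identifier in the target system
    role: Optional[str] = None  # role name, only meaningful for kind == "role"


class RestTarget:
    """Constructed stand-in for the REST application's user and userrole endpoints."""

    def __init__(self) -> None:
        self.users: set[str] = set()
        self.roles: dict[str, set[str]] = defaultdict(set)

    def put_user(self, user: str) -> None:
        self.users.add(user)

    def put_user_role(self, user: str, role: str) -> None:
        # Assumption: the real userrole endpoint rejects a role for an unknown user.
        if user not in self.users:
            raise LookupError(f"user {user!r} does not exist")
        self.roles[user].add(role)


class EntitlementSequencer:
    """Orders role grants behind account creation instead of sending them blindly."""

    def __init__(self, target: RestTarget) -> None:
        self.target = target
        self.parked: dict[str, list[str]] = defaultdict(list)  # roles waiting for an account
        self.log: list[tuple] = []

    def handle(self, ev: EntitlementEvent) -> None:
        if ev.kind == "account":
            self.target.put_user(ev.user)
            self.log.append(("created", ev.user))
            # Option 1 in spirit: replay grants that arrived before the account existed,
            # i.e. the modify runs after the add.
            for role in self.parked.pop(ev.user, []):
                self.target.put_user_role(ev.user, role)
                self.log.append(("replayed", ev.user, role))
        elif ev.kind == "role":
            if ev.user in self.target.users:
                self.target.put_user_role(ev.user, ev.role)
                self.log.append(("granted", ev.user, ev.role))
            else:
                # No account yet: park the grant rather than call an endpoint that will fail.
                self.parked[ev.user].append(ev.role)
                self.log.append(("parked", ev.user, ev.role))
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    def retry_parked(self) -> int:
        """Option 2 in spirit: a periodic sweep that replays parked grants for users
        whose account has since appeared (for example, created out of band)."""
        replayed = 0
        for user in list(self.parked):
            if user in self.target.users:
                for role in self.parked.pop(user):
                    self.target.put_user_role(user, role)
                    self.log.append(("swept", user, role))
                    replayed += 1
        return replayed


def naive_send(target: RestTarget, events: list[EntitlementEvent]) -> list[str]:
    """Send every event immediately; returns the errors the endpoint would produce."""
    errors = []
    for ev in events:
        try:
            if ev.kind == "account":
                target.put_user(ev.user)
            else:
                target.put_user_role(ev.user, ev.role)
        except LookupError as exc:
            errors.append(str(exc))
    return errors


# Constructed sample: the role grant for alice arrives one event before her account.
SAMPLE_EVENTS = [
    EntitlementEvent("role", "alice", "auditor"),
    EntitlementEvent("account", "alice"),
    EntitlementEvent("account", "bob"),
    EntitlementEvent("role", "bob", "viewer"),
]


def run_sample() -> tuple[list[str], dict[str, set[str]], list[tuple]]:
    """Returns (naive errors, sequenced role state, sequencer log) for SAMPLE_EVENTS."""
    naive_errors = naive_send(RestTarget(), SAMPLE_EVENTS)
    target = RestTarget()
    seq = EntitlementSequencer(target)
    for ev in SAMPLE_EVENTS:
        seq.handle(ev)
    return naive_errors, dict(target.roles), seq.log


if __name__ == "__main__":
    errors, roles, log = run_sample()
    print("naive errors:", errors)
    print("sequenced roles:", roles)
    for entry in log:
        print(entry)
```

Running it shows the naive path losing alice's role (the endpoint reports the user does not exist) while the sequenced path parks the grant and replays it once the account add has completed. The `retry_parked` sweep is the same idea as the scheduled job in option 2: whatever was parked is retried on a timer, so a grant is never silently dropped, and the parked list doubles as the place to look when an entitlement appears to have vanished.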
Thanks for the info. I tried your option 1 and was getting a timeout from the API. I may need to revisit that and try to find out why it was timing out. Is there a way to delay the "after" operation by a second or two?

I was thinking about option 3 earlier and wasn't sure how to go about it. Are you able to share your ecmascript?

Thanks,
Jeremiah

To me that sounds like you have to do it the hard way. When a user role is added check whether user exists and if not then create the user containing enough data for the actual user add to pick it up.
__________
Pekka Kuronen
Pegasi Oy / pegasi.fi

kuronen wrote:
> To me that sounds like you have to do it the hard way. When a user role
> is added check whether user exists and if not then create the user
> containing enough data for the actual user add to pick it up.


This is an excellent point and if that is possible do that.
However, one often has a "chicken and the egg" situation where the user has to
exist in target system before they can be assigned roles and other memberships.
The AD approach is great for that.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway

jrmhscht <jrmhscht@no-mx.forums.microfocus.com> wrote:
> Thanks for the info. I tried your option 1 and was getting a timeout
> from the API.

So it is actually sent and the web server borks? Or is it the shim? I
vaguely recall that SOAP or REST had issues with multiple commands to shim
in same event. Would only process the first one.

> I may need to revisit that and try find out why it was
> timing out. Is there a way to delay the "after" operation by a second
> or two?

Not any good way.

> I was thinking about option 3 earlier and wasn't sure how to go about
> it. Are you able to share your ecmascript?

I'd been hoping that the eventual inclusion of this functionality in a more
supported way would negate the need to share my script. There is a JAR and
cool solution published. The JAR includes source code which I just adapted
to ECMAScript.

I don’t have time to write it up right now. Maybe in a week or so.
Alex McHugh - Knowledge Partner - Stavanger, Norway

I believe it is doing the PUT but the web service times out. I am waiting to work with the developer to troubleshoot that more.

I took a look at the jar and may use it, but I'm trying to decide if I want to deal with custom jars on the servers from a maintenance point of view.

We'll see what I learn from the API developer next week first. I would be interested in your script, but don't worry too much about it.

Thanks!

I know this is an old thread but I am struggling to accomplish the same thing as the OP. Can you provide a quick overview of how you would go about implementing option "0" ("Construct the write-back change with driver-op-data and payload") that you suggested?

From add association in itp, I can set a source attribute value but that results in a modify operation. For the life of me, I can't figure out how to create the driver-operation-data element in the ITP policy.

Any advice is appreciated. Thanks in advance!