Knowledge Partner

Re: SAP GRC - Password expiration and input Stylesheets

> I am using SAP Portal driver for user provisioning (adds, modifies and
> password synchronization) to SAP GRC, no other events are needed.
> In a modify password or also an add event, the password is always set
> as expired at SAP GRC, so the users have to change their passwords
> every time the driver synchronizes a new one from the eDir.
> The base policy NOVLPORTB-otp-passwordChange tries to set a
> sapnewpassword and sapoldpassword but it doesn't work, it always
> requires a new password change.
> Is there any way to bypass this setting with the driver?


Looking at D4.02, I see there is a 1.01 package of the SAP Portal driver.

Not sure which one you are running (Base package anyway).

Show us some trace of this rule misfiring, and let's see if it is easily
fixable?


> I also would appreciate if anyone knows if a newer version of the sap
> portal driver is about to come, because for example the input stylesheet
> NOVLPORTB-its-SPMLInputTransform only matches the searchResponse nodes and
> all the other ones are not even handled and sometimes the structure of
> the SPML responses is not similar and it makes it really difficult to
> manage errors for notifications.
>
> thanks in advance
>
>
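An added example, not part of the original posts and not the driver's own code: one way to reduce an SPML response to a single outcome regardless of which `*Response` node comes back, run against the `batchResponse` from the trace posted later in this thread. The sample is abridged from that trace; `classify` and the result field names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Abridged from the batchResponse in this thread's trace (whitespace re-flowed,
# the nested return-to-me block and the xmlns:ncs declarations dropped).
SAMPLE = r"""<nds dtdversion="2.0"><output>
<batchResponse errorCode="urn:oasis:names:tc:SPML:1:0#customError"
    requestID="request-1341323061262user_test"
    result="urn:oasis:names:tc:SPML:1:0#failure"
    xmlns="urn:oasis:names:tc:SPML:1:0">
  <errorMessage xmlns="">Exception when processing a single request, check log file</errorMessage>
  <status event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
      level="success">
    <operation-data><errorMessage>
      <identifier type="urn:oasis:names:tc:SPML:1:0#GenericString" xmlns="">
        <id>USER.PRIVATE_DATASOURCE.un:user_test</id>
      </identifier>
    </errorMessage></operation-data>
  </status>
  <add-association dest-dn="\IDM_TREE\Meta\Accounts\People\user_test"
      dest-entry-id="37471">USER.PRIVATE_DATASOURCE.un:user_test</add-association>
  <status event-id="" level="error" type="app-general">urn:oasis:names:tc:SPML:1:0#noSuchIdentifier;
No valid id to modify defined<operation-data><errorMessage/></operation-data></status>
</batchResponse></output></nds>"""

BAD_LEVELS = {"error", "fatal", "retry"}  # DirXML status levels that are not a success


def _local(tag):
    """Element name without its namespace (the response mixes SPML and empty namespaces)."""
    return tag.rsplit("}", 1)[-1]


def _frag(urn):
    """'urn:oasis:names:tc:SPML:1:0#failure' -> 'failure'."""
    return (urn or "").rsplit("#", 1)[-1]


def _text(el):
    """Leading text of an element with whitespace collapsed."""
    return " ".join((el.text or "").split())


def classify(xml_text):
    """Collect every *Response result and every <status>, then derive one verdict."""
    # The document comes from the connected application: refuse DTDs before parsing.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DOCTYPE not allowed in SPML response")
    root = ET.fromstring(xml_text)

    responses, statuses, associated = [], [], False
    for el in root.iter():
        name = _local(el.tag)
        if name.endswith("Response"):  # batchResponse, addResponse, modifyResponse, ...
            msg = next((_text(c) for c in el if _local(c.tag) == "errorMessage"), "")
            responses.append({"name": name, "result": _frag(el.get("result")),
                              "error_code": _frag(el.get("errorCode")), "message": msg})
        elif name == "status":
            statuses.append({"level": el.get("level", ""),
                             "event_id": el.get("event-id", ""), "text": _text(el)})
        elif name == "add-association":
            associated = True

    failed = (any(r["result"] == "failure" for r in responses)
              or any(s["level"] in BAD_LEVELS for s in statuses))
    if failed:
        verdict = "error"
    elif (responses or statuses) and all(r["result"] == "success" for r in responses) \
            and all(s["level"] == "success" for s in statuses):
        verdict = "success"
    else:
        verdict = "unknown"  # fail closed: pending, empty or unrecognised documents

    conflicts = []
    if verdict == "error":
        if any(s["level"] == "success" for s in statuses):
            conflicts.append("status level=success inside a failed response")
        if associated:
            conflicts.append("add-association emitted although the request failed")
    for s in statuses:
        if s["level"] in BAD_LEVELS and not s["event_id"]:
            conflicts.append("error status without event-id cannot be correlated to the event")

    return {"verdict": verdict, "responses": responses,
            "statuses": statuses, "conflicts": conflicts}


if __name__ == "__main__":
    outcome = classify(SAMPLE)
    print(outcome["verdict"], outcome["responses"][0]["error_code"])
    for line in outcome["conflicts"]:
        print(" -", line)
```

Notifications keyed on the verdict rather than on the first `<status>` element avoid reporting the add above as a success.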




Re: SAP GRC - Password expiration and input Stylesheets

I need to find the time to pop in such a driver into my Designer and
look at what it is trying to do.

Looks like it is setting old and new to the same generated password, except
that the values look different?

Edit the policy to make it NOT add the is-sensitive=true so you can see
the passwords for testing.


On 7/3/2012 10:36 AM, sbenavidez wrote:
>
> geoffc;2204751 Wrote:
>>> I am using SAP Portal driver for user provisioning (adds, modifies and
>>> password synchronization) to SAP GRC, no other events are needed.
>>> In a modify password or also an add event, the password is always set
>>> as expired at SAP GRC, so the users have to change their passwords
>>> every time the driver synchronizes a new one from the eDir.
>>> The base policy NOVLPORTB-otp-passwordChange tries to set a
>>> sapnewpassword and sapoldpassword but it doesn't work, it always
>>> requires a new password change.
>>> Is there any way to bypass this setting with the driver?
>>
>> Looking at D4.02, I see there is a 1.01 package of the SAP Portal
>> driver.
>>
>> Not sure which one you are running (Base package anyway).
>>
>> Show us some trace of this rule misfiring, and let's see if it is
>> easily fixable?
>>
>>
>>> I also would appreciate if anyone knows if a newer version of the sap
>>> portal driver is about to come, because for example the input stylesheet
>>> NOVLPORTB-its-SPMLInputTransform only matches the searchResponse nodes and
>>> all the other ones are not even handled and sometimes the structure of
>>> the SPML responses is not similar and it makes it really difficult to
>>> manage errors for notifications.
>>>
>>> thanks in advance
>>>
>>>
>
>
> thanks geoffc for your answer,
>
> I forgot to say I'm using IDM 4.0.1 with the SAP Portal Driver 1.01
> without changes. I attached here the log of an add event.
> From what I see, it is considered that the passwords are always expired
> in SAP (rule NOVLPORTB-otp-passwordChange), but the user is created with
> the expired random generated password and not the eDir one.
> On the other hand, the response seems to have some errors, but when you
> look at the policy NOVLPORTB-itp-addAssociation you find out that this
> xml response structure is expected, but is not always in this way, so
> it's really complicated to handle errors or success events
> notifications.
> Can anyone give me a hand?
>
>
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20120703134421.026Z" class-name="sapuser"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2">
> <add-attr attr-name="CN">
> <value>user_test</value>
> </add-attr>
> <add-attr attr-name="firstname">
> <value timestamp="1341323060#2" type="string">user </value>
> </add-attr>
> <add-attr attr-name="password"><!-- content suppressed -->
> </add-attr>
> <add-attr attr-name="lastname">
> <value timestamp="1341322680#3" type="string">test</value>
> </add-attr>
> <add-attr attr-name="logonname">
> <value timestamp="1341322680#8"
> type="string">user_test</value>
> </add-attr>
> <operation-data AccountTracking-logonname="user_test"
> accountAction="accountEnableByEntitlementGrant" association=""
> guid="N9BJM8SwaEdToTfQSTPEsA=="
> idtype="urn:oasis:names:tc:SPML:1:0#GenericString" objectClass="User"
> sourceDN="\IDM_TREE\Meta\Accounts\People\user_test"
> timestamp="1341323061262" userRDN="user_test">
> <entitlement-impl id="" name="UserAccount"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test" src="UA"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> state="1">{"ID":"PortalUserAccount"}</entitlement-impl>
> </operation-data>
> </add>
> </input>
> </nds>
> [07/03/12 10:44:21.265]:SAP Portal GRC ST:Applying policy:
> %+C%14CNOVLPORTB-otp-passwordChange%-C.
> [07/03/12 10:44:21.265]:SAP Portal GRC ST: Applying to add #1.
> [07/03/12 10:44:21.265]:SAP Portal GRC ST: Evaluating selection
> criteria for rule 'Do a set on password if necessary (not using
> entitlements)'.
> [07/03/12 10:44:21.266]:SAP Portal GRC ST: (if-operation equal
> "add") = TRUE.
> [07/03/12 10:44:21.266]:SAP Portal GRC ST: (if-global-variable
> 'drv.entitlement.UserAccount' equal "false") = FALSE.
> [07/03/12 10:44:21.266]:SAP Portal GRC ST: Rule rejected.
> [07/03/12 10:44:21.266]:SAP Portal GRC ST: Evaluating selection
> criteria for rule 'Do a set on password if necessary (no
> entitlements)'.
> [07/03/12 10:44:21.266]:SAP Portal GRC ST: (if-operation equal
> "add") = TRUE.
> [07/03/12 10:44:21.267]:SAP Portal GRC ST: (if-global-variable
> 'drv.entitlement.UserAccount' not-available) = FALSE.
> [07/03/12 10:44:21.267]:SAP Portal GRC ST: Rule rejected.
> [07/03/12 10:44:21.267]:SAP Portal GRC ST: Evaluating selection
> criteria for rule 'Do a set on password if necessary. (using
> entitlements)'.
> [07/03/12 10:44:21.267]:SAP Portal GRC ST: (if-operation equal
> "add") = TRUE.
> [07/03/12 10:44:21.267]:SAP Portal GRC ST: (if-global-variable
> 'drv.entitlement.UserAccount' equal "true") = TRUE.
> [07/03/12 10:44:21.267]:SAP Portal GRC ST: Rule selected.
> [07/03/12 10:44:21.268]:SAP Portal GRC ST: Applying rule 'Do a set
> on password if necessary. (using entitlements)'.
> [07/03/12 10:44:21.268]:SAP Portal GRC ST: Action:
> do-add-dest-attr-value("sapnewpassword",token-attr("nspmDistributionPassword")).
> [07/03/12 10:44:21.268]:SAP Portal GRC ST:
> arg-string(token-attr("nspmDistributionPassword"))
> [07/03/12 10:44:21.268]:SAP Portal GRC ST:
> token-attr("nspmDistributionPassword")
> [07/03/12 10:44:21.268]:SAP Portal GRC ST: Query from
> policy
> [07/03/12 10:44:21.269]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <query class-name="sapuser"
> dest-dn="\IDM_TREE\Meta\Accounts\People\user_test" dest-entry-id="37471"
> scope="entry">
> <read-attr attr-name="nspmDistributionPassword"/>
> </query>
> </input>
> </nds>
> [07/03/12 10:44:21.269]:SAP Portal GRC ST: Pumping XDS to
> eDirectory.
> [07/03/12 10:44:21.269]:SAP Portal GRC ST: Performing
> operation query for \IDM_TREE\Meta\Accounts\People\user_test.
> [07/03/12 10:44:21.270]:SAP Portal GRC ST: --JCLNT--
> \IDM_TREE\Meta\Services\DriverSet1\SAP Portal Driver GRC : Duplicating :
> context = 141557923, tempContext = 141557920
> [07/03/12 10:44:21.272]:SAP Portal GRC ST: --JCLNT--
> \IDM_TREE\Meta\Services\DriverSet1\SAP Portal Driver GRC : Calling free
> on tempContext = 141557920
> [07/03/12 10:44:21.272]:SAP Portal GRC ST: Query from policy
> result
> [07/03/12 10:44:21.272]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <instance class-name="User"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471">
> <attr attr-name="nspmDistributionPassword"><!-- content
> suppressed -->
> </attr>
> </instance>
> <status level="success"></status>
> </output>
> </nds>
> [07/03/12 10:44:21.273]:SAP Portal GRC ST: Token Value:
> "Qwerty1234".
> [07/03/12 10:44:21.273]:SAP Portal GRC ST: Arg Value:
> "Qwerty1234".
> [07/03/12 10:44:21.274]:SAP Portal GRC ST: Action:
> do-set-xml-attr("is-sensitive","add-attr[@attr-name='sapnewpassword']","true").
> [07/03/12 10:44:21.274]:SAP Portal GRC ST: arg-string("true")
> [07/03/12 10:44:21.274]:SAP Portal GRC ST: token-text("true")
> [07/03/12 10:44:21.274]:SAP Portal GRC ST: Arg Value: "true".
> [07/03/12 10:44:21.274]:SAP Portal GRC ST: Action:
> do-set-local-variable("generatedPassword",scope="driver",token-xpath("es:createPassword4(8,
> 4, 4)")).
> [07/03/12 10:44:21.274]:SAP Portal GRC ST:
> arg-string(token-xpath("es:createPassword4(8, 4, 4)"))
> [07/03/12 10:44:21.275]:SAP Portal GRC ST:
> token-xpath("es:createPassword4(8, 4, 4)")
> [07/03/12 10:44:21.275]:SAP Portal GRC ST: Token Value:
> "s96xB6d1".
> [07/03/12 10:44:21.276]:SAP Portal GRC ST: Arg Value:
> "s96xB6d1".
> [07/03/12 10:44:21.276]:SAP Portal GRC ST: Action:
> do-set-dest-password(class-name="User",token-local-variable("generatedPassword")).
> [07/03/12 10:44:21.276]:SAP Portal GRC ST:
> arg-string(token-local-variable("generatedPassword"))
> [07/03/12 10:44:21.276]:SAP Portal GRC ST:
> token-local-variable("generatedPassword")
> [07/03/12 10:44:21.276]:SAP Portal GRC ST: Token Value: "--
> suppressed --".
> [07/03/12 10:44:21.276]:SAP Portal GRC ST: Arg Value: "--
> suppressed --".
> [07/03/12 10:44:21.277]:SAP Portal GRC ST: Action:
> do-add-dest-attr-value("sapoldpassword",token-local-variable("generatedPassword")).
> [07/03/12 10:44:21.277]:SAP Portal GRC ST:
> arg-string(token-local-variable("generatedPassword"))
> [07/03/12 10:44:21.277]:SAP Portal GRC ST:
> token-local-variable("generatedPassword")
> [07/03/12 10:44:21.277]:SAP Portal GRC ST: Token Value:
> "s96xB6d1".
> [07/03/12 10:44:21.277]:SAP Portal GRC ST: Arg Value:
> "s96xB6d1".
> [07/03/12 10:44:21.277]:SAP Portal GRC ST: Action:
> do-set-xml-attr("is-sensitive","add-attr[@attr-name='sapoldpassword']","true").
> [07/03/12 10:44:21.278]:SAP Portal GRC ST: arg-string("true")
> [07/03/12 10:44:21.278]:SAP Portal GRC ST: token-text("true")
> [07/03/12 10:44:21.278]:SAP Portal GRC ST: Arg Value: "true".
> [07/03/12 10:44:21.278]:SAP Portal GRC ST: Action:
> do-strip-op-attr("password").
> [07/03/12 10:44:21.286]:SAP Portal GRC ST: Action:
> do-strip-op-attr("nspmDistributionPassword").
> [07/03/12 10:44:21.286]:SAP Portal GRC ST: Action: do-break().
> [07/03/12 10:44:21.286]:SAP Portal GRC ST:Policy returned:
> [07/03/12 10:44:21.287]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20120703134421.026Z" class-name="sapuser"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2">
> <add-attr attr-name="CN">
> <value>user_test</value>
> </add-attr>
> <add-attr attr-name="firstname">
> <value timestamp="1341323060#2" type="string">user </value>
> </add-attr>
> <add-attr attr-name="lastname">
> <value timestamp="1341322680#3" type="string">test</value>
> </add-attr>
> <add-attr attr-name="logonname">
> <value timestamp="1341322680#8"
> type="string">user_test</value>
> </add-attr>
> <add-attr attr-name="sapnewpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <add-attr attr-name="sapoldpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <password><!-- content suppressed --></password>
> <operation-data AccountTracking-logonname="user_test"
> accountAction="accountEnableByEntitlementGrant" association=""
> guid="N9BJM8SwaEdToTfQSTPEsA=="
> idtype="urn:oasis:names:tc:SPML:1:0#GenericString" objectClass="User"
> sourceDN="\IDM_TREE\Meta\Accounts\People\user_test"
> timestamp="1341323061262" userRDN="user_test">
> <entitlement-impl id="" name="UserAccount"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test" src="UA"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> state="1">{"ID":"PortalUserAccount"}</entitlement-impl>
> </operation-data>
> </add>
> </input>
> </nds>
> [07/03/12 10:44:21.289]:SAP Portal GRC ST:Applying policy:
> %+C%14CNOVLPORTB-otp-Special Attribute Handling Output Trans%-C.
> [07/03/12 10:44:21.290]:SAP Portal GRC ST: Applying to add #1.
> [07/03/12 10:44:21.290]:SAP Portal GRC ST:Policy returned:
> [07/03/12 10:44:21.290]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20120703134421.026Z" class-name="sapuser"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2">
> <add-attr attr-name="CN">
> <value>user_test</value>
> </add-attr>
> <add-attr attr-name="firstname">
> <value timestamp="1341323060#2" type="string">user </value>
> </add-attr>
> <add-attr attr-name="lastname">
> <value timestamp="1341322680#3" type="string">test</value>
> </add-attr>
> <add-attr attr-name="logonname">
> <value timestamp="1341322680#8"
> type="string">user_test</value>
> </add-attr>
> <add-attr attr-name="sapnewpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <add-attr attr-name="sapoldpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <password><!-- content suppressed --></password>
> <operation-data AccountTracking-logonname="user_test"
> accountAction="accountEnableByEntitlementGrant" association=""
> guid="N9BJM8SwaEdToTfQSTPEsA=="
> idtype="urn:oasis:names:tc:SPML:1:0#GenericString" objectClass="User"
> sourceDN="\IDM_TREE\Meta\Accounts\People\user_test"
> timestamp="1341323061262" userRDN="user_test">
> <entitlement-impl id="" name="UserAccount"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test" src="UA"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> state="1">{"ID":"PortalUserAccount"}</entitlement-impl>
> </operation-data>
> </add>
> </input>
> </nds>
> [07/03/12 10:44:21.293]:SAP Portal GRC ST:Applying XSLT policy:
> %+C%14CNOVLPORTB-ots-copyData%-C.
> [07/03/12 10:44:21.293]:SAP Portal GRC ST:Policy returned:
> [07/03/12 10:44:21.294]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20120703134421.026Z" class-name="sapuser"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2">
> <add-attr attr-name="CN">
> <value>user_test</value>
> </add-attr>
> <add-attr attr-name="firstname">
> <value timestamp="1341323060#2" type="string">user </value>
> </add-attr>
> <add-attr attr-name="lastname">
> <value timestamp="1341322680#3" type="string">test</value>
> </add-attr>
> <add-attr attr-name="logonname">
> <value timestamp="1341322680#8"
> type="string">user_test</value>
> </add-attr>
> <add-attr attr-name="sapnewpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <add-attr attr-name="sapoldpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <password><!-- content suppressed --></password>
> <operation-datacopy AccountTracking-logonname="user_test"
> accountAction="accountEnableByEntitlementGrant" association=""
> guid="N9BJM8SwaEdToTfQSTPEsA=="
> idtype="urn:oasis:names:tc:SPML:1:0#GenericString" objectClass="User"
> sourceDN="\IDM_TREE\Meta\Accounts\People\user_test"
> timestamp="1341323061262" userRDN="user_test"
> xmlns:es="http://www.novell.com/nxsl/ecmascript"/>
> </add>
> </input>
> </nds>
> [07/03/12 10:44:21.296]:SAP Portal GRC ST:Applying XSLT policy:
> %+C%14CNOVLPORTB-ots-SPMLOutputTransform%-C.
> [07/03/12 10:44:21.296]:SAP Portal GRC ST:Policy returned:
> [07/03/12 10:44:21.297]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20120703134421.026Z" class-name="sapuser"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2">
> <add-attr attr-name="CN">
> <value>user_test</value>
> </add-attr>
> <add-attr attr-name="firstname">
> <value timestamp="1341323060#2" type="string">user </value>
> </add-attr>
> <add-attr attr-name="lastname">
> <value timestamp="1341322680#3" type="string">test</value>
> </add-attr>
> <add-attr attr-name="logonname">
> <value timestamp="1341322680#8"
> type="string">user_test</value>
> </add-attr>
> <add-attr attr-name="sapnewpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <add-attr attr-name="sapoldpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <password><!-- content suppressed --></password>
> <operation-datacopy AccountTracking-logonname="user_test"
> accountAction="accountEnableByEntitlementGrant" association=""
> guid="N9BJM8SwaEdToTfQSTPEsA=="
> idtype="urn:oasis:names:tc:SPML:1:0#GenericString" objectClass="User"
> sourceDN="\IDM_TREE\Meta\Accounts\People\user_test"
> timestamp="1341323061262" userRDN="user_test"
> xmlns:es="http://www.novell.com/nxsl/ecmascript"/>
> </add>
> </input>
> </nds>
> [07/03/12 10:44:21.299]:SAP Portal GRC ST:Submitting document to
> subscriber shim:
> [07/03/12 10:44:21.299]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add cached-time="20120703134421.026Z" class-name="sapuser"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2">
> <add-attr attr-name="CN">
> <value>user_test</value>
> </add-attr>
> <add-attr attr-name="firstname">
> <value timestamp="1341323060#2" type="string">user </value>
> </add-attr>
> <add-attr attr-name="lastname">
> <value timestamp="1341322680#3" type="string">test</value>
> </add-attr>
> <add-attr attr-name="logonname">
> <value timestamp="1341322680#8"
> type="string">user_test</value>
> </add-attr>
> <add-attr attr-name="sapnewpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <add-attr attr-name="sapoldpassword" is-sensitive="true"><!--
> content suppressed -->
> </add-attr>
> <password><!-- content suppressed --></password>
> <operation-datacopy AccountTracking-logonname="user_test"
> accountAction="accountEnableByEntitlementGrant" association=""
> guid="N9BJM8SwaEdToTfQSTPEsA=="
> idtype="urn:oasis:names:tc:SPML:1:0#GenericString" objectClass="User"
> sourceDN="\IDM_TREE\Meta\Accounts\People\user_test"
> timestamp="1341323061262" userRDN="user_test"
> xmlns:es="http://www.novell.com/nxsl/ecmascript"/>
> </add>
> </input>
> </nds>
> [07/03/12 10:44:21.304]:SAP Portal GRC ST:SAP Portal Driver GRC: Value
> of boolean flag 'remove-existing' is : false
> [07/03/12 10:44:21.304]:SAP Portal GRC ST:SAP Portal Driver GRC:
> HTTPSubscriberTransport.send()
> [07/03/12 10:44:21.305]:SAP Portal GRC ST:SAP Portal Driver GRC:
> Preparing HTTP POST connection to
> http://10.1.20.24:50000/spml/spmlservice
> [07/03/12 10:44:21.305]:SAP Portal GRC ST:SAP Portal Driver GRC:
> Setting the following HTTP request properties:
> [07/03/12 10:44:21.305]:SAP Portal GRC ST:SAP Portal Driver GRC:
> Authorization: <credentials suppressed>
> [07/03/12 10:44:21.305]:SAP Portal GRC ST:SAP Portal Driver GRC:
> SOAPAction: #batchRequest
> [07/03/12 10:44:21.305]:SAP Portal GRC ST:SAP Portal Driver GRC:
> Content-Type: text/xml; charset=utf-8
> [07/03/12 10:44:21.306]:SAP Portal GRC ST:SAP Portal Driver GRC:
> Cookie: saplb_*=(J2EE1117500)1117550;
> JSESSIONID=(J2EE1117500)ID0862382350DB11249023567347325881End
> [07/03/12 10:44:21.306]:SAP Portal GRC ST:SAP Portal Driver GRC: Did
> HTTP POST with 1834 bytes of data to
> http://10.1.20.24:50000/spml/spmlservice
> [07/03/12 10:44:21.669]:SAP Portal GRC ST:SAP Portal Driver GRC:
> Response code and message: 200 OK
> [07/03/12 10:44:21.672]:SAP Portal GRC ST:SubscriptionShim.execute()
> returned:
> [07/03/12 10:44:21.673]:SAP Portal GRC ST:
> <nds dtdversion="2.0">
> <source>
> <product build="20100202_131201" instance="SAP Portal Driver GRC"
> version="3.6.1">Novell Identity Manager Driver 3.6.1 for SAP
> Portal</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <batchResponse errorCode="urn:oasis:names:tc:SPML:1:0#customError"
> requestID="request-1341323061262user_test"
> result="urn:oasis:names:tc:SPML:1:0#failure"
> xmlns="urn:oasis:names:tc:SPML:1:0"
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
> <errorMessage xmlns="">Exception when processing a single
> request, check log file</errorMessage>
> <status
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> level="success"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">
> <operation-data>
> <errorMessage>
> <identifier
> type="urn:oasis:names:tc:SPML:1:0#GenericString" xmlns="">
> <id>USER.PRIVATE_DATASOURCE.un:user_test</id>
> </identifier>
> <operation-data parent-node-1="addResponse" xmlns="">
> <return-to-me cached-time="20120703134421.026Z"
> class-name="sapuser" command="add"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2"/>
> </operation-data>
> </errorMessage>
> </operation-data>
> </status>
> <add-association
> dest-dn="\IDM_TREE\Meta\Accounts\People\user_test" dest-entry-id="37471"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">USER.PRIVATE_DATASOURCE.un:user_test</add-association>
> <status event-id="" level="error" type="app-general"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">urn:oasis:names:tc:SPML:1:0#noSuchIdentifier;
> No valid id to modify defined<operation-data>
> <errorMessage/>
> </operation-data>
> </status>
> </batchResponse>
> </output>
> </nds>
> [07/03/12 10:44:21.678]:SAP Portal GRC ST:Applying input transformation
> policies.
> [07/03/12 10:44:21.678]:SAP Portal GRC ST:Applying XSLT policy:
> %+C%14CNOVLPORTB-its-SPMLInputTransform%-C.
> [07/03/12 10:44:21.679]:SAP Portal GRC ST:Policy returned:
> [07/03/12 10:44:21.680]:SAP Portal GRC ST:
> <nds dtdversion="2.0">
> <source>
> <product build="20100202_131201" instance="SAP Portal Driver GRC"
> version="3.6.1">Novell Identity Manager Driver 3.6.1 for SAP
> Portal</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <batchResponse errorCode="urn:oasis:names:tc:SPML:1:0#customError"
> requestID="request-1341323061262user_test"
> result="urn:oasis:names:tc:SPML:1:0#failure"
> xmlns="urn:oasis:names:tc:SPML:1:0"
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
> <errorMessage xmlns="">Exception when processing a single
> request, check log file</errorMessage>
> <status
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> level="success"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">
> <operation-data>
> <errorMessage>
> <identifier
> type="urn:oasis:names:tc:SPML:1:0#GenericString" xmlns="">
> <id>USER.PRIVATE_DATASOURCE.un:user_test</id>
> </identifier>
> <operation-data parent-node-1="addResponse" xmlns="">
> <return-to-me cached-time="20120703134421.026Z"
> class-name="sapuser" command="add"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2"/>
> </operation-data>
> </errorMessage>
> </operation-data>
> </status>
> <add-association
> dest-dn="\IDM_TREE\Meta\Accounts\People\user_test" dest-entry-id="37471"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">USER.PRIVATE_DATASOURCE.un:user_test</add-association>
> <status event-id="" level="error" type="app-general"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">urn:oasis:names:tc:SPML:1:0#noSuchIdentifier;
> No valid id to modify defined<operation-data>
> <errorMessage/>
> </operation-data>
> </status>
> </batchResponse>
> </output>
> </nds>
> [07/03/12 10:44:21.683]:SAP Portal GRC ST:Applying policy:
> %+C%14CNOVLAUDTENTC-itp-SendEntitlementsEvents%-C.
> [07/03/12 10:44:21.683]:SAP Portal GRC ST: Applying to batchResponse
> #1.
> [07/03/12 10:44:21.684]:SAP Portal GRC ST: Evaluating selection
> criteria for rule '00031200 - Account Create By Entitlement Grant'.
> [07/03/12 10:44:21.684]:SAP Portal GRC ST: (if-operation equal
> "status") = FALSE.
> [07/03/12 10:44:21.684]:SAP Portal GRC ST: Rule rejected.
> [07/03/12 10:44:21.684]:SAP Portal GRC ST: Evaluating selection
> criteria for rule '00031201 - Account Delete By Entitlement Revoke'.
> [07/03/12 10:44:21.684]:SAP Portal GRC ST: (if-operation equal
> "status") = FALSE.
> [07/03/12 10:44:21.684]:SAP Portal GRC ST: (if-operation equal
> "status") = FALSE.
> [07/03/12 10:44:21.685]:SAP Portal GRC ST: Rule rejected.
> [07/03/12 10:44:21.685]:SAP Portal GRC ST: Evaluating selection
> criteria for rule '00031202 - Account Disable By Entitlement Revoke'.
> [07/03/12 10:44:21.685]:SAP Portal GRC ST: (if-operation equal
> "status") = FALSE.
> [07/03/12 10:44:21.685]:SAP Portal GRC ST: Rule rejected.
> [07/03/12 10:44:21.685]:SAP Portal GRC ST: Evaluating selection
> criteria for rule '00031203 - Account Enable By Entitlement Grant'.
> [07/03/12 10:44:21.686]:SAP Portal GRC ST: (if-operation equal
> "status") = FALSE.
> [07/03/12 10:44:21.686]:SAP Portal GRC ST: Rule rejected.
> [07/03/12 10:44:21.686]:SAP Portal GRC ST: Evaluating selection
> criteria for rule 'Generate Audit Event'.
> [07/03/12 10:44:21.686]:SAP Portal GRC ST: (if-operation equal
> "status") = FALSE.
> [07/03/12 10:44:21.686]:SAP Portal GRC ST: Rule rejected.
> [07/03/12 10:44:21.686]:SAP Portal GRC ST:Policy returned:
> [07/03/12 10:44:21.687]:SAP Portal GRC ST:
> <nds dtdversion="2.0">
> <source>
> <product build="20100202_131201" instance="SAP Portal Driver GRC"
> version="3.6.1">Novell Identity Manager Driver 3.6.1 for SAP
> Portal</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <batchResponse errorCode="urn:oasis:names:tc:SPML:1:0#customError"
> requestID="request-1341323061262user_test"
> result="urn:oasis:names:tc:SPML:1:0#failure"
> xmlns="urn:oasis:names:tc:SPML:1:0"
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
> <errorMessage xmlns="">Exception when processing a single
> request, check log file</errorMessage>
> <status
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> level="success"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">
> <operation-data>
> <errorMessage>
> <identifier
> type="urn:oasis:names:tc:SPML:1:0#GenericString" xmlns="">
> <id>USER.PRIVATE_DATASOURCE.un:user_test</id>
> </identifier>
> <operation-data parent-node-1="addResponse" xmlns="">
> <return-to-me cached-time="20120703134421.026Z"
> class-name="sapuser" command="add"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2"/>
> </operation-data>
> </errorMessage>
> </operation-data>
> </status>
> <add-association
> dest-dn="\IDM_TREE\Meta\Accounts\People\user_test" dest-entry-id="37471"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">USER.PRIVATE_DATASOURCE.un:user_test</add-association>
> <status event-id="" level="error" type="app-general"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">urn:oasis:names:tc:SPML:1:0#noSuchIdentifier;
> No valid id to modify defined<operation-data>
> <errorMessage/>
> </operation-data>
> </status>
> </batchResponse>
> </output>
> </nds>
> [07/03/12 10:44:21.690]:SAP Portal GRC ST:Applying policy:
> %+C%14CNOVLPORTENT-itp-InitEntitlementConfigurationResource%-C.
> [07/03/12 10:44:21.691]:SAP Portal GRC ST: Applying to batchResponse
> #1.
> [07/03/12 10:44:21.691]:SAP Portal GRC ST: Evaluating selection
> criteria for rule 'Make sure we only run once and when we're ready'.
> [07/03/12 10:44:21.691]:SAP Portal GRC ST: (if-local-variable
> 'objectClass' match ".+") = TRUE.
> [07/03/12 10:44:21.691]:SAP Portal GRC ST: (if-local-variable
> 'entConfigInitialized' equal "true") = TRUE.
> [07/03/12 10:44:21.691]:SAP Portal GRC ST: Rule selected.
> [07/03/12 10:44:21.691]:SAP Portal GRC ST: Applying rule 'Make sure
> we only run once and when we're ready'.
> [07/03/12 10:44:21.692]:SAP Portal GRC ST: Action: do-break().
> [07/03/12 10:44:21.692]:SAP Portal GRC ST:Policy returned:
> [07/03/12 10:44:21.692]:SAP Portal GRC ST:
> <nds dtdversion="2.0">
> <source>
> <product build="20100202_131201" instance="SAP Portal Driver GRC"
> version="3.6.1">Novell Identity Manager Driver 3.6.1 for SAP
> Portal</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <batchResponse errorCode="urn:oasis:names:tc:SPML:1:0#customError"
> requestID="request-1341323061262user_test"
> result="urn:oasis:names:tc:SPML:1:0#failure"
> xmlns="urn:oasis:names:tc:SPML:1:0"
> xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
> <errorMessage xmlns="">Exception when processing a single
> request, check log file</errorMessage>
> <status
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> level="success"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">
> <operation-data>
> <errorMessage>
> <identifier
> type="urn:oasis:names:tc:SPML:1:0#GenericString" xmlns="">
> <id>USER.PRIVATE_DATASOURCE.un:user_test</id>
> </identifier>
> <operation-data parent-node-1="addResponse" xmlns="">
> <return-to-me cached-time="20120703134421.026Z"
> class-name="sapuser" command="add"
> dest-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="O=Meta\OU=Accounts\OU=People\CN=user_test"
> src-dn="\IDM_TREE\Meta\Accounts\People\user_test" src-entry-id="37471"
> timestamp="1341323060#2"/>
> </operation-data>
> </errorMessage>
> </operation-data>
> </status>
> <add-association
> dest-dn="\IDM_TREE\Meta\Accounts\People\user_test" dest-entry-id="37471"
> event-id="storm-meta1#20120703134420#1#1:3f8b9e90-723b-4ee6-d587-909e8b3f3b72"
> qualified-src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> src-dn="USER.PRIVATE_DATASOURCE.un:user_test"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">USER.PRIVATE_DATASOURCE.un:user_test</add-association>
> <status event-id="" level="error" type="app-general"
> xmlns:ncs="http://www.novell.com/nxsl/java/com.novell.ncs.dirxml.utilities.Utils">urn:oasis:names:tc:SPML:1:0#noSuchIdentifier;
> No valid id to modify defined<operation-data>
> <errorMessage/>
> </operation-data>
> </status>
> </batchResponse>
> </output>
> </nds>
> [07/03/12 10:44:21.695]:SAP Portal GRC ST:Applying policy:
> %+C%14CNOVLPORTB-itp-addAssociation%-C.
> [07/03/12 10:44:21.695]:SAP Portal GRC ST: Applying to batchResponse
> #1.
> [07/03/12 10:44:21.695]:SAP Portal GRC ST: Evaluating selection
> criteria for rule 'add association'.
> [07/03/12 10:44:21.696]:SAP Portal GRC ST: (if-xpath true
> "status[1]/@level='success'") = TRUE.
> [07/03/12 10:44:21.696]:SAP Portal GRC ST: (if-xpath true
> "status[1]/*[local-name()='operation-data']/*[local-name()='errorMessage']/*[local-name()='operation-data']/*[local-name()='return-to-me']/@command='add'")
> = TRUE.
> [07/03/12 10:44:21.696]:SAP Portal GRC ST: Rule selected.
> [07/03/12 10:44:21.696]:SAP Portal GRC ST: Applying rule 'add
> association'.
> [07/03/12 10:44:21.696]:SAP Portal GRC ST: Action:
> do-add-association(direct="true",arg-dn(token-xpath("status[1]/*[local-name()='operation-data']/*[local-name()='errorMessage']/*[local-name()='operation-data']/*[local-name()='return-to-me']/@src-dn")),arg-association(token-xpath("status[1]/*[local-name()='operation-data']/*[local-name()='errorMessage']/*[local-name()='identifier']/*[local-name()='id']"))).
> [07/03/12 10:44:21.697]:SAP Portal GRC ST:
> arg-association(token-xpath("status[1]/*[local-name()='operation-data']/*[local-name()='errorMessage']/*[local-name()='identifier']/*[local-name()='id']"))
> [07/03/12 10:44:21.697]:SAP Portal GRC ST:
> token-xpath("status[1]/*[local-name()='operation-data']/*[local-name()='errorMessage']/*[local-name()='identifier']/*[local-name()='id']")
> [07/03/12 10:44:21.698]:SAP Portal GRC ST: Token Value:
> "USER.PRIVATE_DATASOURCE.un:user_test".
> [07/03/12 10:44:21.698]:SAP Portal GRC ST: Arg Value:
> "USER.PRIVATE_DATASOURCE.un:user_test".
> [07/03/12 10:44:21.698]:SAP Portal GRC ST:
> arg-dn(token-xpath("status[1]/*[local-name()='operation-data']/*[local-name()='errorMessage']/*[local-name()='operation-data']/*[local-name()='return-to-me']/@src-dn"))
> [07/03/12 10:44:21.698]:SAP Portal GRC ST:
> token-xpath("status[1]/*[local-name()='operation-data']/*[local-name()='errorMessage']/*[local-name()='operation-data']/*[local-name()='return-to-me']/@src-dn")
> [07/03/12 10:44:21.699]:SAP Portal GRC ST: Token Value:
> "\IDM_TREE\Meta\Accounts\People\user_test".
> [07/03/12 10:44:21.699]:SAP Portal GRC ST: Arg Value:
> "\IDM_TREE\Meta\Accounts\People\user_test".
> [07/03/12 10:44:21.699]:SAP Portal GRC ST: Direct command from policy
> [07/03/12 10:44:21.699]:SAP Portal GRC ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <add-association
> dest-dn="\IDM_TREE\Meta\Accounts\People\user_test">USER.PRIVATE_DATASOURCE.un:user_test</add-association>
> </input>
> </nds>
> [07/03/12 10:44:21.700]:SAP Portal GRC ST: Pumping XDS to eDirectory.
> [07/03/12 10:44:21.700]:SAP Portal GRC ST: Performing operation
> add-association for \IDM_TREE\Meta\Accounts\People\user_test.
> [07/03/12 10:44:21.704]:SAP Portal GRC ST: Processing returned
> document.
> [07/03/12 10:44:21.704]:SAP Portal GRC ST: Processing operation
> <status> for .
> [07/03/12 10:44:21.704]:SAP Portal GRC ST:
> DirXML Log Event -------------------
> Driver: \IDM_TREE\Meta\Services\DriverSet1\SAP Portal Driver
> GRC
> Channel: Subscriber
> Object: \IDM_TREE\Meta\Accounts\People\user_test
> Status: Success
> [07/03/12 10:44:21.724]:SAP Portal GRC ST: Direct command from policy
> result
> [07/03/12 10:44:21.724]:SAP Portal GRC ST:
>
>



0 Likes
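The batchResponse dumped in the trace above reports `result="...#failure"`, yet it holds one status at `level="success"` (carrying a `return-to-me` with `command="add"`) and one at `level="error"` (`noSuchIdentifier`). The Python helper below is an added example, not part of the thread or of the driver's own code. It lists each status in such a document, matching on local names the way the driver's XPath does; the sample document is trimmed from the trace and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the batchResponse from the trace, trimmed to the parts used here.
SAMPLE = r"""<nds dtdversion="2.0"><output>
<batchResponse errorCode="urn:oasis:names:tc:SPML:1:0#customError"
    result="urn:oasis:names:tc:SPML:1:0#failure" xmlns="urn:oasis:names:tc:SPML:1:0">
  <errorMessage xmlns="">Exception when processing a single request, check log file</errorMessage>
  <status level="success"><operation-data><errorMessage>
    <identifier xmlns=""><id>USER.PRIVATE_DATASOURCE.un:user_test</id></identifier>
    <operation-data xmlns="">
      <return-to-me command="add" src-dn="\IDM_TREE\Meta\Accounts\People\user_test"/>
    </operation-data>
  </errorMessage></operation-data></status>
  <status event-id="" level="error" type="app-general">urn:oasis:names:tc:SPML:1:0#noSuchIdentifier;
 No valid id to modify defined<operation-data><errorMessage/></operation-data></status>
</batchResponse></output></nds>"""


def local(tag):
    """Drop the '{namespace}' prefix, like local-name() in the driver's XPath."""
    return tag.rsplit("}", 1)[-1]


def first(values):
    return values[0] if values else None


def summarize(xml_text):
    """Return one dict per batchResponse with its result and every child status."""
    batches = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "batchResponse":
            continue
        statuses = []
        for st in (c for c in el if local(c.tag) == "status"):
            statuses.append({
                "level": st.get("level"),
                "command": first([n.get("command") for n in st.iter() if local(n.tag) == "return-to-me"]),
                "id": first([n.text for n in st.iter() if local(n.tag) == "id"]),
                "text": " ".join((st.text or "").split()),  # collapse wrapped trace lines
            })
        batches.append({"result": el.get("result", "").rsplit("#", 1)[-1], "statuses": statuses})
    return batches


def mixed_outcome(batch):
    """True when a batch carries both a success status and a non-success status."""
    levels = {s["level"] for s in batch["statuses"]}
    return "success" in levels and len(levels) > 1
```
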