rahultamgadge
New Member.
613 views

Scripting Driver - Fetching unmodified attributes

Hello,

We need some help with scripting driver powershell scripts. Our environment has IDM 4.5.5 and Scripting driver 4.0.2.0.

We are able to fetch modified attributes using Modify.ps1 script in Scripting driver.

For example, upon attribute modification in the Identity Vault, to read/fetch the old or new attribute value in the Modify.ps1 script, we can do idm_geteventvalue "REMOVE_attributename" or "ADD_attributename"

$firstName= idm_geteventvalue "ADD_givenName"

Now we need to fetch other attribute values that are not modified in that particular transaction. Can someone please help with how to fetch unmodified attributes using Scripting driver scripts or any filter settings?
8 Replies
Knowledge Partner

Re: Scripting Driver - Fetching unmodified attributes

On 7/26/2018 5:54 PM, rahultamgadge wrote:
>
> Hello,
>
> We need some help with scripting driver powershell scripts. Our
> environment has IDM 4.5.5 and Scripting driver 4.0.2.0.
>
> We are able to fetch modified attributes using Modify.ps1 script in
> Scripting driver.
>
> For example, upon attribute modification in identity vault, to
> read/fetch old or new attribute value in Modify.ps1 script, we can do
> idm_geteventvalue "REMOVE_attributename" or "ADD_attributename"
>
> $firstName= idm_geteventvalue "ADD_givenName"
>
> Now we need to fetch other attribute values that are not modified in
> that particular transaction. Can someone please help with how to fetch
> unmodified attributes using Scripting driver scripts or any filter
> settings?


So a driver has two parts normally. The engine itself, which gathers
events from the vault and sends them down the Sub channel to the
application.

The shim itself that gathers events from the application and sends them
down the Pub channel.

But on both of those channels, once either end generates the events,
they are processed in Policies and Stylesheets.

You are focused on the shim side here, and inside the shim. The Scripting
driver is different from most since you can configure the shim itself
via scripts.

To fetch an unchanged attribute you would probably have a policy in the
engine which requests, via a Source Attribute or a Query token, the data
you are looking for.



Knowledge Partner

Re: Scripting Driver - Fetching unmodified attributes

rahultamgadge;2484790 wrote:
Hello,

We need some help with scripting driver powershell scripts. Our environment has IDM 4.5.5 and Scripting driver 4.0.2.0.

We are able to fetch modified attributes using Modify.ps1 script in Scripting driver.

For example, upon attribute modification in the Identity Vault, to read/fetch the old or new attribute value in the Modify.ps1 script, we can do idm_geteventvalue "REMOVE_attributename" or "ADD_attributename"

$firstName= idm_geteventvalue "ADD_givenName"

Now we need to fetch other attribute values that are not modified in that particular transaction. Can someone please help with how to fetch unmodified attributes using Scripting driver scripts or any filter settings?


Generally, IDM is built on the idea of changes. You get what changed. You don't get what didn't change. If you need something that didn't change, you query for it. Done in policy or XSLT, that can make it look like something changed, as far as the scripting driver's scripts are concerned.

What are you trying to accomplish? Post a level 3 trace of what you're doing so we can see it.
rahultamgadge
New Member.

Re: Scripting Driver - Fetching unmodified attributes

Our situation is: upon a user's department change, we want to move the user to a different OU in Active Directory. But since the user is enabled for "Protect from accidental deletion" in Active Directory, it doesn't move. I tried some options using the AD driver to disable the protection, but they didn't work. By any chance, do you have a solution using the AD driver?

I tried using PowerShell in an AD driver policy like below (the closing tag must match the opening do-set-dest-attr-value element for the policy to be well-formed):
<do-set-dest-attr-value name="PSExecute">
<arg-value type="string">
<token-text xml:space="preserve">Get-ADUser $identityname$ |Set-ADObject -ProtectedFromAccidentalDeletion:$false</token-text>
</arg-value>
</do-set-dest-attr-value>


Every time it gives some error related to Exchange 2010 services. I will post the error log as soon as I get a chance to replicate it.

So I was looking for other options and thought that using a PowerShell command in the Scripting driver could help. Upon department change I get the old and new department values in Modify.ps1, but I need sAMAccountName (this is an attribute in the Identity Vault) to run the user-specific PowerShell command to enable/disable "Protect from accidental deletion" in Active Directory.
Knowledge Partner

Re: Scripting Driver - Fetching unmodified attributes

rahultamgadge;2484842 wrote:
Our situation is: upon a user's department change, we want to move the user to a different OU in Active Directory. But since the user is enabled for "Protect from accidental deletion" in Active Directory, it doesn't move. I tried some options using the AD driver to disable the protection, but they didn't work. By any chance, do you have a solution using the AD driver?


If there's a feature that should do it, that would seem like your best bet. Why re-invent the square wheel? So, define "tried some option" and "didn't work" here. Show us the trace.


rahultamgadge;2484842 wrote:

I tried using PowerShell in an AD driver policy like below,
<do-set-dest-attr-value name="PSExecute">
<arg-value type="string">
<token-text xml:space="preserve">Get-ADUser $identityname$ |Set-ADObject -ProtectedFromAccidentalDeletion:$false</token-text>
</arg-value>
</do-set-dest-attr-value>

Every time it gives some error related to Exchange 2010 services. I will post the error log as soon as I get a chance to replicate it.


Nothing really obviously wrong about that. Again, show us the trace.


rahultamgadge;2484842 wrote:

So I was looking for other options and thought that using a PowerShell command in the Scripting driver could help. Upon department change I get the old and new department values in Modify.ps1, but I need sAMAccountName (this is an attribute in the Identity Vault) to run the user-specific PowerShell command to enable/disable "Protect from accidental deletion" in Active Directory.


Show us what you've tried. With a level trace. Guessing, something along the lines of:


if attribute "department" is changing
set dest attr "sAMAccountName" / source attr "sAMAccountName"


in the subscriber command transform would do it.

But you've now identified three options. Pick one.
Micro Focus Expert

Re: Scripting Driver - Fetching unmodified attributes

To answer the original question, you can query the Identity Vault in a script. This is described (for PowerShell) here: Querying the Identity Vault.

Sam Sampson
Novell IDM Drivers (Third-Party)
Knowledge Partner

Re: Scripting Driver - Fetching unmodified attributes

rahultamgadge;2484842 wrote:
I get the old and new department values in Modify.ps1, but I need sAMAccountName (this is an attribute in the Identity Vault) to run the user-specific PowerShell command to enable/disable "Protect from accidental deletion" in Active Directory.


As Sam suggested you can use the idmquery function as provided in the standard library with scripting driver.
However, I strongly suggest that you do as David suggested and try and enrich the XDS event via DirXML Policy before it gets to the scripting shim.
From experience, this is far faster than one or more roundtrips using the IDMPLib.ps1 query function.

It is also arguably a better design.
Alex McHugh - Knowledge Partner - Stavanger, Norway
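The approach Sam and Alex describe above, as an added example that is not code from the thread or from the Scripting driver's own library: a Modify.ps1-style handler that reads the old and new department with idm_geteventvalue (the only library function the thread shows) and takes sAMAccountName from the same event, assuming a Subscriber Command Transform rule like the one David sketched ("if department is changing, set dest attr sAMAccountName from source attr sAMAccountName") has already enriched the event so the value arrives as ADD_sAMAccountName. It then does the move the original poster wanted, clearing "Protect from accidental deletion" only for the duration of the move and restoring it afterwards. The department-to-OU map, the sample event, and the shim that stands in for idm_geteventvalue when the script runs outside the driver are all constructed for this example; the ActiveDirectory RSAT module is assumed to be installed on the Remote Loader host.

```powershell
# Added example (not from the original thread or the driver's library).
# Assumptions: sAMAccountName is present in the modify event because a Subscriber
# Command Transform rule copied it from the source object; idm_geteventvalue is the
# driver-supplied function shown in the thread (a shim below serves a constructed
# sample event when the script is run outside the driver); the OU map is sample data.

Set-StrictMode -Version 2

# Constructed sample event, used only when the driver has not defined idm_geteventvalue.
$script:SampleEvent = @{
    'REMOVE_department'  = 'Finance'
    'ADD_department'     = 'Engineering'
    'ADD_sAMAccountName' = 'jdoe'
}

if (-not (Get-Command -Name idm_geteventvalue -ErrorAction SilentlyContinue)) {
    function idm_geteventvalue([string]$Name) {
        if ($script:SampleEvent.ContainsKey($Name)) { $script:SampleEvent[$Name] } else { '' }
    }
}

# Constructed mapping of department values to target OUs (replace with your own).
$script:DepartmentOu = @{
    'Finance'     = 'OU=Finance,OU=Staff,DC=example,DC=com'
    'Engineering' = 'OU=Engineering,OU=Staff,DC=example,DC=com'
}

function Get-TargetOu {
    param([Parameter(Mandatory)][string]$Department)
    if ($script:DepartmentOu.ContainsKey($Department)) { return $script:DepartmentOu[$Department] }
    return $null   # unknown department: caller leaves the object where it is
}

function Move-ProtectedAdUser {
    # Clears accidental-deletion protection only for the move, then restores it in a
    # finally block so the object is not left unprotected if Move-ADObject fails.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TargetPath
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
    $wasProtected = [bool]$user.ProtectedFromAccidentalDeletion

    if ($user.DistinguishedName -like "*,$TargetPath") {
        Write-Verbose "$SamAccountName is already under $TargetPath; nothing to do"
        return $false
    }
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetPath")) { return $false }

    try {
        if ($wasProtected) { Set-ADObject -Identity $user -ProtectedFromAccidentalDeletion $false -ErrorAction Stop }
        Move-ADObject -Identity $user -TargetPath $TargetPath -ErrorAction Stop
    }
    finally {
        if ($wasProtected) {
            # Re-resolve by GUID: the DN has changed if the move succeeded.
            Set-ADObject -Identity $user.ObjectGUID -ProtectedFromAccidentalDeletion $true -ErrorAction SilentlyContinue
        }
    }
    return $true
}

# --- handler body, as it would run inside Modify.ps1 ---
$oldDept = idm_geteventvalue 'REMOVE_department'
$newDept = idm_geteventvalue 'ADD_department'
$sam     = idm_geteventvalue 'ADD_sAMAccountName'

if ($newDept -and $newDept -ne $oldDept) {
    if (-not $sam) { throw 'sAMAccountName missing from the event; check the Command Transform enrichment rule' }
    $target = Get-TargetOu -Department $newDept
    if ($target) {
        # -WhatIf makes this a dry run; drop it once the mapping has been verified.
        Move-ProtectedAdUser -SamAccountName $sam -TargetPath $target -Verbose -WhatIf
    } else {
        Write-Warning "No OU mapped for department '$newDept'; user $sam not moved"
    }
}
```

Reading sAMAccountName from the enriched event rather than querying the vault from the script is the design Alex recommends: the policy engine already has the object's attributes, so no extra round trip is needed, and the script stays a pure consumer of the event it is handed. The try/finally around the move matters because a failed Move-ADObject would otherwise leave the account without deletion protection.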
rahultamgadge
New Member.

Re: Scripting Driver - Fetching unmodified attributes

Thanks Sam, I am able to fetch the unmodified attributes by querying identity vault in the script in Scripting driver.


David, here is the error that I was earlier talking about when executing PowerShell from the Active Directory driver policy. Our Remote Loader runs on Windows Server 2012 R2.

[08/06/18 16:59:35.442]:ActiveDirectory ST:
<nds dtdversion="1.1" ndsversion="8.7">
<source>
<product asn1id="" build="20140409_120000" instance="\WLD-IDV-STG\system\driverset1\Active Directory Driver" version="4.0.0.4">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="IDMVAULT01#20180806215931#1#1:00a0814d-6cab-439d-aefe-4d81a000ab6c" level="error" text1="Exchange 2010" type="exchange">Exchange 2010 Exception. code:0x00000092 Error completing exchange 2010 command. ERROR: No snap-ins have been registered for Windows PowerShell version 2.</status>
<status event-id="IDMVAULT01#20180806215931#1#1:00a0814d-6cab-439d-aefe-4d81a000ab6c" level="success"/>
</output>
</nds>
Micro Focus Expert

Re: Scripting Driver - Fetching unmodified attributes

The error message references PS version 2, which is quite old. I would open a PS console on the desktop and see what version it is by viewing $PSVersionTable.

If you have a newer version, then your Scripting Driver is likely old. You can download the latest patch. It will be backwards-compatible with IDM 4.5.

If PS is old, you may need to install / upgrade Exchange Management Tools on that system.

-- Sam
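The check Sam suggests, as an added example (my script, not the driver's or the thread's): run it on the Remote Loader host in the Windows PowerShell the driver will use. It reports $PSVersionTable.PSVersion and whether the Exchange 2010 management snap-in is registered for that PowerShell, which is what the "No snap-ins have been registered for Windows PowerShell version 2" status in the trace is complaining about. The snap-in name Microsoft.Exchange.Management.PowerShell.E2010 is the one Exchange 2010 registers; the verdict wording is mine.

```powershell
# Added example (not from the thread). Diagnoses the environment behind the
# "No snap-ins have been registered for Windows PowerShell version 2" error.
function Test-Exchange2010PsEnvironment {
    param([string]$SnapinName = 'Microsoft.Exchange.Management.PowerShell.E2010')

    $psVersion = $PSVersionTable.PSVersion

    # Get-PSSnapin exists only in Windows PowerShell (not PowerShell 7+).
    # -Registered lists snap-ins installed on the machine whether or not they are loaded.
    $registered = @(Get-PSSnapin -Registered -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name)
    $hasSnapin = $registered -contains $SnapinName

    $verdict = if (-not $hasSnapin) {
        'Exchange 2010 management tools are not registered for this PowerShell: install or upgrade them on the Remote Loader host'
    } elseif ($psVersion.Major -lt 3) {
        'Snap-in is registered but this is an old Windows PowerShell; check the driver build matches it'
    } else {
        'OK: snap-in registered for a current Windows PowerShell'
    }

    [pscustomobject]@{
        PSVersion          = $psVersion.ToString()
        Is64BitProcess     = [Environment]::Is64BitProcess   # match this to the Remote Loader's bitness
        RegisteredSnapins  = $registered
        HasExchangeSnapin  = $hasSnapin
        Verdict            = $verdict
    }
}

Test-Exchange2010PsEnvironment | Format-List
```

Run it from the same bitness of PowerShell as the Remote Loader service (32- and 64-bit Windows PowerShell keep separate snap-in registrations), otherwise the result may not reflect what the driver sees.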