Captain

Single valued entitlement with administrative defined values


Hi guys

I have the requirement to provide Basic Userinfo and HomeFolder Quota to a Database.
Userinfo part is simple, just some mapping and provisioning.

The challenge I have is with the quota.
Fixed values like 1,2,3,10,20,30,40 (GB)
Quota needs to be set based on role assignments.
No Entitlement means default Quota of 1.

My current approach is:
UserQuota Entitlement with administrative defined values looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<entitlement conflict-resolution="union" description="User Home Folder Quota in GB" display-name="UserQuota">
  <values multi-valued="false">
    <value>{"ID":"Quota","ID2":"1 GB"}</value>
    <value>{"ID":"Quota","ID2":"2 GB"}</value>
    <value>{"ID":"Quota","ID2":"3 GB"}</value>
    <value>{"ID":"Quota","ID2":"10 GB"}</value>
    <value>{"ID":"Quota","ID2":"20 GB"}</value>
    <value>{"ID":"Quota","ID2":"30 GB"}</value>
    <value>{"ID":"Quota","ID2":"40 GB"}</value>
  </values>
</entitlement>

Create Resources for each of the entitlement values and then those can be mapped to roles.
Entitlement values are then evaluated during provisioning and quota value in the DB is set.

So far so good. Resource added to user, entitlement event in the subscriber, quota is set (or set to default value on removal).


Here's the catch, let's say I start with 2 GB quota, now I request more quota: Resource 10GB is added, entitlement value is set overwriting the previous one, quota gets provisioned. However, I still have the Resource (2GB) assigned, just sitting there, not doing any harm. It also can be removed w/o any impact, as the entitlement is already gone (replaced).
This is confusing as on the IDApps Level one sees more than one quota resource assigned and does not know which one is valid.

Any suggestion on how to solve this or maybe different approach?

Cheers,
Matthias

Accepted Solutions

Knowledge Partner

The issue starts already at the role level: first assign the 5GB role, then later the 10GB role. This should actually remove the 5GB role, as only one quota=resource=role can be assigned at a time.
Basically the role model does not match your requirement 1:1, so you'd need to add some mechanism to enforce a single quota role assignment per user (or none, which would default to the 1GB role, so you can as well assign it by default).


Maybe a null driver listening to nrfAssignedRoles could remove all but the latest assigned quota role. This would only work if those roles are ever only assigned directly, though. If you had several business roles including different quota rules, you cannot just revoke the inherited lower quota role.

Which leaves a probably better approach: allow the quota entitlement to be assigned multiple times and, on your DB driver, consider only the highest assigned quota. If someone has the 1GB, 5GB and 10GB entitlements, 10GB is what counts. That would also allow falling back to lower values if an entitlement is revoked.

______________________________________________
https://www.is4it.de/identity-access-management

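The "highest assigned quota wins" evaluation from the accepted answer, written out as an added example (this is not code from the thread or from the IDM product; a real DB driver would carry this logic in a policy, and Identity Manager policies can embed ECMAScript, but the function and event names here are assumptions). It parses the JSON entitlement values exactly as the question's entitlement XML defines them, rejects anything malformed instead of guessing, returns the default of 1 GB when no quota entitlement is assigned, and replays a constructed grant/revoke sequence to show that revoking the 10 GB entitlement falls back to the still-assigned 2 GB rather than leaving the higher quota in place.

```javascript
// Added example (not from the thread): "highest assigned quota wins", as the
// accepted answer proposes for the DB driver. Function names are assumptions.

const DEFAULT_QUOTA_GB = 1; // no quota entitlement => default of 1 GB (from the question)

// Parse one entitlement value as stored in the question's entitlement XML,
// e.g. '{"ID":"Quota","ID2":"10 GB"}', and return the number of GB.
// Malformed or unexpected values yield null so they never become a quota.
function parseQuotaValue(raw) {
  let obj;
  try { obj = JSON.parse(raw); } catch (e) { return null; }
  if (!obj || obj.ID !== "Quota" || typeof obj.ID2 !== "string") return null;
  const m = /^(\d+)\s*GB$/.exec(obj.ID2.trim());
  return m ? Number(m[1]) : null;
}

// Given all currently assigned UserQuota entitlement values, return the quota
// to provision: the highest valid one, or the default when none is assigned.
function effectiveQuotaGB(assignedValues) {
  let best = null;
  for (const raw of assignedValues) {
    const gb = parseQuotaValue(raw);
    if (gb !== null && (best === null || gb > best)) best = gb;
  }
  return best === null ? DEFAULT_QUOTA_GB : best;
}

// Replay a sequence of entitlement grants/revocations and record the quota
// that would be written to the DB after each event (constructed scenario).
function simulate(events) {
  const assigned = new Set();
  const history = [];
  for (const ev of events) {
    if (ev.op === "add") assigned.add(ev.value);
    else if (ev.op === "remove") assigned.delete(ev.value);
    else throw new Error(`unknown op: ${ev.op}`);
    history.push(effectiveQuotaGB(assigned));
  }
  return history;
}

// Build a value string in the same shape as the entitlement XML above.
const quotaValue = (gb) => JSON.stringify({ ID: "Quota", ID2: `${gb} GB` });

const QUOTA_SCENARIO = [
  { op: "add", value: quotaValue(2) },      // 2 GB resource granted            -> 2
  { op: "add", value: quotaValue(10) },     // 10 GB granted, 2 GB still there  -> 10
  { op: "remove", value: quotaValue(10) },  // 10 GB revoked, falls back        -> 2
  { op: "remove", value: quotaValue(2) },   // nothing assigned                 -> 1 (default)
];

if (typeof module !== "undefined" && require.main === module) {
  console.log(simulate(QUOTA_SCENARIO));
}
```

Because the effective quota is recomputed from the full set of currently assigned entitlement values on every event, a stale lower resource that is still assigned (the 2 GB one in the question) can never keep a higher quota alive once the higher entitlement is revoked, and there is no dependence on the order in which events arrive.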

5 Replies

Knowledge Partner

>Create Resources for each of the entitlement values and then those can be mapped to roles

Have you tried creating one resource with dynamic value (I think it is called something like map value at resource request time) and then assign same resource to roles with different values?

Captain

I also considered this, but then decided against it, mainly because

* this would be a resource form and the values would be stored only on the resource

* it would mean evaluating all of the assigned resources of a user and checking for form values in the driver, losing the advantage of an entitlement, where the driver only reacts to its own entitlement

* I still would end up with multiple resources


Captain

> Which leaves a probably better approach: allow the quota entitlement to be assigned multiple times and, on your DB driver, consider only the highest assigned quota. If someone has the 1GB, 5GB and 10GB entitlements, 10GB is what counts. That would also allow falling back to lower values if an entitlement is revoked.

Thanks for the input, I will probably take that approach, so at least the resource and entitlement values are in line and transparent to the users and admins.

Admiral

I've got a couple of these, and while my solution isn't great, I feel I've found a middle ground.

I've got two Entitlements: one is just the normal Account entitlement, and the other is the AccountRole entitlement, which holds the values that are only used when the AccountRole is assigned to the user.

In the sub-cmd I then have a policy which is triggered when a user is added (<add>). It will set the 'default' value on the destination user, for example <role>default</role>. This only applies as long as the AccountRole is not assigned; if the AccountRole is assigned during the add, I take whatever that value is.

Then, when the AccountRole is assigned to the user, I take whatever value has been set that way, and if the AccountRole is removed from the user, I set the 'default' value again.

That way users are added to the destination system with one entitlement, and given non-default values with another.

I could probably make it nicer, but this is as foolproof as I can make it; also, it's simple.

The problem with having only one entitlement is that it both gives access (account) and sets different values, which could end up with a user being removed before being added again. And on one of the systems where I use this, that would not be an option (the system owner has to release pre-used usernames manually).

Cheers.
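The two-entitlement pattern described in the reply above, replayed as an added example (not code from the thread or from the IDM product). It keeps the Account entitlement and the AccountRole entitlement independent, so a change of the role value is never processed as a remove-then-add of the account, which is the failure mode the reply warns about on a system where released usernames cannot be reused automatically. The event names, the destination record shape and the role values are assumptions; a real sub-cmd policy would act on the <add>/<modify> document rather than on these plain objects.

```javascript
// Added example (not from the thread): Account entitlement grants the account,
// AccountRole entitlement carries the value, default value on <add> and on
// AccountRole removal. Event names and record shape are assumptions.

const DEFAULT_ROLE = "default"; // written on <add> and whenever AccountRole is revoked

// Destination-side state for one user: whether the account exists, the role
// value currently set, and how many times the account was deleted (should stay 0
// while only the role value changes).
function newState() {
  return { account: false, role: null, deletions: 0 };
}

// Apply one entitlement event and return the new state. Account and
// AccountRole are independent, so role changes never touch the account itself.
function applyEvent(state, ev) {
  const next = { ...state };
  switch (ev.type) {
    case "account-add":        // Account entitlement granted: create with default role
      next.account = true;
      next.role = DEFAULT_ROLE;
      break;
    case "account-remove":     // Account entitlement revoked: account goes away
      next.account = false;
      next.role = null;
      next.deletions += 1;
      break;
    case "accountrole-add":    // AccountRole granted: take whatever value it carries
      if (next.account) next.role = ev.value;
      break;
    case "accountrole-remove": // AccountRole revoked: back to default, account kept
      if (next.account) next.role = DEFAULT_ROLE;
      break;
    default:
      throw new Error(`unknown event type: ${ev.type}`);
  }
  return next;
}

// Run a sequence of events; return the role after each one and the final state,
// so a caller can confirm the account survived every value change.
function run(events) {
  let state = newState();
  const roles = [];
  for (const ev of events) {
    state = applyEvent(state, ev);
    roles.push(state.role);
  }
  return { roles, state };
}

// Constructed scenario: the role value changes twice, the account is created once.
const ROLE_SCENARIO = [
  { type: "account-add" },
  { type: "accountrole-add", value: "power" },
  { type: "accountrole-remove" },
  { type: "accountrole-add", value: "admin" },
];

if (typeof module !== "undefined" && require.main === module) {
  console.log(run(ROLE_SCENARIO));
}
```

The `deletions` counter is the property worth checking in a test of such a policy: across any sequence that only grants or revokes the AccountRole entitlement it must stay at zero, otherwise the driver is coupling access and value the way the reply describes.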
