geoffc;2494275 wrote:
On 1/24/2019 11:16 AM, jacmarpet wrote:
>
> Hello,
>
> I am trying to revoke role assignments from groups in a driver. It fails
> with the following:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Error
> Message: Unable to remove assigned role from identity
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Identity: O=top\OU=entities\...\CN=Group01
> Reason: Already Removed
>
> --------------------
>
>
> However, the group does actually have the role assigned.
>
> If I log into user application and remove it from there, it works fine:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Success
> Message: Removed role from group
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Group: O=top\OU=entities\...\CN=Group01
>
> --------------------
>
>
> What is see is different is that it says "Group:" instead of "Identity:"
> when I remove it from the user application UI. As if it does not
> understand that it is a group.
>
> I do not see anywhere that it is possible to define it as being a group
> that I would like to remove it from.
>
> What is going on?

The requestRolesAssigment() SOAP call takes a bunch of parameters.
Like: Action - grant, revoke, extend
AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
case you want GROUP_TO_ROLE and in 4.

In 4.5 they added a String (last line in the add.remove role tokens
definition) named role-assignment-type. Yours should be GROUP_TO_ROLE

Hello Geoffey,

I am doing the remove role from a driver, using the "remove role" option. I think the one you are talking about is from a workflow. From a driver it is not possible to choose either of those. You only specify the DN of the object, nothing else.

Jacob.

>> The requestRolesAssigment() SOAP call takes a bunch of parameters.
>> Like: Action - grant, revoke, extend
>> AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
>> case you want GROUP_TO_ROLE and in 4.
>>
>> In 4.5 they added a String (last line in the add.remove role tokens
>> definition) named role-assignment-type. Yours should be GROUP_TO_ROLE
>
> Hello Geoffey,
>
> I am doing the remove role from a driver, using the "remove role"
> option. I think the one you are talking about is from a workflow. From a
> driver it is not possible to choose either of those. You only specify
> the DN of the object, nothing else.

Ah, but there's the rub...

The Add Role/Remove Role tokens are wrappers in the engine to make a
SOAP call to requestRolesAssignment. I.e. It ain't magic.

You CAN specify the assignment type as of IDM 4.5 and higher.

<do-remove-role id="User-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
<arg-password>
<token-text xml:space="preserve">password</token-text>
</arg-password>
<arg-string name="role-assignment-type">
<token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>
<arg-string name="description">
<token-text xml:space="preserve">Because</token-text>
</arg-string>
<arg-string name="effective-time">
<token-text xml:space="preserve">$NOW</token-text>
</arg-string>
</do-remove-role>



The key element you have been missing is this:
<arg-string name="role-assignment-type">
<token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>


If you do not specify, the default is USER_TO_ROLE.

geoffc;2494296 wrote:
>> The requestRolesAssigment() SOAP call takes a bunch of parameters.
>> Like: Action - grant, revoke, extend
>> AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
>> case you want GROUP_TO_ROLE and in 4.
>>
>> In 4.5 they added a String (last line in the add.remove role tokens
>> definition) named role-assignment-type. Yours should be GROUP_TO_ROLE
>
> Hello Geoffey,
>
> I am doing the remove role from a driver, using the "remove role"
> option. I think the one you are talking about is from a workflow. From a
> driver it is not possible to choose either of those. You only specify
> the DN of the object, nothing else.

Ah, but there's the rub...

The Add Role/Remove Role tokens are wrappers in the engine to make a
SOAP call to requestRolesAssignment. I.e. It ain't magic.

You CAN specify the assignment type as of IDM 4.5 and higher.

<do-remove-role id="User-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
<arg-password>
<token-text xml:space="preserve">password</token-text>
</arg-password>
<arg-string name="role-assignment-type">
<token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>
<arg-string name="description">
<token-text xml:space="preserve">Because</token-text>
</arg-string>
<arg-string name="effective-time">
<token-text xml:space="preserve">$NOW</token-text>
</arg-string>
</do-remove-role>



The key element you have been missing is this:
<arg-string name="role-assignment-type">
<token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>


If you do not specify, the default is USER_TO_ROLE.

Geoffrey! You are the greatest! It works like a charm. Thank you so much 🙂

Jacob.

On 1/25/2019 7:54 AM, jacmarpet wrote:
>
> geoffc;2494296 Wrote:
>>>> The requestRolesAssigment() SOAP call takes a bunch of parameters.
>>>> Like: Action - grant, revoke, extend
>>>> AssignmentType - which is your issue. Default is USER_TO_ROLE, in
>> this
>>>> case you want GROUP_TO_ROLE and in 4.
>>>>
>>>> In 4.5 they added a String (last line in the add.remove role tokens
>>>> definition) named role-assignment-type. Yours should be
>> GROUP_TO_ROLE
>>>
>>> Hello Geoffey,
>>>
>>> I am doing the remove role from a driver, using the "remove role"
>>> option. I think the one you are talking about is from a workflow. From
>> a
>>> driver it is not possible to choose either of those. You only specify
>>> the DN of the object, nothing else.
>>
>> Ah, but there's the rub...
>>
>> The Add Role/Remove Role tokens are wrappers in the engine to make a
>> SOAP call to requestRolesAssignment. I.e. It ain't magic.
>>
>> You CAN specify the assignment type as of IDM 4.5 and higher.
>>
>> <do-remove-role id="User-DN" role-id="RoleDN" time-out="60000"
>> url="UA-URL">
>> <arg-password>
>> <token-text xml:space="preserve">password</token-text>
>> </arg-password>
>> <arg-string name="role-assignment-type">
>> <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
>> </arg-string>
>> <arg-string name="description">
>> <token-text xml:space="preserve">Because</token-text>
>> </arg-string>
>> <arg-string name="effective-time">
>> <token-text xml:space="preserve">$NOW</token-text>
>> </arg-string>
>> </do-remove-role>
>>
>>
>>
>> The key element you have been missing is this:
>> <arg-string name="role-assignment-type">
>> <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
>> </arg-string>
>>
>>
>> If you do not specify, the default is USER_TO_ROLE.
>
> Geoffrey! You are the greatest! It works like a charm. Thank you so much
> 🙂

Glad to help, send fish!

Then I get to say So long and Thank you for all the fish!

It was a new feature added in 4.5.

I only recently noticed that the Add Role can call the Extend
functionality as well, if you set a end date and effective date. I had
made a workflow to do that, not realizing that the Add Role had this
ability as well.