jacmarpet1

Absent Member.
2019-01-24
16:15
531 views
Unable to revoke role from group in driver - Already Removed
Hello,
I am trying to revoke role assignments from groups in a driver. It fails with the following:
DirXML Log Event -------------------
Driver: \TREE\top\DriverSet01\ROLERES01
Channel: Subscriber
Status: Error
Message: Unable to remove assigned role from identity
Role: ...CN=Level30\CN=Requestable...\CN=Role01
Identity: O=top\OU=entities\...\CN=Group01
Reason: Already Removed
However, the group does actually have the role assigned.
If I log into user application and remove it from there, it works fine:
DirXML Log Event -------------------
Driver: \TREE\top\DriverSet01\ROLERES01
Channel: Subscriber
Status: Success
Message: Removed role from group
Role: ...CN=Level30\CN=Requestable...\CN=Role01
Group: O=top\OU=entities\...\CN=Group01
What I see is different is that it says "Group:" instead of "Identity:" when I remove it from the user application UI. As if it does not understand that it is a group.
I do not see anywhere that it is possible to define it as being a group that I would like to remove it from.
What is going on?
Thanks in advance,
Jacob.
5 Replies


Knowledge Partner
2019-01-24
18:03
On 1/24/2019 11:16 AM, jacmarpet wrote:
>
> Hello,
>
> I am trying to revoke role assignments from groups in a driver. It fails
> with the following:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Error
> Message: Unable to remove assigned role from identity
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Identity: O=top\OU=entities\...\CN=Group01
> Reason: Already Removed
>
> --------------------
>
>
> However, the group does actually have the role assigned.
>
> If I log into user application and remove it from there, it works fine:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Success
> Message: Removed role from group
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Group: O=top\OU=entities\...\CN=Group01
>
> --------------------
>
>
> What is see is different is that it says "Group:" instead of "Identity:"
> when I remove it from the user application UI. As if it does not
> understand that it is a group.
>
> I do not see anywhere that it is possible to define it as being a group
> that I would like to remove it from.
>
> What is going on?
The requestRolesAssignment() SOAP call takes a bunch of parameters.
Like: Action - grant, revoke, extend
AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
case you want GROUP_TO_ROLE and in 4.
In 4.5 they added a String (last line in the add.remove role tokens
definition) named role-assignment-type. Yours should be GROUP_TO_ROLE
jacmarpet1

Absent Member.
2019-01-24
20:55
geoffc;2494275 wrote:
On 1/24/2019 11:16 AM, jacmarpet wrote:
>
> Hello,
>
> I am trying to revoke role assignments from groups in a driver. It fails
> with the following:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Error
> Message: Unable to remove assigned role from identity
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Identity: O=top\OU=entities\...\CN=Group01
> Reason: Already Removed
>
> --------------------
>
>
> However, the group does actually have the role assigned.
>
> If I log into user application and remove it from there, it works fine:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Success
> Message: Removed role from group
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Group: O=top\OU=entities\...\CN=Group01
>
> --------------------
>
>
> What is see is different is that it says "Group:" instead of "Identity:"
> when I remove it from the user application UI. As if it does not
> understand that it is a group.
>
> I do not see anywhere that it is possible to define it as being a group
> that I would like to remove it from.
>
> What is going on?
The requestRolesAssigment() SOAP call takes a bunch of parameters.
Like: Action - grant, revoke, extend
AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
case you want GROUP_TO_ROLE and in 4.
In 4.5 they added a String (last line in the add.remove role tokens
definition) named role-assignment-type. Yours should be GROUP_TO_ROLE
Hello Geoffey,
I am doing the remove role from a driver, using the "remove role" option. I think the one you are talking about is from a workflow. From a driver it is not possible to choose either of those. You only specify the DN of the object, nothing else.
Jacob.


Knowledge Partner
2019-01-24
22:21
>> The requestRolesAssigment() SOAP call takes a bunch of parameters.
>> Like: Action - grant, revoke, extend
>> AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
>> case you want GROUP_TO_ROLE and in 4.
>>
>> In 4.5 they added a String (last line in the add.remove role tokens
>> definition) named role-assignment-type. Yours should be GROUP_TO_ROLE
>
> Hello Geoffey,
>
> I am doing the remove role from a driver, using the "remove role"
> option. I think the one you are talking about is from a workflow. From a
> driver it is not possible to choose either of those. You only specify
> the DN of the object, nothing else.
Ah, but there's the rub...
The Add Role/Remove Role tokens are wrappers in the engine to make a
SOAP call to requestRolesAssignment. I.e. It ain't magic.
You CAN specify the assignment type as of IDM 4.5 and higher.
<do-remove-role id="User-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
    <arg-password>
        <token-text xml:space="preserve">password</token-text>
    </arg-password>
    <arg-string name="role-assignment-type">
        <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
    </arg-string>
    <arg-string name="description">
        <token-text xml:space="preserve">Because</token-text>
    </arg-string>
    <arg-string name="effective-time">
        <token-text xml:space="preserve">$NOW</token-text>
    </arg-string>
</do-remove-role>
The key element you have been missing is this:
<arg-string name="role-assignment-type">
    <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>
If you do not specify, the default is USER_TO_ROLE.
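As an added example (not code from this thread or from NetIQ), a small Python lint over a constructed DirXML-Script policy fragment: it finds Add Role / Remove Role tokens that carry no role-assignment-type arg-string, reports the USER_TO_ROLE default they will silently send, and emits the token with GROUP_TO_ROLE added, which is the fix described above. Element and attribute names follow geoffc's snippet; the policy wrapper, DNs and the SAMPLE_POLICY text are constructed.

```python
import xml.etree.ElementTree as ET
# Names from the thread: the arg-string the engine reads and its default.
ASSIGNMENT_ARG = "role-assignment-type"
DEFAULT_ASSIGNMENT = "USER_TO_ROLE"
ROLE_TOKENS = ("do-add-role", "do-remove-role")
# Constructed sample (not from the thread): the first token omits the arg,
# the shape that produced "Already Removed" when the target was a group.
SAMPLE_POLICY = """<policy><rule><actions>
<do-remove-role id="Group-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
 <arg-password><token-text xml:space="preserve">password</token-text></arg-password>
</do-remove-role>
<do-remove-role id="Group-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
 <arg-password><token-text xml:space="preserve">password</token-text></arg-password>
 <arg-string name="role-assignment-type">
  <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
 </arg-string>
</do-remove-role>
</actions></rule></policy>"""

def role_tokens(root):
    """Every Add Role / Remove Role token under root, grouped by token type."""
    return [t for tag in ROLE_TOKENS for t in root.iter(tag)]

def _assignment_arg(token):
    return next((a for a in token.findall("arg-string")
                 if a.get("name") == ASSIGNMENT_ARG), None)

def assignment_type(token):
    """Type the SOAP call will carry: the explicit value, else the engine default."""
    arg = _assignment_arg(token)
    text = arg.findtext("token-text") if arg is not None else None
    return (text or "").strip() or DEFAULT_ASSIGNMENT

def assignment_types(policy_xml):
    return [assignment_type(t) for t in role_tokens(ET.fromstring(policy_xml))]

def audit_policy(policy_xml):
    """(tag, role-id, effective type) for tokens that rely on the implicit
    default; each of those will treat a group target as a user."""
    return [(t.tag, t.get("role-id"), assignment_type(t))
            for t in role_tokens(ET.fromstring(policy_xml))
            if _assignment_arg(t) is None]

def fix_policy(policy_xml, value="GROUP_TO_ROLE"):
    """Return the policy with role-assignment-type added where it was missing."""
    root = ET.fromstring(policy_xml)
    for token in role_tokens(root):
        if _assignment_arg(token) is None:
            arg = ET.SubElement(token, "arg-string", name=ASSIGNMENT_ARG)
            ET.SubElement(arg, "token-text", {"xml:space": "preserve"}).text = value
    return ET.tostring(root, encoding="unicode")
```

Running audit_policy on an exported policy before deploying a Role and Resource driver change catches the silent default; fix_policy shows the corrected token to paste back into Designer.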
jacmarpet1

Absent Member.
2019-01-25
12:51
geoffc;2494296 wrote:
>> The requestRolesAssigment() SOAP call takes a bunch of parameters.
>> Like: Action - grant, revoke, extend
>> AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
>> case you want GROUP_TO_ROLE and in 4.
>>
>> In 4.5 they added a String (last line in the add.remove role tokens
>> definition) named role-assignment-type. Yours should be GROUP_TO_ROLE
>
> Hello Geoffey,
>
> I am doing the remove role from a driver, using the "remove role"
> option. I think the one you are talking about is from a workflow. From a
> driver it is not possible to choose either of those. You only specify
> the DN of the object, nothing else.
Ah, but there's the rub...
The Add Role/Remove Role tokens are wrappers in the engine to make a
SOAP call to requestRolesAssignment. I.e. It ain't magic.
You CAN specify the assignment type as of IDM 4.5 and higher.
<do-remove-role id="User-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
<arg-password>
<token-text xml:space="preserve">password</token-text>
</arg-password>
<arg-string name="role-assignment-type">
<token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>
<arg-string name="description">
<token-text xml:space="preserve">Because</token-text>
</arg-string>
<arg-string name="effective-time">
<token-text xml:space="preserve">$NOW</token-text>
</arg-string>
</do-remove-role>
The key element you have been missing is this:
<arg-string name="role-assignment-type">
<token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>
If you do not specify, the default is USER_TO_ROLE.
Geoffrey! You are the greatest! It works like a charm. Thank you so much 🙂
Jacob.


Knowledge Partner
2019-01-25
13:20
On 1/25/2019 7:54 AM, jacmarpet wrote:
>
> geoffc;2494296 Wrote:
>>>> The requestRolesAssigment() SOAP call takes a bunch of parameters.
>>>> Like: Action - grant, revoke, extend
>>>> AssignmentType - which is your issue. Default is USER_TO_ROLE, in
>> this
>>>> case you want GROUP_TO_ROLE and in 4.
>>>>
>>>> In 4.5 they added a String (last line in the add.remove role tokens
>>>> definition) named role-assignment-type. Yours should be
>> GROUP_TO_ROLE
>>>
>>> Hello Geoffey,
>>>
>>> I am doing the remove role from a driver, using the "remove role"
>>> option. I think the one you are talking about is from a workflow. From
>> a
>>> driver it is not possible to choose either of those. You only specify
>>> the DN of the object, nothing else.
>>
>> Ah, but there's the rub...
>>
>> The Add Role/Remove Role tokens are wrappers in the engine to make a
>> SOAP call to requestRolesAssignment. I.e. It ain't magic.
>>
>> You CAN specify the assignment type as of IDM 4.5 and higher.
>>
>> <do-remove-role id="User-DN" role-id="RoleDN" time-out="60000"
>> url="UA-URL">
>> <arg-password>
>> <token-text xml:space="preserve">password</token-text>
>> </arg-password>
>> <arg-string name="role-assignment-type">
>> <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
>> </arg-string>
>> <arg-string name="description">
>> <token-text xml:space="preserve">Because</token-text>
>> </arg-string>
>> <arg-string name="effective-time">
>> <token-text xml:space="preserve">$NOW</token-text>
>> </arg-string>
>> </do-remove-role>
>>
>>
>>
>> The key element you have been missing is this:
>> <arg-string name="role-assignment-type">
>> <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
>> </arg-string>
>>
>>
>> If you do not specify, the default is USER_TO_ROLE.
>
> Geoffrey! You are the greatest! It works like a charm. Thank you so much
> 🙂
Glad to help, send fish!
Then I get to say So long and Thank you for all the fish!
It was a new feature added in 4.5.
I only recently noticed that the Add Role can call the Extend
functionality as well, if you set an end date and effective date. I had
made a workflow to do that, not realizing that the Add Role had this
ability as well.