jacmarpet1

Unable to revoke role from group in driver - Already Removed

Hello,

I am trying to revoke role assignments from groups in a driver. It fails with the following:


DirXML Log Event -------------------
Driver: \TREE\top\DriverSet01\ROLERES01
Channel: Subscriber
Status: Error
Message: Unable to remove assigned role from identity
Role: ...CN=Level30\CN=Requestable...\CN=Role01
Identity: O=top\OU=entities\...\CN=Group01
Reason: Already Removed


However, the group does actually have the role assigned.

If I log into user application and remove it from there, it works fine:


DirXML Log Event -------------------
Driver: \TREE\top\DriverSet01\ROLERES01
Channel: Subscriber
Status: Success
Message: Removed role from group
Role: ...CN=Level30\CN=Requestable...\CN=Role01
Group: O=top\OU=entities\...\CN=Group01


What I see is different is that it says "Group:" instead of "Identity:" when I remove it from the user application UI. As if it does not understand that it is a group.

I do not see anywhere that it is possible to define it as being a group that I would like to remove it from.

What is going on?

Thanks in advance,

Jacob.
geoffc (Knowledge Partner)

Re: Unable to revoke role from group in driver - Already Removed

On 1/24/2019 11:16 AM, jacmarpet wrote:
>
> Hello,
>
> I am trying to revoke role assignments from groups in a driver. It fails
> with the following:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Error
> Message: Unable to remove assigned role from identity
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Identity: O=top\OU=entities\...\CN=Group01
> Reason: Already Removed
>
> --------------------
>
>
> However, the group does actually have the role assigned.
>
> If I log into user application and remove it from there, it works fine:
>
>
> Code:
> --------------------
>
> DirXML Log Event -------------------
> Driver: \TREE\top\DriverSet01\ROLERES01
> Channel: Subscriber
> Status: Success
> Message: Removed role from group
> Role: ...CN=Level30\CN=Requestable...\CN=Role01
> Group: O=top\OU=entities\...\CN=Group01
>
> --------------------
>
>
> What I see is different is that it says "Group:" instead of "Identity:"
> when I remove it from the user application UI. As if it does not
> understand that it is a group.
>
> I do not see anywhere that it is possible to define it as being a group
> that I would like to remove it from.
>
> What is going on?


The requestRolesAssignment() SOAP call takes a bunch of parameters.
Like: Action - grant, revoke, extend
AssignmentType - which is your issue. Default is USER_TO_ROLE, in this
case you want GROUP_TO_ROLE and in 4.

In 4.5 they added a String (last line in the add/remove role tokens
definition) named role-assignment-type. Yours should be GROUP_TO_ROLE



jacmarpet1

Re: Unable to revoke role from group in driver - Already Removed

Hello Geoffrey,

I am doing the remove role from a driver, using the "remove role" option. I think the one you are talking about is from a workflow. From a driver it is not possible to choose either of those. You only specify the DN of the object, nothing else.

Jacob.
geoffc (Knowledge Partner)

Re: Unable to revoke role from group in driver - Already Removed

> Hello Geoffrey,
>
> I am doing the remove role from a driver, using the "remove role"
> option. I think the one you are talking about is from a workflow. From a
> driver it is not possible to choose either of those. You only specify
> the DN of the object, nothing else.


Ah, but there's the rub...

The Add Role/Remove Role tokens are wrappers in the engine to make a
SOAP call to requestRolesAssignment. I.e. It ain't magic.

You CAN specify the assignment type as of IDM 4.5 and higher.

<do-remove-role id="User-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
    <arg-password>
        <token-text xml:space="preserve">password</token-text>
    </arg-password>
    <!-- Omit this argument and the engine defaults to USER_TO_ROLE -->
    <arg-string name="role-assignment-type">
        <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
    </arg-string>
    <arg-string name="description">
        <token-text xml:space="preserve">Because</token-text>
    </arg-string>
    <arg-string name="effective-time">
        <token-text xml:space="preserve">$NOW</token-text>
    </arg-string>
</do-remove-role>


The key element you have been missing is this:
<arg-string name="role-assignment-type">
    <token-text xml:space="preserve">GROUP_TO_ROLE</token-text>
</arg-string>


If you do not specify, the default is USER_TO_ROLE.

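As an added example that is not part of this thread or of NetIQ's own tooling: a small Python lint that walks a DirXML-Script policy and reports every Add Role / Remove Role token together with the assignment type it will actually run with, flagging the case both replies above describe, a token without role-assignment-type (so the engine defaults to USER_TO_ROLE) inside a rule scoped to Group objects. The element and attribute names (do-remove-role, arg-string name="role-assignment-type", token-text, if-class-name) are those of DirXML-Script as seen in the snippet above; the sample policy, its rule descriptions and the placeholders UA-Admin-DN, RoleDN and UA-URL are constructed for the example.

```python
"""Lint DirXML-Script policy XML for Add Role / Remove Role tokens that fall back to the
engine default assignment type (USER_TO_ROLE) although the rule is scoped to groups."""
import xml.etree.ElementTree as ET

ROLE_TOKENS = ("do-add-role", "do-remove-role")
DEFAULT_TYPE = "USER_TO_ROLE"   # assumed by the engine when role-assignment-type is omitted
GROUP_TYPE = "GROUP_TO_ROLE"

# Constructed sample policy (not from the thread). Rule 1 mirrors the failing token from
# the question (no role-assignment-type); rule 2 mirrors the working form from the reply.
# UA-Admin-DN, RoleDN and UA-URL are placeholders for the real DNs and URL.
SAMPLE_POLICY = """\
<policy>
  <rule>
    <description>Revoke Role01 from groups - assignment type omitted</description>
    <conditions><and><if-class-name op="equal">Group</if-class-name></and></conditions>
    <actions>
      <do-remove-role id="UA-Admin-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
        <arg-password><token-text xml:space="preserve">password</token-text></arg-password>
        <arg-string name="description"><token-text xml:space="preserve">Because</token-text></arg-string>
      </do-remove-role>
    </actions>
  </rule>
  <rule>
    <description>Revoke Role01 from groups - GROUP_TO_ROLE set</description>
    <conditions><and><if-class-name op="equal">Group</if-class-name></and></conditions>
    <actions>
      <do-remove-role id="UA-Admin-DN" role-id="RoleDN" time-out="60000" url="UA-URL">
        <arg-password><token-text xml:space="preserve">password</token-text></arg-password>
        <arg-string name="role-assignment-type"><token-text xml:space="preserve">GROUP_TO_ROLE</token-text></arg-string>
        <arg-string name="effective-time"><token-text xml:space="preserve">$NOW</token-text></arg-string>
      </do-remove-role>
    </actions>
  </rule>
</policy>
"""


def literal_arg(token, name):
    """Literal text of <arg-string name=NAME><token-text>, or None if the argument is
    absent or built from a non-literal token (variable, XPath), which cannot be judged
    statically."""
    arg = token.find(f"arg-string[@name='{name}']")
    if arg is None:
        return None
    text = arg.find("token-text")
    return text.text.strip() if text is not None and text.text else None


def rule_targets_group(rule):
    """Heuristic scope check: the rule's conditions test the object class for Group."""
    return any(c.get("op") == "equal" and (c.text or "").strip() == "Group"
               for c in rule.iter("if-class-name"))


def lint_policy(policy_xml):
    """One finding per Add Role / Remove Role token: the assignment type it will run
    with, and whether that contradicts a Group-scoped rule."""
    findings = []
    for rule in ET.fromstring(policy_xml).iter("rule"):
        desc = (rule.findtext("description") or "").strip()
        for token in rule.iter():
            if token.tag not in ROLE_TOKENS:
                continue
            explicit = literal_arg(token, "role-assignment-type")
            effective = explicit or DEFAULT_TYPE
            findings.append({
                "rule": desc,
                "token": token.tag,
                "role": token.get("role-id"),
                "explicit": explicit,
                "effective": effective,
                "mismatch": rule_targets_group(rule) and effective != GROUP_TYPE,
            })
    return findings


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        flag = "MISMATCH" if f["mismatch"] else "ok"
        print(f"[{flag}] {f['token']} role={f['role']} type={f['effective']} "
              f"(explicit={f['explicit']}) in rule '{f['rule']}'")
```

Run it against an exported policy (the XML Designer shows in the policy's XML source view) to find tokens that will silently target the wrong assignment type; a token whose role-assignment-type is assembled from a variable shows explicit=None and needs a manual look, since the lint cannot resolve it statically.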
jacmarpet1

Re: Unable to revoke role from group in driver - Already Removed

Geoffrey! You are the greatest! It works like a charm. Thank you so much 🙂

Jacob.
geoffc (Knowledge Partner)

Re: Unable to revoke role from group in driver - Already Removed

On 1/25/2019 7:54 AM, jacmarpet wrote:
>
> Geoffrey! You are the greatest! It works like a charm. Thank you so much
> 🙂


Glad to help, send fish!

Then I get to say So long and Thank you for all the fish!

It was a new feature added in 4.5.

I only recently noticed that the Add Role can call the Extend
functionality as well, if you set an end date and effective date. I had
made a workflow to do that, not realizing that the Add Role had this
ability as well.

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.