karmst2

Absent Member.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-04-02
19:38
462 views
Wonkiness with nrfGroupRoles and directly assigned Roles
Hello,
IDM 4.7.1.1 AE, both User Application and Engine.
I have an ongoing issue where it appears that the Roles and Resources Service Driver is misinterpreting Role assignments. The scenario I will describe worked with IDM 4.0.2.
The scenario is thus. Let's take a simple example of a User, but I believe this will apply to many Users.
We have a User who has been assigned an I.T. Role, and the I.T. Role has a Permission Role assigned. The Permission Role, in turn. has a Resource and an associated Entitlement.
The 2 tests I ran have 3 steps each.
1.1 - Add User to Group
1.2 - Add User to Role
1.3 - Remove User from Group
2.1 - Add User to Role
2.2 - Add User to Group
2.3 - Remove User from Role
The Group has an associated I.T. Role (nrfAssociatedRoles) which is setup, at the Resource and Entitlement level, exactly the same as the directly assigned Role.
What I am finding is that when the User is removed from the Role (Test 1) or Removed from the Group (Test 2), the Resource (and therefore the entitlement) are also removed.
For Test 1, I would expect the User to remain with the Resource and Entitlement because the User is still part of the Role that has the Resource and Entitlement linked to the Permission Role.
For Test 2, I would expect the User to remain with the Resource and Entitlement because the User is still part of the Group that has the Resource and Entitlement linked to the Permission Role which is assigned due to the nrfAssignedRoles pointing to the I.T. Role.
The screenshots of the tests are https://owncloud.belkast.com/index.php/s/1PFGupGR4VcR96u
Password is MicroFocus
Compare 1.1 - Add User to Group.png with 2.3 - Remove User from Role.png.
The attributes should be the same, because the end result is that the User is a member of the BWISE Group.
But, even though the nrfGroupRoles, nrfInheritedRoles, and nrfMemberOf attributes are all the same in 3.2 as they are in 1.1, the Resource has been taken off.
Thanks for any help or insight in advance!
-K
IDM 4.7.1.1 AE, both User Application and Engine.
I have an ongoing issue where it appears that the Roles and Resources Service Driver is misinterpreting Role assignments. The scenario I will describe worked with IDM 4.0.2.
The scenario is thus. Let's take a simple example of a User, but I believe this will apply to many Users.
We have a User who has been assigned an I.T. Role, and the I.T. Role has a Permission Role assigned. The Permission Role, in turn. has a Resource and an associated Entitlement.
The 2 tests I ran have 3 steps each.
1.1 - Add User to Group
1.2 - Add User to Role
1.3 - Remove User from Group
2.1 - Add User to Role
2.2 - Add User to Group
2.3 - Remove User from Role
The Group has an associated I.T. Role (nrfAssociatedRoles) which is setup, at the Resource and Entitlement level, exactly the same as the directly assigned Role.
What I am finding is that when the User is removed from the Role (Test 1) or Removed from the Group (Test 2), the Resource (and therefore the entitlement) are also removed.
For Test 1, I would expect the User to remain with the Resource and Entitlement because the User is still part of the Role that has the Resource and Entitlement linked to the Permission Role.
For Test 2, I would expect the User to remain with the Resource and Entitlement because the User is still part of the Group that has the Resource and Entitlement linked to the Permission Role which is assigned due to the nrfAssignedRoles pointing to the I.T. Role.
The screenshots of the tests are https://owncloud.belkast.com/index.php/s/1PFGupGR4VcR96u
Password is MicroFocus
Compare 1.1 - Add User to Group.png with 2.3 - Remove User from Role.png.
The attributes should be the same, because the end result is that the User is a member of the BWISE Group.
But, even though the nrfGroupRoles, nrfInheritedRoles, and nrfMemberOf attributes are all the same in 3.2 as they are in 1.1, the Resource has been taken off.
Thanks for any help or insight in advance!
-K
3 Replies


Knowledge Partner
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-04-03
12:22
I think you should open uo an SR for this. It should work.
Could be related ti this discussion:
https://forums.novell.com/showthread.php/511671-Role-not-processing-add-removes-from-assigned-eDir-Group
Could be related ti this discussion:
https://forums.novell.com/showthread.php/511671-Role-not-processing-add-removes-from-assigned-eDir-Group
karmst2

Absent Member.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-04-03
14:48
Thanks for sending on the link to the other thread, Joakim.
We will open an SR.
-K
We will open an SR.
-K


Knowledge Partner
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
2019-04-04
08:05
Keith,
Try RRSD patch 472 - this looked to be related to your issue. Bug 1105072: RRSD Driver: Removing users from group having parent role assignments removes overlapping child roles from group members.
Alex
Try RRSD patch 472 - this looked to be related to your issue. Bug 1105072: RRSD Driver: Removing users from group having parent role assignments removes overlapping child roles from group members.
Alex
Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.