
creating new roles, resources, association via workflow


Hi, we have IDM 4.0.2 on Windows.

As per our requirement, we manage AD groups as roles in IDM. We do not
manage them as groups, so we don't have sync on group objects.

Example: if there are 100 groups in AD, we have created 100 roles,
resources with group values, associations and an entitlement mapping table.

So, when a role is assigned to a user, the Roles and Resource driver assigns
the resource with the group value, and the AD driver picks up the entitlement
value, gets the actual AD group from the mapping table and assigns the group
in AD.

This is working fine.

But if a few groups are created in AD in future, e.g. 5 new groups
created in AD today, we have to import them into IDM as roles and
resources and update the mapping table. As of now, we are doing it
manually.

Can this be done through an IDM workflow, where the user enters the
name of the role and the group DN in AD, and the workflow creates the Role,
Resource and Association and updates the entitlement mapping table?

Please help. Also let us know what the best approach is for our
scenario.

thanks in advance.

dk


--
dinatechmnovell
------------------------------------------------------------------------
dinatechmnovell's Profile: https://forums.netiq.com/member.php?userid=6777
View this thread: https://forums.netiq.com/showthread.php?t=51636


Re: creating new roles, resources, association via workflow


Hi dinatechmnovell

This can be done using the Role and Resource Integration activity in the
workflow.

Sanjeev Bali


--
allsol
------------------------------------------------------------------------
allsol's Profile: https://forums.netiq.com/member.php?userid=1281

Re: creating new roles, resources, association via workflow


Have you looked into the new Permissions Collection and Reconciliation
Services (http://tinyurl.com/kextgwt)? It sounds like there may be some
benefit for you to have those in place. You may be able to tweak the
code or trigger upon its events to launch your own specific processes
such as a role creation.


--
pcook
------------------------------------------------------------------------
pcook's Profile: https://forums.netiq.com/member.php?userid=429

Re: creating new roles, resources, association via workflow

On 9/3/2014 7:59 AM, pcook wrote:
>
> Have you looked into the new Permissions Collection and Reconciliation
> Services (http://tinyurl.com/kextgwt)? It sounds like there may be some
> benefit for you to have those in place. You may be able to tweak the
> code or trigger upon its events to launch your own specific processes
> such as a role creation.


It is on my list to do a detailed driver walk through of those packages.
(Long list, what can I say) But now you have me wondering, how do they
create new Role or Resource objects in policy? The Add Role token adds
a user to a Role, does not create a Role.

They could start a workflow, but I did not recall (I barely glanced, so I
could be totally off base) seeing a workflow to create roles or
resources included with it.

ECMA HTTP call to SOAP endpoint? That would be clever to see!



Re: creating new roles, resources, association via workflow


Roles, Resources and the Association are all just eDirectory objects. I
have a workflow that creates Group, nrfRole, nrfResource and
nrfResourceAssociation objects and the needed attributes for each. We
don't use the mapping tables, preferring to directly sync the groups.
The form has a select list of DNs where the groups should go. The
workflow then has several Conditions to test for which DN was chosen and
directs the flow to specific Entities for Group, Resource, Role and
Association. In each Entity, we either take flowdata (like the typed-in
name for CN, or from a select box for nrfCategoryKey) or have
hard-coded data for particular attributes like DN and
nrfEntitlementRef.

This is a very similar process as workflows that create User objects.
You're just creating eDirectory objects and setting attributes. Once you
create your Role/Resource, you'll need to refresh your Role Category if
you already have that open in your browser.

That's the idea, just create eDirectory objects. I can give more
specific details if you like.


--
stober
------------------------------------------------------------------------
stober's Profile: https://forums.netiq.com/member.php?userid=5986

Re: creating new roles, resources, association via workflow

On 9/4/2014 2:09 PM, stober wrote:
>
> Roles, Resources and the Association are all just eDirectory objects. I
> have a workflow that creates Group, nrfRole, nrfResource and
> nrfResourceAssociation objects and the needed attributes for each. We
> don't use the mapping tables, preferring to directly sync the groups.


I do not disagree. Where we run into trouble is that there is an entire
area of the User App/RBPM model that is opaque to us, on its internal
workings.

Per Steve, the company line is, "That is not supported". But that is
not entirely the question for us, is it?

We want to know what is written to the UA DB that matters about a newly
created Role, Resource, or Role-Role/Role-Resource assignment, if
anything.
If nothing, then it seems very likely not an issue for your approach.

If something, it is possible to have problems.

But we have no clue, and there appears to be no desire to answer the
question. I can live with a policy of 'we won't support that approach',
if I know it won't cause direct issues.

But I do not have enough info to know. And it does not seem to be
forthcoming.

I have seen no evidence that it matters to the DB, but that is just my
experience.



Re: creating new roles, resources, association via workflow


I questioned this approach too, specifically about the UA DB. But when
testing, I see the Role, Resource, Association in the UA and I see
requests waiting for approval (on the Roles) and all the little bits and
pieces that show in the UA. I don't know what other underlying DB stuff
might be missing, but it doesn't seem to affect function in any way
that I can see. I agree with you, I'd like more technical documentation
of what's stored in the DB vs eDirectory, how it's all linked and what
it means. For now, I've used this workflow from 3.7 through all versions
to 4.02. I'll continue using it until something changes that stops it from
functioning. Mostly because I find the Integration activity to be a
nightmare. 🙂


--
stober
------------------------------------------------------------------------
stober's Profile: https://forums.netiq.com/member.php?userid=5986

Re: creating new roles, resources, association via workflow

> to 4.02. I'll continue using it until something changes to stops it from
> functioning. Mostly because I find the integration activity to be a
> nightmare. 🙂


I happen to like the Integration Activity, but I am strange that way. 🙂




Re: creating new roles, resources, association via workflow

On 09/04/2014 04:13 PM, Geoffrey Carman wrote:
>> to 4.02. I'll continue using it until something changes to stops it from
>> functioning. Mostly because I find the integration activity to be a
>> nightmare. 🙂

>
> I happen to like the Integration Activity, but I am strange that way. 🙂
>
>
>

Greetings,
Since you are using direct LDAP create/modify, you can create objects
that will not comply with the actual schema for what a Role or Resource
should be. Therefore, one can easily create an object that will cause
massive problems either at runtime or that will not allow you to import
your UAD into Designer (I have seen this directly at a customer).

Therefore, the only supported ways to create or modify a Role or
Resource are:

User Application UI
User Application SOAP endpoints
User Application REST endpoints
RMA
rra (Catalog Administrator if you have updated to the 4.0.2A release)
Designer

Anything else is not supported and can very likely cause problems (and yes,
I have seen it).

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ
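The two approaches discussed above (stober's "just create the nrfRole, nrfResource and nrfResourceAssociation objects and add a mapping-table row", and Steven Williams' warning that hand-built objects can violate the schema) both come down to validating what the form hands you before anything touches eDirectory. The example below is added here and is not code from the thread or from NetIQ: it takes the original poster's inputs (role name, AD group DN), refuses names and DNs that would produce malformed objects, merges new rows into a copy of the entitlement mapping table XML without creating duplicate keys or double-mapped groups, and emits RFC 2849 LDIF for the three objects so they can be reviewed (or loaded with a supported tool) rather than written blindly. The container DNs, the two mapping-table column names, the objectClass values and the nrfEntitlementRef value layout are assumptions marked in the code; check them against an existing role and resource in your own tree before using any of this.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Assumed container DNs and entitlement DN (constructed for this example).
ROLE_BASE = "cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system"
RES_BASE = "cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system"
ASSOC_BASE = "cn=ResourceAssociations,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system"
ENTITLEMENT_DN = "cn=Group,cn=ADDriver,cn=driverset1,o=system"

# Constructed sample of an IDM mapping table; column names are assumptions.
SAMPLE_TABLE = """<mapping-table>
  <col-def name="entitlementValue" type="nocase"/>
  <col-def name="groupDN" type="nocase"/>
  <row><col>Finance</col><col>CN=Finance,OU=Groups,DC=example,DC=com</col></row>
  <row><col>Marketing</col><col>CN=Marketing,OU=Groups,DC=example,DC=com</col></row>
</mapping-table>"""

# An AD group DN: a CN, optional OU/CN containers, then at least one DC.
AD_GROUP_DN = re.compile(r"^CN=[^,]+(,(OU|CN)=[^,]+)*(,DC=[^,]+)+$", re.IGNORECASE)
# Role names become CN values; keep out DN metacharacters (, + " \ < > ; =).
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$")


def validate_request(role_name, group_dn):
    """Reject form input that would yield a malformed CN or a non-group DN."""
    if not SAFE_NAME.match(role_name):
        raise ValueError(f"role name not allowed: {role_name!r}")
    if not AD_GROUP_DN.match(group_dn):
        raise ValueError(f"not an AD group DN: {group_dn!r}")


def parse_mapping_table(xml_text):
    """Return {entitlement value (lower-cased): group DN} from the table XML."""
    root = ET.fromstring(xml_text)
    cols = [c.get("name") for c in root.findall("col-def")]
    if cols != ["entitlementValue", "groupDN"]:
        raise ValueError(f"unexpected columns {cols}")
    table = {}
    for row in root.findall("row"):
        key, dn = [c.text or "" for c in row.findall("col")]
        table[key.lower()] = dn
    return table


def add_mapping_rows(xml_text, entries):
    """Append a row per new (value, DN) pair; return (xml, added, skipped).

    A value that already exists is skipped (the table is 'nocase', so the
    comparison is case-insensitive); a DN already mapped under a different
    value is an error, since two roles would then grant the same group.
    """
    root = ET.fromstring(xml_text)
    by_value = parse_mapping_table(xml_text)
    by_dn = {dn.lower(): value for value, dn in by_value.items()}
    added, skipped = [], []
    for value, dn in entries:
        validate_request(value, dn)
        if value.lower() in by_value:
            skipped.append(value)
            continue
        if dn.lower() in by_dn:
            raise ValueError(f"{dn} already mapped under {by_dn[dn.lower()]!r}")
        row = ET.SubElement(root, "row")
        ET.SubElement(row, "col").text = value
        ET.SubElement(row, "col").text = dn
        by_value[value.lower()] = dn
        by_dn[dn.lower()] = value
        added.append(value)
    return ET.tostring(root, encoding="unicode"), added, skipped


def ldif_line(attr, value):
    """RFC 2849: base64-encode values LDIF cannot carry literally."""
    unsafe = value.startswith((" ", ":", "<")) or any(
        ord(ch) > 126 or ch in "\r\n\0" for ch in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def build_ldif(role_name, group_dn):
    """LDIF adds for the role, resource and association of one AD group.

    Only the attributes the thread names are set; the nrfEntitlementRef
    layout and the remaining nrf* attributes a real object needs are
    assumptions to be confirmed against an existing resource.
    """
    validate_request(role_name, group_dn)
    role_dn = f"cn={role_name},{ROLE_BASE}"
    res_dn = f"cn={role_name},{RES_BASE}"
    entitlement_ref = f"{ENTITLEMENT_DN}#0#{role_name}"  # assumed layout
    objects = [
        (role_dn, [("objectClass", "nrfRole"), ("cn", role_name),
                   ("nrfCategoryKey", "system")]),
        (res_dn, [("objectClass", "nrfResource"), ("cn", role_name),
                  ("nrfEntitlementRef", entitlement_ref)]),
        (f"cn={role_name},{ASSOC_BASE}",
         [("objectClass", "nrfResourceAssociation"), ("cn", role_name),
          ("nrfRole", role_dn), ("nrfResource", res_dn)]),
    ]
    blocks = []
    for dn, attrs in objects:
        lines = [ldif_line("dn", dn), "changetype: add"]
        lines += [ldif_line(a, v) for a, v in attrs]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    new_groups = [("HR-Admins", "CN=HR Admins,OU=Groups,DC=example,DC=com")]
    xml, added, skipped = add_mapping_rows(SAMPLE_TABLE, new_groups)
    print(xml)
    for name, dn in new_groups:
        print(build_ldif(name, dn))
```

The point of the two checks in `add_mapping_rows` is the failure mode the thread circles around: a second row for an existing value, or a second value for the same group, is exactly what hand-editing the table and hand-creating objects tends to produce, and nothing in eDirectory stops you. Review the LDIF, or feed the validated values to one of the supported creation paths, instead of writing the objects straight from a workflow entity.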