Highlighted
dbuschke Super Contributor.
Super Contributor.
146 views

getting future role assignments in workflow

Jump to solution

Hi,

I am looking for a way to get all role assignments, even the ones which will be executed in the future. There is RoleVault.getRolesUserIn() but this only retrieves current active assignments. But I also have role assignments which have a future effective date. How to retrieve them?

regards

Daniel

Labels (1)
0 Likes
1 Solution

Accepted Solutions
dbuschke Super Contributor.
Super Contributor.

Re: getting future role assignments in workflow

Jump to solution

Summary, I tried 2 solutions:

1. use REST API
Works well, you have to look at the idmappsdoc for the best methods to use. Also canceling is implemented. But I feared the authentication process. You have to request a token from OSP first. This makes implementation a bit tricky. But should work.

2. use Entity Activity
I created a DAL query with filtering user (via parameter) and requests with status 25. Setting the status to 70 via Entity Activity did the trick and looked liked the easier implementation.

Thanks
Daniel

Edit: would have selected both posts as solution. But as this is not possible I accepted this summary as solution.

0 Likes
13 Replies
Knowledge Partner
Knowledge Partner

Re: getting future role assignments in workflow

Jump to solution

You could look at the nrfRequest objects, whose nrfStartTime > NOW.  That would identify them.

dbuschke Super Contributor.
Super Contributor.

Re: getting future role assignments in workflow

Jump to solution

Yeah, I've already thought about but hoped there is a "build in" method.

The request object also has attribut nrfStatus set to 25. Can anyone confirm that this meens "pending"?

regards
Daniel

0 Likes
Knowledge Partner
Knowledge Partner

Re: getting future role assignments in workflow

Jump to solution

I don’t believe the nrfStatus values have ever been publicly documented for roles. So I wouldn’t make any assumptions about those.

Alex McHugh - Knowledge Partner - Stavanger, Norway
Who are the Knowledge Partners
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
0 Likes
dbuschke Super Contributor.
Super Contributor.

Re: getting future role assignments in workflow

Jump to solution

That's what I am wondering about because they are documented for resource requests:

https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/bgewfmp.html#bgii8jx

0 Likes
Knowledge Partner
Knowledge Partner

Re: getting future role assignments in workflow

Jump to solution

And if it helps, I have bugged the doc team to do the same for Roles, I hope they do actually do it.

Knowledge Partner
Knowledge Partner

Re: getting future role assignments in workflow

Jump to solution

Yes, nrfStatus=25 means it has a pending event in the future before completeing.  50 is complete, 80 is error.

Micro Focus Expert
Micro Focus Expert

Re: getting future role assignments in workflow

Jump to solution

There is a table in the Sentinel Collector for IDM:

~~Status Codes~~ ~~Status Property~~ ~~Description~~
0 NEW_REQUEST Set by the User Application on a newly created nrfRequest object.
2 SOD_APPROVAL_START_PENDING The Role Service driver attempts to start the SoD workflow again. This is used for requests in the SOD_APPROVAL_START_SUSPENDED mode.
3 SOD_APPROVAL_START_SUSPENDED Occurs when the Role Service driver is not able to start an SoD workflow. A driver task then resets these requests to SOD_WORKFLOW_START_PENDING to retry the starting of the workflow.
5 SOD_EXCEPTION_APPROVAL_PENDING Set by the Role Service driver after successfully initiating an SoD exception workflow.
10 SOD_EXCEPTION_APPROVED Set by the SoD exception workflow when approved.
12 APPROVAL_START_PENDING The Role Service driver attempts to start the workflow. The request must be in APPROVAL_START_SUSPENDED mode.
13 APPROVAL_START_SUSPENDED Occurs when the Role Service driver is not able to start the approval workflow. A driver task then resets these requests to APPROVAL_START_PENDING to try to start the workflow again.
15 APPROVAL_PENDING Set by the Role Service driver after successfully starting role assignment workflow.
20 APPROVED Set by the role assignment workflow when approved.
25 ACTIVATION_TIME_PENDING Set by the Role Service driver after obtaining all necessary approvals and the activation time has not yet been reached.
30 PROVISION Set by the Role Service driver after all the necessary approvals have been approved and the role activation time has been reached.
50 PROVISIONED Set by the Role Service driver after a role has been provisioned.
70 CANCEL Request cancellation
75 CANCELLED Cancellation request completed
80 PROVISIONING_ERROR Set by the Role Service driver when an error occurred during provisioning/deprovisioning
90 SOD_EXCEPTION_DENIED Set by SoD exception workflow when denied.
95 DENIED Set by role assignment workflow when approved.
100 CLEANUP Set when nrfRequest workflow should be cleaned up (deleted). This is intended to be triggered by a batch process some configurable amount of time after the request has either been fulfilled or denied.
cpedersen Outstanding Contributor.
Outstanding Contributor.

Re: getting future role assignments in workflow

Jump to solution

Could "requests/history" be an option, that would give all the requests a user has made.

dbuschke Super Contributor.
Super Contributor.

Re: getting future role assignments in workflow

Jump to solution
I need to get them programmatically
0 Likes
cpedersen Outstanding Contributor.
Outstanding Contributor.

Re: getting future role assignments in workflow

Jump to solution

I was referring to the REST call "request/history" - which looks as it returns a bunch of interesting stuff. 

0 Likes
dbuschke Super Contributor.
Super Contributor.

Re: getting future role assignments in workflow

Jump to solution

Oh sorry, thought you were referencing the GUI. I had a look at it. The methods Post /requests/historyForUser and Delete /requests/history are exactly what I am looking for. I have tested this in JAVA so far but is there a nice an smooth way to include REST calls to this interface into your workflow? Yes, there is the REST activity but I see some troubles getting the authentication information. Any ideas?

regards
Daniel

0 Likes
Knowledge Partner
Knowledge Partner

Re: getting future role assignments in workflow

Jump to solution

You can get the auth info via GCV's (Note: You need a GCV to allow the retrieval of passwords GCVs) in workflow.

 

0 Likes
dbuschke Super Contributor.
Super Contributor.

Re: getting future role assignments in workflow

Jump to solution

Summary, I tried 2 solutions:

1. use REST API
Works well, you have to look at the idmappsdoc for the best methods to use. Also canceling is implemented. But I feared the authentication process. You have to request a token from OSP first. This makes implementation a bit tricky. But should work.

2. use Entity Activity
I created a DAL query with filtering user (via parameter) and requests with status 25. Setting the status to 70 via Entity Activity did the trick and looked liked the easier implementation.

Thanks
Daniel

Edit: would have selected both posts as solution. But as this is not possible I accepted this summary as solution.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.