mjuricek1

migration from RBE to RBPM

Hi all,

...one topic which was probably discussed many times before, but I cannot find any article about it...
Older NetIQ IDM uses RBE (the Entitlement Service Driver and entitlement policies placed in a driver set). Those policies let you define very nice rules for entitlement assignment. E.g. if a user is a member of the group "group01" and the attribute "customAttribute01" is set to "TRUE", then assign the role and get the entitlement.
RBPM does not allow something like this. Or I am not aware of it. We can assign roles only to users, to groups or to containers.

Any idea how to achieve similar functionality in RBPM?
My first idea: dynamicGroups. We just need to take the memberQueryURL from the policies, define new dynamicGroups with the same filter and allow dynamicGroups in the User Application. But dynamicGroups are quite tricky, and it is probably not the best idea.

Regards,
Milan
mjuricek1

Re: migration from RBE to RBPM

OK, I found one helpful article which can help me develop a solution that allows using RBE and RBPM together.
RBE + Loopback driver will set members in the static groups, and those groups are assigned to roles. ...a bit crazy, but looks like a plan 🙂

https://www.netiq.com/communities/cool-solutions/dynamic-groups-and-rbe-driver/

any other, better idea?


BR,
Milan
Knowledge Partner

Re: migration from RBE to RBPM

mjuricek <mjuricek@no-mx.forums.microfocus.com> wrote:
>
> any other, better idea?


We went with the following (all automated via policy)


create groups (regular)
Upgrade to dynamic groups: (add aux class)
(This step is in case we ever want to ditch the dynamic group part for a
specific group)

Generate and set member query (via LDAP call, but Aaron has partly reverse
engineered the binary format that IDM sees natively).
Create level 30 role
Use add role token to assign group to role.

We optionally coded to create resource (link to entitlement and entitlement
value) and link to role hierarchy.

This works just fine - can be done manually also if only a few groups.

Migrating from RBE to RBPM can involve some coordination as you really
should revoke all existing entitlements via RBE and regrant via RRSD,
however nothing insurmountable (just need to keep target driver disabled
during this period).

We have done this at a customer and it went fine.


Alex McHugh - Knowledge Partner - Stavanger, Norway
Knowledge Partner

Re: migration from RBE to RBPM

On 4/12/2018 4:54 AM, mjuricek wrote:
>
> Hi all,
>
> ...one topic which was probably discussed many times before but I cannot
> find any article about it...
> Old NetIQ IDM is using RBE (Entitlement Service Driver and entitlement
> policies placed in a driverset). Those policies enable you to define
> very nice rules for entitlement assignment. E.g. user is member of the
> group "group01" and the attribute "customAttribute01" is set to "TRUE",
> then assign role and get entitlement.
> RBPM does not allow something like this. Or I am not aware about it. We
> can assign roles only to users, to groups or to containers.
>
> Any idea how to achieve similar functionality in RBPM?
> My first idea - dynamicGroups. We just need to take memberQueryURL from
> the policies, define new dynamicGroups with the same filter and allow
> dynamicGroups in UserApplication. But dynamicGroups are quite tricky and
> probably, it is not the best idea.


RBPM's approach to the RBE model is to define Dynamic Groups, and assign
Roles to those dynamic groups.

Then RBPM periodically re-evaluates all the dynamic groups assigned
Roles, and checks if any changes are needed. This is not 'super
efficient'; IDM 4.7 added more threads to make this less blocking and
boost performance. (I have not seen/heard any good real-world discussion
of this yet, but hope I do).

You can define a driver yourself (loopback/null) that implements the
logic and assigns group membership (see your next response) or grants
the roles (don't forget revoke as well).
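The two ideas running through this thread are (a) expressing the old RBE rule "member of group01 AND customAttribute01=TRUE" as a dynamic-group memberQueryURL, and (b) a loopback driver that keeps a static group in sync with that rule and revokes as well as grants. The following is an added example, not code from the thread, from NetIQ or from the linked Cool Solutions article: it parses an eDirectory-style memberQueryURL (an LDAP URL of the form ldap:///base?attrs?scope?filter), evaluates the filter against a handful of constructed in-memory entries, and computes the add/remove delta a sync driver would have to apply. The entries, DNs and attribute names below are constructed for illustration; the filter evaluator only supports &, |, ! and simple equality/presence assertions, and DN scoping is a simplified string comparison rather than a real DN parser.

```python
"""Added example: evaluate a dynamic-group memberQueryURL against constructed
entries and compute the grant/revoke delta for a static group.
Not part of the original forum thread, NetIQ IDM or the linked article."""
import re
from urllib.parse import unquote


def _parse(s, i):
    """Recursive-descent parser for a subset of RFC 4515 filters.
    Supports (&...), (|...), (!...), (attr=value) and presence (attr=*)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, kids), i + 1
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", node), i + 1
    j = s.index(")", i)
    attr, sep, value = s[i:j].partition("=")
    if not attr or not sep:
        raise ValueError(f"unsupported assertion: {s[i:j]!r}")
    # Attribute names are case-insensitive in LDAP; values compared below.
    return ("=", attr.lower(), value), j + 1


def parse_filter(text):
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError("trailing characters after filter")
    return node


def _match(node, entry):
    """Evaluate a parsed filter against an entry: {attr_lower: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(_match(k, entry) for k in node[1])
    if kind == "|":
        return any(_match(k, entry) for k in node[1])
    if kind == "!":
        return not _match(node[1], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values


def parse_member_query_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter_ast)."""
    m = re.match(r"^ldap://[^/]*/(.*)$", url, re.IGNORECASE)
    if not m:
        raise ValueError("not an LDAP URL")
    parts = (m.group(1).split("?") + ["", "", ""])[:4]
    base, _attrs, scope, flt = (unquote(p) for p in parts)
    scope = (scope or "base").lower()
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    return base, scope, parse_filter(flt or "(objectClass=*)")


def _in_scope(dn, base, scope):
    # Simplified DN handling: lower-cased string comparison on ',' boundaries.
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)


def evaluate_members(url, entries):
    """Return sorted DNs that the dynamic group would resolve to."""
    base, scope, flt = parse_member_query_url(url)
    return sorted(dn for dn, attrs in entries.items()
                  if _in_scope(dn, base, scope) and _match(flt, attrs))


def compute_delta(url, entries, current_members):
    """Diff desired vs. current static membership: (to_add, to_remove).
    Revocations matter as much as grants when syncing RBE-style rules."""
    desired = {dn.lower(): dn for dn in evaluate_members(url, entries)}
    current = {dn.lower(): dn for dn in current_members}
    to_add = sorted(desired[k] for k in desired.keys() - current.keys())
    to_remove = sorted(current[k] for k in current.keys() - desired.keys())
    return to_add, to_remove


# Constructed sample directory; DNs and attributes are illustrative only.
GROUP01 = "cn=group01,ou=groups,o=data"
ENTRIES = {
    "cn=alice,ou=users,o=data": {"groupmembership": [GROUP01], "customattribute01": ["TRUE"]},
    "cn=bob,ou=users,o=data": {"groupmembership": [GROUP01], "customattribute01": ["FALSE"]},
    "cn=carol,ou=users,o=data": {"customattribute01": ["TRUE"]},
    "cn=dave,ou=contractors,o=data": {"groupmembership": [GROUP01], "customattribute01": ["TRUE"]},
}
# The RBE rule from the question, expressed as a dynamic-group member query.
MEMBER_QUERY_URL = ("ldap:///ou=users,o=data??sub?"
                    "(&(groupMembership=cn=group01,ou=groups,o=data)(customAttribute01=TRUE))")

if __name__ == "__main__":
    print("resolved members:", evaluate_members(MEMBER_QUERY_URL, ENTRIES))
    print("delta vs static group:", compute_delta(MEMBER_QUERY_URL, ENTRIES, ["cn=bob,ou=users,o=data"]))
```

Running it resolves only alice (bob fails the attribute test, carol is not in group01, dave is outside the ou=users base), and against a static group currently holding bob it reports alice to add and bob to remove, which is exactly the grant-plus-revoke pair a loopback driver has to implement.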

