joelburke Respected Contributor.

nrfGroupRoles not listing all groups that cause role assignment

I've run into an issue with the nrfGroupRoles attribute not being populated with all of the groups that cause a role assignment. Here is my setup.

I have a role called:
TestRole

This role has two groups directly assigned that role called:
TestGroup
TestGroup2

Now, if I add a user to TestGroup, I see the following user attribute values:

groupMembership: cn=TestGroup,ou=Groups,ou=Data,o=Dev
nrfGroupRoles: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev#0#<assignment><start_tm>20191105210853Z</start_tm><cause><group>cn=TestGroup,ou=Groups,ou=Data,o=Dev</group></cause></assignment>
nrfMemberOf: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET01,ou=Servers,o=Dev

Looks good so far. I'd expect the #0# value of the nrfGroupRoles entry to mean revoked, but that doesn't seem to be the case. Not sure, but anyways, I'll continue.

I add the user to TestGroup2. I see the following:
groupMembership: cn=TestGroup,ou=Groups,ou=Data,o=Dev
groupMembership: cn=TestGroup2,ou=Groups,ou=Data,o=Dev
nrfGroupRoles: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev#0#<assignment><start_tm>20191105210853Z</start_tm><cause><group>cn=TestGroup,ou=Groups,ou=Data,o=Dev</group></cause></assignment>
nrfMemberOf: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev

You can see that TestRole2 was not added to nrfGroupRoles.

The final piece is this. If I remove the user from TestGroup, which is in nrfGroupRoles, I get this:
groupMembership: cn=TestGroup2,ou=Groups,ou=Data,o=Dev
nrfGroupRoles: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev#0#<assignment><start_tm>20191105211740Z</start_tm><cause><group>cn=TestGroup,ou=Groups,ou=Data,o=Dev</group></cause></assignment>
nrfMemberOf: cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,cn=DRIVERSET,o=Dev

You can see the user is still assigned to nrfMemberOf. This is correct. TestGroup is still in nrfGroupRoles, which is incorrect.

I'm seeing this behavior in RRSD 4.7.0.0 and 4.7.3.0. Maybe there are other components involved that I am not aware of? I have browsed the RRSD and iMonitor traces but nothing is jumping out at me.

Any ideas? Do I have some fundamental misunderstanding of these attributes?

Knowledge Partner

Re: nrfGroupRoles not listing all groups that cause role assignment

Sounds like a RRSD bug, there have unfortunately been lots of these in recent years.

Please raise a SR to get this fixed.

Alex McHugh - Knowledge Partner - Stavanger, Norway
FT Valued Contributor.

Re: nrfGroupRoles not listing all groups that cause role assignment

Maybe a silly question, but is this incorrect state permanent? I mean, is it still wrong if you restart the RRSD or wait till it recalculates dynamic groups at the rate specified in its configuration? I found this tricky fact recently when roles granted were not provisioned to one system until dynamic groups were recalculated a bit later.

joelburke Respected Contributor.

Re: nrfGroupRoles not listing all groups that cause role assignment

I am not using dynamic groups and an RRSD restart does not correct the attribute.

I opened an SR with Microfocus and they have acknowledged this issue as a bug (1156142). They did provide workarounds:

1. Perform a migrate-from on the user on the Role and Resource Service Driver. This is a reactive measure but it works.

2. Disable the following rule in the "Convert the event into a custom command to send to the driver" policy.

<do-if>
    <arg-conditions>
        <or>
            <if-op-attr name="Group Membership" op="changing"/>
            <if-op-attr name="nrfDynamicGroupMembership" op="changing"/>
        </or>
    </arg-conditions>
    <arg-actions>
        <do-set-xml-attr expression="../nrf:*" name="changingAttribute">
            <arg-string>
                <token-text xml:space="preserve">Group Membership</token-text>
            </arg-string>
        </do-set-xml-attr>
        <do-append-xml-element expression="../nrf:*" name="driver-operational-data"/>
        <do-clone-xpath dest-expression="../nrf:*/driver-operational-data" src-expression="../modify/modify-attr"/>
    </arg-actions>
    <arg-actions/>
</do-if>

 

The second workaround is proactive. I deployed it to our development environment but I have not tested it yet.
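
A consistency check for the attribute state described in this thread, as an added example that is not part of any post and not vendor code: it parses each nrfGroupRoles value (role DN, flag, assignment XML) and compares the recorded cause groups with groupMembership, which identifies the users that need the migrate-from workaround. The function names, the caller-supplied role_groups mapping and the simplified DN normalisation are assumptions; the sample values are rebuilt from the ones quoted in the first post.

```python
import xml.etree.ElementTree as ET

def norm(dn):
    # Simplified DN normalisation (assumption): lower-case, no spaces around
    # commas. Escaped commas inside an RDN value are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_group_roles(value):
    """Split 'roleDN#flag#<assignment>...</assignment>' into its parts."""
    role_dn, flag, xml = value.split("#", 2)
    root = ET.fromstring(xml)
    causes = {norm(g.text) for g in root.findall("./cause/group") if g.text}
    return norm(role_dn), flag, root.findtext("start_tm"), causes

def audit_user(group_membership, nrf_group_roles, role_groups):
    """Return {roleDN: {"missing": [...], "stale": [...]}} for inconsistent roles.

    role_groups maps each role DN to the group DNs assigned to it; the caller
    supplies it (assumption). Roles not listed in role_groups are ignored.
    """
    member_of = {norm(g) for g in group_membership}
    recorded = {}
    for value in nrf_group_roles:
        role, _flag, _start, causes = parse_group_roles(value)
        recorded.setdefault(role, set()).update(causes)
    findings = {}
    for role, groups in role_groups.items():
        expected = {norm(g) for g in groups} & member_of  # groups that should be causes
        got = recorded.get(norm(role), set())             # groups recorded as causes
        missing, stale = sorted(expected - got), sorted(got - expected)
        if missing or stale:
            findings[norm(role)] = {"missing": missing, "stale": stale}
    return findings

# Sample data rebuilt from the values quoted in the first post.
ROLE = ("cn=TestRole,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,"
        "cn=UserApplication,cn=DRIVERSET,o=Dev")
G1 = "cn=TestGroup,ou=Groups,ou=Data,o=Dev"
G2 = "cn=TestGroup2,ou=Groups,ou=Data,o=Dev"
VALUE = (ROLE + "#0#<assignment><start_tm>20191105211740Z</start_tm>"
         "<cause><group>" + G1 + "</group></cause></assignment>")

if __name__ == "__main__":
    # State after the user was removed from TestGroup but kept in TestGroup2.
    print(audit_user([G2], [VALUE], {ROLE: [G1, G2]}))
```

A "stale" entry is a cause group the user no longer belongs to; a "missing" entry is a group that grants the role but is not recorded as a cause.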

 

 

 

 
