
parameter-format="idm4" and administrator-defined-values

Is this combination supported? Or is idm4 parameter format only allowed
with query based values (values from the application)?

I ask this because I get an error "Unable to complete the CODE MAP
refresh for entitlement:" when I run a refresh of entitlement values.

If I change the parameter format back to legacy, then the error goes away.


ERROR [RBPM] [com.novell.idm.nrf.service.CodeMapEngine:updateEntitlementToCodeMapView] Unable to complete the CODE MAP refresh for entitlement:
INFO [RBPM] [com.novell.idm.nrf.service.CodeMapEngine:refreshCodeMap] Unable to complete the CODE MAP refresh for entitlement: cn=aseaccount,c
Alex McHugh - Knowledge Partner - Stavanger, Norway

Re: parameter-format="idm4" and administrator-defined-values

On 16.03.2012 11:36, Alex McHugh wrote:
> Is this combination supported? Or is idm4 parameter format only allowed
> with query based values (values from the application)?
>
> I ask this because I get an error "Unable to complete the CODE MAP
> refresh for entitlement:" when I run a refresh of entitlement values.
>
> If I change the parameter format back to legacy, then the error goes away.


Never mind, I worked out that this is possible.

1. In EntitlementConfiguration make sure that the following are present:
   a. parameter-format="idm4"
   b. <parameters><parameter mandatory="true" name="ID" source="value"/></parameters>
2. In the entitlement object, specify the value in JSON format, for example:
   {"ID":"an_entitlement_value"}
3. Refresh entitlement values, and no errors are generated during refresh.
4. Granting/revoking a resource tied to this entitlement doesn't generate any errors in the roles & resources driver trace either.

Not sure if this approach has any drawbacks (except that it's a bit more
fiddly to define new administrator defined values).

There is a potential that this will be converted to a "values from the
application" type entitlement at a later date, so it was important to
ensure that the parameter format wouldn't need to change.
Alex McHugh - Knowledge Partner - Stavanger, Norway
cpedersen Outstanding Contributor.

Re: parameter-format="idm4" and administrator-defined-values


True that would fix the problem, but then Designer is broken as it generates the Entitlement with XML Data, and not JSON Data.

I have the exact same configuration in an IDM 4.5 project which works. Now has this changed between IDM 4.5 and 4.7 - so entitlements with values need to be updated?

Cheers,

Casper


Re: parameter-format="idm4" and administrator-defined-values


We've seen that IDM Apps and RRSD have got stricter with how they interpret the info in the Entitlement-Configuration object. RRSD actually parses Entitlement-Configuration and uses the info in that to decide how to grant/revoke entitlement values. At one customer, this caused some odd errors for me when I had inadvertently created an Entitlement-Configuration object with invalid XML.

I think it is actually a good thing that the RRSD driver has become more strict, as there are environments out there with all kinds of cruft that should never have worked in the first place.

The DTD for Entitlement-Configuration objects now states that if you omit parameter-format then it defaults to idm4. I don't think it was like that when they first launched the new style entitlements in 4.0.

Recall that administrator defined values were intended to be used by the old Entitlement Service Driver, which has been on the deprecated chopping block for a long time now.

Alex McHugh - Knowledge Partner - Stavanger, Norway
cpedersen Outstanding Contributor.

Re: parameter-format="idm4" and administrator-defined-values


With 4.0.x the new format was introduced, and it would default to it. I think I even got an original 4.0.0 AD driver somewhere which would create the EntitlementConfiguration object without the format.

But this is not an issue with the RRSD driver, this is the UA which will not do a code-map refresh of the entitlement, and the Entitlement is created with Designer.

I've followed the documentation (IDM 4.7): https://www.netiq.com/documentation/identity-manager-47/pdfdoc/entitlements/entitlements.pdf - on page 21 there is a screendump of an entitlement (Designer) and mine is an almost exact copy.

And on page 46 there is an example of an entitlement with values (XML).

The code-map refresh works just fine with entitlements w/o values, and with queries; it only fails when there are values.

A bit strange.

Knowledge Partner

Re: parameter-format="idm4" and administrator-defined-values


I am pretty sure Steve in the past suggested two solutions for non-valued entitlements.

1) Legacy mode as Alex suggested.

2) Specify a value of {} (open curly brace, close curly brace), which is a valid empty JSON element.

Thinking about it, does the EntitlementConfiguration DTD support static values for <parameter> nodes?

cpedersen Outstanding Contributor.

Re: parameter-format="idm4" and administrator-defined-values


The DTD shows the values as XML. And even Designer 4.8 will generate the Entitlement as:

<entitlement conflict-resolution="priority" description="" display-name="test-values">
<values multi-valued="false">
<value>VALUE1</value>
<value>VALUE2</value>
<value>VALUE3</value>
</values>
</entitlement>

There are now two options - something in my setup is really wrong, or Designer and the Documentation are wrong 😉

I'll ignore the issue for the time being.

Thanks!

Re: parameter-format="idm4" and administrator-defined-values


Designer and the documentation fail to mention that you need to set parameter-format to legacy if you want to use this style.

The documentation is not "wrong", just incomplete.
If you insist on using idm4 as the parameter format, then you need to construct your values as such (JSON inside XML):

<entitlement conflict-resolution="priority" description="" display-name="test-values">
<values multi-valued="false">
<value>{"ID":"VALUE1"}</value> 
<value>{"ID":"VALUE2"}</value>
<value>{"ID":"VALUE3"}</value>
</values>
</entitlement>

Alex McHugh - Knowledge Partner - Stavanger, Norway
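
One way to check this before running a code-map refresh, as an added example that is not part of the original thread or of any NetIQ code: it takes the `<parameters>` fragment and the entitlement XML in the shapes quoted above and reports values that are not JSON objects carrying every mandatory parameter. The function names and the sample input are constructed, and exact-case matching of parameter names is an assumption.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample input in the shapes quoted in the thread.
PARAMETERS_XML = ('<parameters><parameter mandatory="true" name="ID" '
                  'source="value"/></parameters>')
ENTITLEMENT_XML = """<entitlement conflict-resolution="priority" description="" display-name="test-values">
<values multi-valued="false">
<value>VALUE1</value>
<value>{"ID":"VALUE2"}</value>
<value>{"Id":"VALUE3"}</value>
</values>
</entitlement>"""


def mandatory_parameters(parameters_xml):
    """Names of <parameter> nodes marked mandatory="true"."""
    root = ET.fromstring(parameters_xml)
    return [p.get("name") for p in root.iter("parameter")
            if p.get("mandatory") == "true"]


def check_values(entitlement_xml, parameters_xml, parameter_format="idm4"):
    """Return (value, problem) pairs for values that do not fit idm4."""
    if parameter_format != "idm4":
        return []  # the thread only describes a JSON requirement for idm4
    required = mandatory_parameters(parameters_xml)
    problems = []
    for node in ET.fromstring(entitlement_xml).iter("value"):
        text = (node.text or "").strip()
        try:
            parsed = json.loads(text)
        except ValueError:
            problems.append((text, "not JSON (legacy-style plain value)"))
            continue
        if not isinstance(parsed, dict):
            problems.append((text, "JSON, but not an object"))
            continue
        # Assumption: parameter names must match exactly, including case.
        missing = [name for name in required if name not in parsed]
        if missing:
            problems.append((text, "missing mandatory: " + ", ".join(missing)))
    return problems


if __name__ == "__main__":
    for value, problem in check_values(ENTITLEMENT_XML, PARAMETERS_XML):
        print(f"{value!r}: {problem}")
```
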
cpedersen Outstanding Contributor.

Re: parameter-format="idm4" and administrator-defined-values


This is interesting, as then Designer is "broken" as it will always produce the legacy format - unless of course you enter "{"ID":"VALUE1"}" which then will work.

But as you said, the Documentation needs a refresher.

Good to know, thank you.
