8 replies, latest post 2013-06-19T17:42:29Z by dannelson
jdell
92 Posts
ACCEPTED ANSWER

ITIM 5.1: Get role name in a provisioning policy entitlement

2013-05-08T06:54:41Z

Hello,

I'm trying to get the role name (from the role DN) in a provisioning policy entitlement. I can get the entitlement to work if I hardcode the role DN, but if I try to extract the role name (from the errolename attribute) I get an error that states "'Role' not found." Here's the PP entitlement code - I'm provisioning TAM group entitlements:

var roles = subject.getProperty("erroles");
var groups = new Array();
var i = 0;
var j = 0;

var rolename;
var role;

for (i = 0; i < roles.length; i++) {

    role = new Role(roles[i]);                  // <== this is the line that is failing
    rolename = role.getProperty("errolename");
    if (rolename == "role_DDPMarginLending") {
        groups[j++] = "DDPMarginLending";
    }

//    if (roles[i] == "erglobalid=170510182036473724,ou=roles,erglobalid=00000000000000000000,ou=babl,dc=bendigoadelaide") {
//        groups[j++] = "DDPMarginLending";
//    }

    // the following code works fine (compares the role DN directly)
    if (roles[i] == "erglobalid=170378779980987025,ou=roles,erglobalid=00000000000000000000,ou=babl,dc=bendigoadelaide") {
        groups[j++] = "DEPPortfolioFunding";
    }
}

// return null when no group applies, so the entitlement has no value
if (groups.length > 0) {
    return groups;
} else {
    return null;
}

I've pointed out the code (or line) that is failing and the code that doesn't fail and correctly sets and provisions the entitlement.  I'm obviously not understanding how the Role extension is working from the documentation.  I thought that if you give the Role constructor a role DN it should return the directory object and from there I thought I should be able to retrieve the "simple" name for the role from the errolename attribute.

If anyone could point out the error of my ways, it would be greatly appreciated.

Cheers,

John D.

  • franzw
    236 Posts

    Re: ITIM 5.1: Get role name in a provisioning policy entitlement

    2013-05-08T07:32:12Z  in response to jdell

    You should not go down that route....

    This is very bad design and will hurt you as the code will scale very badly.

    The whole concept of the ITIM Provisioning Model is that you set up a policy for one (or more) roles. That policy will give a well defined result - both data and performance wise.

    You may not like my answer - but I will not help you hurt yourself - sorry.

    Regards

    Franz Wolfhagen

    • jdell
      92 Posts

      Re: ITIM 5.1: Get role name in a provisioning policy entitlement

      2013-05-08T23:38:05Z  in response to franzw

      Hi Franz,

      Thanks for your reply.  I tend to agree with you that it's probably not the best design, but I'll explain the scenario I'm working with.

      We're deploying a new web application and this application has 5 distinct access roles defined. Each of these roles has a one-to-one mapping relationship to a TAM group. The business requirement states that a user of the application can be a member of ONE or MORE of any of these 5 roles. So I created the 5 roles in TIM and originally I was going to create 5 provisioning policies and assign one role to each of these PPs. Since the only difference between these policies is the TAM group membership, I thought that I could use the one PP and assign all 5 roles as members of the PP and then use the entitlement to calculate the specific TAM group memberships that are required for the user.

      I may be wrong, but it just seemed a waste to create 5 PPs, where each PP is only assigning one TAM group membership.

      Potentially bad design aside, out of curiosity, I'd still be interested in why the code "new Role(roleDN)" is throwing an error.

      Regards,

      John D.

      • jdell
        92 Posts

        Re: ITIM 5.1: Get role name in a provisioning policy entitlement

        2013-05-09T02:21:24Z  in response to jdell

        OK.  I've figured out how to get the role name.

        But I do take on board Franz's advice.  However, in the scenario I described in my previous post, should I go ahead and create 5 provisioning policies - with each policy setting the TAM group membership entitlement for each role separately?

        I'd be interested in any other alternatives.

        Cheers,

        JD

        • SourabhM
          17 Posts

          Re: ITIM 5.1: Get role name in a provisioning policy entitlement

          2013-06-05T12:55:32Z  in response to jdell

          You are getting the error "Role was not found" because the Role constructor is available within the scope of workflow, not in provisioning policy.

          In scriptframework.properties, there is an entry that makes the Role constructor available in workflow scope.

          ITIM.extension.Workflow.model.4=com.ibm.itim.script.extensions.model.RoleModelExtension

          You can try to define the same RoleModelExtension under provisioning policy scope and let's see if it works:

          ITIM.extension.ProvisioningPolicy.role=com.ibm.itim.script.extensions.model.RoleModelExtension

          Cheers,

          SourabhM

          Updated on 2013-06-05T12:56:38Z at 2013-06-05T12:56:38Z by SourabhM
  • goonitsupport
    64 Posts

    Re: ITIM 5.1: Get role name in a provisioning policy entitlement

    2013-06-06T09:18:11Z  in response to jdell

    I agree with Franz here and believe my main objection to this is transparency. Provisioning Policies should be kept as simple as possible and made easy to understand for everyone. When designing security it shouldn't just be for the benefit of techies; it must be easily understandable by all (e.g. auditors).

    The other concern is performance. A simple model with 1 policy and role per group name will perform much faster than the 1 policy for all groups.

    All that being said, I did consider whether this would ever be a use case I would consider. The only reason I would do this is if new groups were constantly being added and the customer was comfortable creating new Roles in ISIM but didn't want to create new Provisioning Policies for whatever reason.

    Of course even then given time the best course of action would be to automate the creation of appropriate Provisioning Policies based on roles being created in a specific container.

    So with all the preamble aside, here is how you could do it after careful consideration of all factors:

    Add the following to scriptframework.properties (perhaps only 1 is required):

    ITIM.extension.ProvisioningPolicy.vc.3=com.ibm.itim.script.extensions.model.RoleModelExtension
    ITIM.extension.ProvisioningPolicy.vc.2=com.ibm.itim.script.extensions.model.PersonModelExtension

    // prov policy script

    var rolesArray = subject.getRoles();

    for (var i = 0; i < rolesArray.length; i++)
    {
        // errolename is returned as a multi-valued attribute; take the first value
        Enrole.log("script", "My role name is " + rolesArray[i].getProperty("errolename")[0]);
    }

    • jdell
      92 Posts

      Re: ITIM 5.1: Get role name in a provisioning policy entitlement

      2013-06-06T23:48:43Z  in response to goonitsupport

      Hello,

      Thanks for your reply.

      As I stated in my post on May 9, I figured out how to get the role names, and the code snippet you provided is the method I used. Having said that, I have taken Franz's advice on board and I have decided not to use this method; instead I'm going with multiple provisioning policies. I'm not overly happy with it, as each of these policies is only assigning a TAM group membership. It would've been nice to be able to incorporate the provisioning of the group memberships in one PP.

      Thanks,

      JD

      • TerryYau
        21 Posts

        Re: ITIM 5.1: Get role name in a provisioning policy entitlement

        2013-06-07T06:22:20Z  in response to jdell

        Hi jdell,

        Good choice. When it comes to creating PPs, it's best to have them as Franz described. As tempting as it may be to use minimal code and configuration to achieve a goal, it will help you a lot down the road to have the PPs in a somewhat isolated manner (rather than too combined) when it comes to troubleshooting and future modification.

      • dannelson
        25 Posts

        Re: ITIM 5.1: Get role name in a provisioning policy entitlement

        2013-06-19T17:42:29Z  in response to jdell

        Actually, I do something similar to what JDell originally wanted to do, and it seems to work fine for me. We use quite a few roles that get mapped to TAM groups (over 400 so far), and having a PP for each role would be imho insane. I have created a provisioning policy for each web application, with all of that app's roles assigned to that policy. Application "abcd" may have roles named ABCD_USER_ROLE and ABCD_ADMIN_ROLE, for example, which get translated to the TAM groups "abcd_user" and "abcd_admin". I also have a covering group that I use in TAM acls, which in this example is "itim_abcd":

        var allroles = subject.getProperty("role");
        var roles = [];
        roles.length = 0; /* Tivoli JS bug creates a 1-element array on the previous line.  Truncate it back to empty. */

        var i;
        var prefix = "ABCD_";

        /* Enrole.log("pp", "roles=<"+roles.toString()+">("+roles.length+")"); */

        /* filter out only the roles starting with 'prefix', remove _ROLE from the end, and lowercase them. */
        for (i = 0; i < allroles.length; i++)
        {
          var r = allroles[i].name;
          /* Enrole.log("pp", "examining <"+r+">"); */
          if (r.substring(0, prefix.length) == prefix)
          {
            r = r.replace(/_ROLE$/, "");
            r = r.toLowerCase();
            /* Enrole.log("pp", "pushing <"+r+">"); */
            roles.push(r);
          }
        }

        /* Push one generic group that we will use in the ITAM ACL */
        roles.push("itam_abcd");

        /* Enrole.log("pp", "returning roles=<"+roles.toString()+">("+roles.length+")"); */

        return roles;


        Updated on 2013-06-19T17:44:04Z at 2013-06-19T17:44:04Z by dannelson
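Added example, not code from any post in this thread and not IBM's: the two mapping strategies discussed above (jdell's fixed role-to-TAM-group table and dannelson's prefix convention) written as plain functions with no ITIM objects in them, so the mapping itself can be tested outside the policy script engine and read by an auditor as a single table. Assumptions not taken from the thread: in the real entitlement script the caller would fetch role objects with subject.getProperty("role") and read each .name, as dannelson's post does, then hand the names to one of these functions; the sample role names and the ROLE_TO_GROUP table are constructed for this example; the code is kept ES3-style because ITIM 5.1's script engine predates the ES5 array extras.

```javascript
// Explicit allow-list for the "five roles, five groups" scenario: a role yields
// a group only if it is listed here. Constructed sample values.
var ROLE_TO_GROUP = {
  "role_DDPMarginLending": "DDPMarginLending",
  "role_DEPPortfolioFunding": "DEPPortfolioFunding"
};

// Turn role objects (assumed shape: { name: "..." }, as in dannelson's script)
// into plain name strings. A missing or empty role list yields [] rather than
// a script error that would abort the whole entitlement evaluation.
function namesOf(roleObjects) {
  var names = [];
  names.length = 0; // same work-around dannelson uses for the engine's 1-element array bug
  if (!roleObjects) { return names; }
  for (var i = 0; i < roleObjects.length; i++) {
    if (roleObjects[i] && roleObjects[i].name) {
      names.push(String(roleObjects[i].name));
    }
  }
  return names;
}

// Table-driven mapping. hasOwnProperty stops inherited property names such as
// "constructor" from matching as if they were roles; duplicates collapse to one
// group; null is returned when nothing matched, which is what jdell's original
// entitlement returns to mean "no value".
function groupsFromTable(roleNames, table) {
  var groups = [];
  groups.length = 0;
  var seen = {};
  for (var i = 0; i < roleNames.length; i++) {
    var name = roleNames[i];
    if (!Object.prototype.hasOwnProperty.call(table, name)) { continue; }
    var group = table[name];
    if (!Object.prototype.hasOwnProperty.call(seen, group)) {
      seen[group] = true;
      groups.push(group);
    }
  }
  return groups.length > 0 ? groups : null;
}

// Convention-driven mapping, generalised from dannelson's post: keep roles that
// start with prefix, drop a trailing _ROLE, lowercase, de-duplicate, then append
// the covering group used in the TAM ACL. Because the covering group is always
// added, this variant never returns null.
function groupsFromPrefix(roleNames, prefix, coveringGroup) {
  var groups = [];
  groups.length = 0;
  var seen = {};
  for (var i = 0; i < roleNames.length; i++) {
    var r = String(roleNames[i]);
    if (r.substring(0, prefix.length) !== prefix) { continue; }
    r = r.replace(/_ROLE$/, "").toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(seen, r)) {
      seen[r] = true;
      groups.push(r);
    }
  }
  groups.push(coveringGroup);
  return groups;
}

// Stand-alone run on constructed role objects; in ITIM these would come from
// subject.getProperty("role") inside the entitlement script.
var sampleRoles = [
  { name: "ABCD_USER_ROLE" },
  { name: "ABCD_ADMIN_ROLE" },
  { name: "role_DDPMarginLending" }
];
var sampleNames = namesOf(sampleRoles);
groupsFromTable(sampleNames, ROLE_TO_GROUP);          // ["DDPMarginLending"]
groupsFromPrefix(sampleNames, "ABCD_", "itim_abcd");  // ["abcd_user", "abcd_admin", "itim_abcd"]
```

The table form is the one that answers goonitsupport's transparency point: the complete role-to-group relationship is a single literal an auditor can read, and a role that is not in the table can never produce a group. The prefix form is the one that scales to dannelson's hundreds of roles, at the cost that any role whose name happens to start with the prefix will be mapped, so the naming convention itself becomes part of the access control and needs the same review as the table would.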