Authors: Volker Scheuber and John DaSilva
With the introduction of Roles Based Provisioning Module 3.7, a new Resource model was introduced. To leverage this model, you need to convert any existing drivers that use entitlements so they can be used with resources.
A resource is any digital entity such as a user account, computer, or database that a business user needs to be able to access. The User Application provides a convenient way for end users to request the resources they need. In addition, it provides tools that administrators can use to define resources. Each resource is mapped to an entitlement.
If your driver has already been converted (for example, the Active Directory driver), you can just upgrade to the new configuration that was shipped with Designer 3.5. If not, for example a driver you implemented on your own with entitlements, you need to follow the steps in this cool solution.
Although you will only be preparing the driver for use with Resources, you are really preparing your driver for future enhancements to Identity Manager and the tools that will be provided. It may seem that you are doing more work than is necessary, but you are setting yourself up for the future so that you will not need to perform these tasks later.
The policy file required for this cool solution can be found here.
You will complete the following:
1.0 Add Policy to Create Resource Configuration Object
1.1 Add Policy to Library
1.2 Link Policy to Input Transformation of Driver
2.0 Create GCVs to Control Driver Configuration
3.0 Create Mapping Table(s) for Localization
4.0 Deploy and Start (Restart) the Driver
1.0 Add Policy to Create Resource Configuration Object
The new resource model is driven by a new configuration object that contains information from the driver configuration for the entitlements and, in the future, other configuration options. This configuration is built on the fly every time a driver is started, by a policy that checks the driver configuration and builds a new object based on the latest administrator-set options.
This feature allows the driver to be configured by an administrator without having to go in and change policies. For simple, generic types of entitlements, the policy can be linked to from the driver by placing it into a library in the driver set. In this way you can use the same policy in several drivers. When specialization of the policy is required for a particular driver, it can be copied into that driver.
You will complete the following:
1.1 Add Policy to Library
The first step is to add the policy to a Library object on the driver set.
Do the following:
1. On the bottom Quick Launch taskbar, select the Designer icon to start the Designer for Identity Manager.
2. In the Outline view (on the left) select outline and then Library in the DriverSet, see Figure 1.
   Figure 1 Library in Outline view
3. Create a new policy called lib-RMAP-InitEntitlementConfigurationResource-itp, then in the Policy editor change to the XML Source tab at the bottom.
4. Open the file lib-RMAP-InitEntitlementConfigurationResource-itp.xml with a text editor.
5. Select all the text in the file and copy it.
6. Paste the code you just copied from the editor into the XML Source of the policy you created in Designer, see Figure 2.
   Figure 2 Policy as XML in Policy Editor
7. Select the Policy Builder tab at the bottom of the Policy Editor.
8. Close the text editor; you will no longer need the file.
9. Save the policy in Designer and close it.
10. Deploy the Library object.
11. Continue with the next section.
1.2 Link Policy to Input Transformation of Driver
Now that you have your policy, you need to link it into the Input Transformation of the Publisher channel of the driver. This policy should be the first policy in the Policy set; it is designed to execute only once, when the driver starts.
Do the following:
1. In the Outline view select the driver you are updating, then change the view to the Fishbone view.
2. Select the Input icon, then add a policy in the Policy Set editor at the bottom.
3. Select Link a Policy, then select Next to continue.
4. Browse for the policy you created in the Library in Add Policy to Library.
5. Select Finish to complete the link to the policy.
6. Do not deploy the driver yet; you still need to set up the configuration.
7. Continue with the next exercise section.
2.0 Create GCVs to Control Driver Configuration
In this section you will create Global Configuration Variables (GCVs) on the driver. These GCVs will be used to drive the policy in its task of creating the resource configuration. In this way an administrator can change whether a driver is going to be used for resources by simply changing the variable value and restarting the driver.
It is good practice to use GCVs to control the functions of your policies or to provide any information needed by the driver, for example where groups and users are to be placed in the identity vault. The newer driver configurations shipped by Novell leverage this technique to make it easier to implement drivers in Identity Manager deployments.
Do the following:
1. In Designer, in the Developer editor (blue background), double-click on the channel (the line between the driver icon and the IDVAULT icon) to open the driver configuration properties.
2. Select GCVs in the left navigation.
3. Select the Add button and do the following steps, using Figure 3 as a guide.
   a. Name is drv.rolemapping.enable
      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.
   b. Display name is Enable Role Mapping
   c. Description is:
      If you turn role mapping on then this driver will be visible to the role mapping administrator.
   d. Type is enumeration; add two values with the following properties.
      - Display name of Yes and value of true, OK to save.
      - Display name of No and value of false, OK to save.
   The completed dialog for the first GCV.
   Figure 3 Role mapping GCV defined
4. Select Finish to save the GCV.
5. Now you need to define, under this GCV, one that enables the specific entitlement. You can control the overall mapping and then decide that it is only used for certain entitlements.
   a. The Name of the GCV is drv.rolemapping.EntitlementName
      NOTE: The last part of the name (i.e. EntitlementName) is your entitlement name. It is important not to have spaces in your entitlement name.
      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.
   b. Enter the remaining fields; the Type is the same as in Step 3.d.
6. Now you need to add one for the Resource Mapping. Do the following steps, using Figure 3 as a guide.
   a. Name is drv.resourcemapping.enable
      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.
   b. Display name is Enable Resource Mapping
   c. Description is:
      If you turn resource mapping on then this driver will be visible to the role mapping administrator.
   d. The Type is the same as in Step 3.d.
   The completed dialog for the third GCV.
   Figure 4 Resource mapping GCV defined
7. Now you need to define, under this GCV, one that enables the specific entitlement. You can control the overall mapping and then decide that it is only used for certain entitlements.
   a. The Name of the GCV is drv.resourcemapping.EntitlementName
      NOTE: The last part of the name (i.e. EntitlementName) is your entitlement name. It is important not to have spaces in your entitlement name.
      IMPORTANT: Case is important in the names of a GCV, so type it in exactly as defined in the instructions.
   b. Enter the remaining fields; the Type is the same as in Step 3.d.
8. You should now have 4 GCVs defined, as in Figure 5.
   Figure 5 All GCVs defined
9. Select Apply to save your changes.
10. Continue with the next exercise section.
3.0 Create Mapping Table(s) for Localization
The information about resource mapping can be displayed by another tool, and to provide text in different languages we need to provide the names of our entitlements in a Mapping Table on the driver. You create one mapping table for each language that you want to support.
The name of the mapping table must be in the following format, with the last characters (in this example EN for English) identifying the language. Note that the name contains a zero (0), not the letter o.
L10N_EN
In this section you will only define one mapping table for the English language.
Do the following:
1. In the Outline view select the driver, then from the right-mouse context menu select New->Mapping Table to create the mapping table object.
2. The table name is L10N_EN, with a 0 (zero) not an o.
3. Add 2 columns to the table, the first one called key and the second called value.
4. Add one row where the key (column 1) is entEntitlementNameDisplayName. This identifies the entitlement and is the same in every language mapping table. Add one entry for each entitlement. See Figure 6.
   NOTE: The last part of the name (i.e. EntitlementName) is your entitlement name. It is important not to have spaces in your entitlement name.
5. The value (column 2) is Group; this is the language-specific name for the entitlement, see Figure 6.
   The completed mapping table.
   Figure 6 Mapping table with one row defined
6. Save and close the editor.
7. Continue with the next exercise section.
4.0 Deploy and Start (Restart) the Driver
Now that you have completed the configuration of your driver you are ready to deploy and start the driver to have the resource configuration created.
Do the following:
1. Close any open editors and make sure all your changes are saved.
2. Deploy your driver.
3. When prompted to restart the driver, say yes.
4. To see the changes made to your driver configuration by the new policy, use Compare, see Figure 7.
   Figure 7 Driver Compare menu option.
5. The results of the compare should show one difference, a new object called Entitlement Configuration (see Figure 8). You can reconcile it to your driver, but you really don't need to because it is recreated every time you start the driver.
   Figure 8 Entitlement Configuration created
6. If the Entitlement Configuration object was not created, the reason could be:
   - The policy was not linked or deployed in the library.
   - The GCVs were not created correctly; there must be 2 that match your entitlement name.
   - You do not have a mapping table created with the proper name and proper column names.
   If that is the case, go back and troubleshoot your driver configuration.
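The three causes listed above can be checked before deploying. The following is an added example, not part of the original article or of the Novell policy: it takes the GCVs and mapping tables as plain Python dictionaries (a constructed input shape, not a Designer export format) and reports every naming or value problem for one entitlement. The function name and the sample data are assumptions made for illustration.

```python
import re

def check_resource_prereqs(entitlement, gcvs, tables):
    """List problems that would stop the Entitlement Configuration object
    from being built. gcvs is {name: value}; tables is
    {table_name: {"columns": [...], "rows": [{"key": ..., "value": ...}]}}.
    Both input shapes are constructed for this example."""
    problems = []
    if re.search(r"\s", entitlement):
        problems.append(f"entitlement name {entitlement!r} contains spaces")

    # The four GCVs from section 2.0. GCV names are case-sensitive.
    required = ["drv.rolemapping.enable", f"drv.rolemapping.{entitlement}",
                "drv.resourcemapping.enable", f"drv.resourcemapping.{entitlement}"]
    by_lower = {name.lower(): name for name in gcvs}
    for name in required:
        if name in gcvs:
            if gcvs[name] not in ("true", "false"):
                problems.append(f"GCV {name}: value {gcvs[name]!r} is not true/false")
        elif name.lower() in by_lower:
            problems.append(f"GCV {by_lower[name.lower()]} differs from {name} only by case")
        else:
            problems.append(f"GCV {name} is missing")

    # Section 3.0: table name L10N_<language> (zero, not O), columns key and value.
    for name in tables:
        if re.fullmatch(r"L1[oO]N_\w+", name):
            problems.append(f"mapping table {name} uses the letter O, not a zero")
    l10n = {n: t for n, t in tables.items() if re.fullmatch(r"L10N_\w+", n)}
    if not l10n:
        problems.append("no mapping table named L10N_<language>")
    row_key = f"ent{entitlement}DisplayName"
    for name, table in l10n.items():
        if table.get("columns") != ["key", "value"]:
            problems.append(f"{name}: columns must be key and value")
        elif not any(r.get("key") == row_key and r.get("value")
                     for r in table.get("rows", [])):
            problems.append(f"{name}: no row with key {row_key}")
    return problems

# Constructed sample configurations for an entitlement named Group.
GOOD_GCVS = {"drv.rolemapping.enable": "true", "drv.rolemapping.Group": "true",
             "drv.resourcemapping.enable": "true", "drv.resourcemapping.Group": "true"}
GOOD_TABLES = {"L10N_EN": {"columns": ["key", "value"],
                           "rows": [{"key": "entGroupDisplayName", "value": "Group"}]}}
BAD_GCVS = {"drv.RoleMapping.enable": "true", "drv.rolemapping.Group": "yes",
            "drv.resourcemapping.enable": "true"}
BAD_TABLES = {"L1ON_EN": GOOD_TABLES["L10N_EN"]}

if __name__ == "__main__":
    for label, g, t in (("good", GOOD_GCVS, GOOD_TABLES), ("bad", BAD_GCVS, BAD_TABLES)):
        print(label, check_resource_prereqs("Group", g, t) or "OK")
```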
Congratulations, you have updated your driver for use with the new resource model!
| Attachment | Size |
|---|---|
| lib-RMAP-InitEntitlementConfigurationResource-itp.zip | 2.35 KB |
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
User Comments
Question
Submitted by alekz on 7 March 2010 - 2:31pm.
Hello!
Thanks for a nice article.
Some questions.
We still need to create entitlements and then we need to create a resource that uses that entitlement?
I'm trying to understand the change because I haven't worked with 3.7 yet.
When reading the documentation there is a mention of an entitlements tab when creating resources.
Will we need to modify the policy code that uses the entitlements?
Thanks.
Modify Policy Question
Submitted by jgdasilva on 15 March 2010 - 9:28am.
No, if your existing entitlement is working you don't need to make any changes to the policies.
The changes in this article are just if you want to use those entitlements with the Resource model that was introduced in 3.7.
For New Entitlements
Submitted by jgdasilva on 15 March 2010 - 9:33am.
If you are creating a new entitlement in an existing driver and want to use it in a Resource then you would need to add the GCVs and Map table in as explained in the article.
If you are using one of the newer driver configurations that has already been updated then you would just need to set the GCV for the entitlement to true.
Query the application for values
Submitted by aat385 on 8 April 2010 - 11:59pm.
Hi, I'm trying to set up an entitlement that queries the application for its values. When I try to link the resource to the entitlement in the User App, no values are returned. The query, however, does work through Designer, when testing via the deprecated Role -> Entitlement association.
Any feedback would be very much appreciated!
Re: Query the application for values
Submitted by jgdasilva on 9 April 2010 - 8:28am.
The driver information is cached by the User Application, try flushing that cache. If you go under Roles and Resources as the Administrator, there is a Configuration item on the left menu. Select that and in the middle there are the time settings and the option to rerun loading of the cache.
If that does not resolve the problem, then is the driver on a different server than the User Application and Role and Resource driver? There is a bug that if on a different server the query results are not fetched by the user application.
RE:
Submitted by aat385 on 10 April 2010 - 5:44am.
Thank you for the reply.
I have tried flushing the cache previously to no avail. The driver that I am attempting to implement the group entitlement on is an edir-to-edir driver from the id vault to another tree. The User App driver is sitting on the id vault server. Would the bug you mentioned apply to this?
Cheers.
eDir Driver and User App Driver on Same Server?
Submitted by jgdasilva on 12 April 2010 - 12:27pm.
Are the edir Driver and User App driver on the same driverset and same server? If not this is the problem and the only work around right now is to put them on the same server at least long enough for the query results to be cached by the user application.
So the eDir driver does show up when you create the resource and select the entitlements as one of the drivers? And the entitlement is shown on the list? Just that the entitlements do not show correct?
RE:
Submitted by aat385 on 12 April 2010 - 5:41pm.
Yes, the eDir driver on the id vault is on the same server and driverset as the roles&resource driver. Of course, its counterpart is on a separate tree, which is the application that I'm attempting to query. Correct, I can view and select the entitlement on the eDir driver in the id vault, but when I attempt to assign the entitlement value there are no items in the list (i.e. group names from the target container). The query does work through Designer, so it's not a connection problem. Please note, the department I work for have a support agreement with Novell, so if we can confirm that this is a bug and not user error :) I can then escalate it. Thanks.
User App Driver
Submitted by jgdasilva on 13 April 2010 - 12:27pm.
I asked about the User App driver, is it in the same tree? I will assume so.
The next step would be to look at the User Application logs.
Probably would be best to work with support. Or post this on the forums with your log file.
Have you restarted the User Application, since this started?
Bug with internationalisation
Submitted by scauwe on 23 April 2010 - 4:20am.
The mapping table used for internationalization is not used by the user app. I created 3 mapping tables (L10N_EN, L10N_NL and L10N_FR). The policy generates the xml with 3 different display labels. So far so good.
When, in the user app, I want to select an entitlement or I view a resource with an entitlement, this internationalized value is not displayed. Instead, the (non-internationalizable) display name of the entitlement itself is used.
Stefaan
Localization Not Used With Current Version
Submitted by jgdasilva on 26 April 2010 - 6:19am.
The localization Map tables are not used with the current version, this will be used in the future with IDM 4 with the RMA tool.
RE: Query the application for values / Issue Resolved
Submitted by aat385 on 12 May 2010 - 9:49pm.
Novell support remoted in yesterday to look at my setup. The support person pointed me to a configuration setting on the 'Configure Roles and Resources Settings' page of the UA. There is a setting on that page for the interval refresh (of the code map table I'm guessing) which was set to 1400 minutes (by default I believe). There is also a button beside the refresh status field to perform an instantaneous refresh. When we clicked that button the database was refreshed with the latest query result. Thank you for your assistance.