Roles Based Provisioning Tools: Readme

January 28, 2008

For the latest version of the Readme, visit the Roles Based Provisioning Module documentation Web page.

1.0 General Issues
1.1 Problems running Designer on Windows XP using the Windows Classic Theme
1.2 Problems with Outline view refresh after Import

2.0 Provisioning View
2.1 Problems with Provisioning view refresh
2.2 Localization and national characters
2.3 Document Generator incorrectly generates provisioning object documentation
2.4 Deleting protected objects does not display error message
2.5 Adding a new locale to the roles resource group does not make the locale available to Roles Tab
2.6 Problems exporting localization data for provisioning teams and provisioning request definitions

3.0 Role Catalog
3.1 Specifying custom SoD provisioning request definitions
3.2 Copying roles across drivers
3.3 Importing roles
3.4 Problems modifying trustees for a role
3.5 Adding undeployed Entitlement to role might cause misleading validation message
3.6 Problems with delete button in Role Editor Entitlements and Contained Roles Sections
3.7 Export of SoD does not preserve default approvers selection

4.0 Provisioning Teams
4.1 Provisioning team wizard no longer allows single quotes in CN

5.0 Provisioning Request Definition Editor
5.1 Problems with provisioning request definitions and dynamic assigned rights
5.2 Problems with provisioning request definition editor refresh after import
5.3 Problems removing trustees from multiple provisioning request definitions
5.4 Problems editing trustees for multiple provisioning request definitions


1.0 General Issues

1.1 Problems running Designer on Windows XP using the Windows Classic Theme

If you run Designer on Windows XP using the Windows Classic Theme, you might encounter problems when you tab between radio buttons. The radio buttons disappear. To work around this problem, use the Windows XP theme.


1.2 Problems with Outline view refresh after import

You might encounter refresh problems when importing provisioning objects using Designer's Outline view. For example, if you import a provisioning request definition using the Outline view, you might not see the object in the Outline view after the import completes. To work around this problem, you can either restart Designer after performing the import from the Outline view, or use the Provisioning view to perform any import operations. The Provisioning view is the preferred method for performing actions (edit, import, export, deploy) on provisioning objects.

2.0 Provisioning View Issues

2.1 Problems with Provisioning View refresh

When you delete certain objects from the Modeler view (for example, the User Application driver or the Identity Vault) the Provisioning view does not always refresh automatically to reflect the changes. Even though these objects still display in the Provisioning view, they do not function properly. To ensure that both views are synchronized, refresh the Provisioning view after making changes in the Modeler view. The Refresh button is available in the Provisioning view's toolbar.

2.2 Localization and national characters

If you export localization data that contains national characters (for example, the Danish åøæ characters) in XML format, you cannot use Wordpad to edit the file. If you use Wordpad to edit an XML file containing localization data, the characters are not displayed correctly. If you export localization data that contains national characters (for example, the Danish åøæ characters) to a properties file, the national characters are always escaped.

2.3 Document Generator incorrectly generates provisioning object documentation

The Document Generator tool uppercases letters and inserts spaces in some provisioning object documentation. For example, a list key of integrationActivity becomes Integration Activity.

2.4 Deleting protected objects does not display error message

If you select both protected and unprotected provisioning objects, then attempt to delete the set, the Provisioning view does not perform an action. It should notify you that the set of objects cannot be deleted because it includes one or more protected objects.

2.5 Adding a new locale to the roles resource group does not make the locale available to roles

To add a locale to the Roles tab, you must add it to the following Localization Resource groups:

If you add it to only the Roles localization resource group, the locale will not appear as an option in the localization dialog box.

2.6 Problems exporting localization data for teams and provisioning request definitions

When you export provisioning team and provisioning request definition data using Localize > Export Localization Data, the generated output files are locked. To work around this problem, restart Designer to release the locks.


3.0 Role Catalog Issues

3.1 Specifying custom SoD conflict approval provisioning request definitions

The Roles Catalog editors do not allow you to specify a custom SoD conflict approval provisioning request definition. Use the Roles tab of the User Application (Role Management > Configure Role Subsystem) to specify the name of a custom SoD conflict approval provisioning request definition.

3.2 Copying roles across drivers

When you copy a role from one driver to another, you cannot paste the copied role more than once. If you need multiple copies of the same role, copy the role from the source driver to the target driver, then use the copy/paste within the target driver to make additional copies.

3.3 Importing roles container

If you attempt to import a roles container, and that container includes roles that already exist in the target driver, the import will fail; however, the Import Results dialog incorrectly states that the import of the container was successful.

3.4 Problems modifying trustees for roles

If you modify the Trustees for an existing role, save your changes, then redeploy it, Designer prevents the redeploy. Designer displays a message that the roles are equal. To work around this problem, modify some other property for the role, then redeploy.

3.5 Adding undeployed entitlement to a role might cause misleading validation message

If you create a new entitlement (but do not deploy it), then add the entitlement to an existing (and deployed) role, Designer's Project Checker generates a validation error message because the entitlement is not yet deployed. If you then deploy the entitlement, then run Project Checker against the role, the validation message is still generated. You can prevent this second occurrence of the validation message in one of these ways:


3.6 Problems with delete button in role editor entitlements and contained roles sections

If you delete the first row of the table in either the Contained Roles or Entitlements sections, then undo the deletion, the delete button is disabled. You might have to click within the table twice before the delete button is enabled.

3.7 Export of SoD does not preserve default approvers selection


When you export an SoD definition (either as part of a driver export or as a single object export), the export does not preserve the Use Default Approvers selection. As a result, you might encounter validation errors. To work around this problem, review the Use Default Approvers selection after you import the definitions to make sure the selection is correct.

4.0 Provisioning Teams Issues

4.1 Provisioning team wizard no longer allows single quotes in CN

The Provisioning Team wizard no longer allows you to use single quotes in the CN field. The valid characters are alphanumeric, underscore (_), dash (-), and spaces.


5.0 Provisioning Request Definition Editor Issues

5.1 Problems with provisioning request definitions and dynamic assigned rights

When you deploy a provisioning request definition whose trustee is defined as a dynamic group, the trustee information in the Identity Vault is modified so that the Dynamic Assigned Rights checkbox is unselected for the All Attribute Rights and Entry Rights properties. When these properties are unselected, the provisioning request definition is not visible in the User Application. To work around this problem, use iManager > Modify Trustees and select the Dynamic Assigned Rights checkbox on the provisioning request definition within the User Application driver.

5.2 Problems with provisioning request definition editor refresh after import

You might not see the most recent values for a provisioning request definition after performing an import. For example, if you:

  1. Create a provisioning request definition.
  2. Deploy it.
  3. Modify one or more properties such as Display Name, Display Description, or Flow Strategy.
  4. Save the changes.

If you then import the provisioning request definition, you still see the modified properties rather than the imported values. To work around this problem, close the Provisioning Request Definition Editor and reopen it.

5.3 Problems removing trustees from multiple provisioning request definitions

You might encounter problems when you select multiple provisioning request definitions and attempt to delete ALL of the trustees. The delete will work as long as you do not choose to delete them all. To work around this problem, you can delete the trustees from each individual provisioning request definition.

5.4 Problems editing trustees for multiple provisioning request definitions with Process Type of Role Approval

You might encounter problems when you select two or more provisioning request definitions (whose Process Type is Role approval), and edit the trustees for these definitions. One or more of the definitions might become read-only. To work around this problem, select one Role approval provisioning request definition at a time to edit the trustees.