Designer is a great tool that, among other things, allows you to import Roles and Resources from a CSV file and, after that, deploy them as described in the Design Guide Topic 11.6 Importing Roles Defined in CSV Files and Topic 12.3 Importing Resources Defined in CSV Files.

However, it is not possible to make Role-Resource associations this way. I would have to use the UserApp Portal or call a WebService to do it and Resource-Entitlement associations.

For a large Roles-Resource relationship, I would spend a lot of days doing it manually. I would have the same problem if I had to associate Entitlement manually to Resources. So, I imported all the roles, resources and their associations by using a LDIF file.

But, I still have another problem: how to grant these roles to a large number of users at the same time? An approach is to create a Text Driver that grants roles to users. Another approach, that is the object of this Cool Solution, is to create nfrRequest objects by LDIF and let the Role Resource Service Driver (RRSD) do the hard job (grant Resources and Entitlements to the users).

For the record: the solution to import Roles, Resources (with Entitlements) and their associations, I kindly borrow from my project colleagues to post here.

Bulk Creation of Roles

I had to import a large number of Roles by creating a LDIF file. Each record looks like this:

# Record <99999>
dn: cn=<APPLICATION>_<99999>,cn=Level<99>,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
changetype: add
objectclass: nrfRole
objectclass: Top
nrfLocalizedNames: es~Role Name in Spanish|en~Role Name in English|pt~Role Name in Portuguese
nrfLocalizedDescrs: es~Role Description in Spanish|en~Role Description in English|pt~Role Description in Portuguese
nrfRoleLevel: <99>
nrfRoleCategoryKey: default
owner: CN=TheOwner,OU=Users,O=idv
ACL: 3#subtree#ou=Users,o=idv#[All Attributes Rights]
ACL: 1#subtree#ou=Users,o=idv#[Entry Rights]

As there was a group of Roles by application, I put the application name, followed by a sequential number. I could create a subcontainer for them too. The Role Name displayed to the user is obtained by the RBPM from the attribute nrfLocalizedNames.

The Level 99 varies by the type of Role: Business(30), IT(20) and Permission(10) Role.

ACL grants to all objects on Users container to view and access the Roles by the UserApp.

After all the Roles were imported, it was possible to import the Roles-Relationship via LDIF:

# Record <99999>
dn: cn=<APPLICATION>_<99999>,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
changetype: nrfChidlRoles
add: nrfChidlRoles
nrfChidlRoles: cn=<APPLICATION>_<99999>,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
nrfChidlRoles: cn=<APPLICATION>_<99998>,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
add: nrfParentRoles
nrfParentRoles: cn=<APPLICATION>_<99999>,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
nrfParentRoles: cn=<APPLICATION>_<99998>,cn=Level30,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>

Each role must exist on IDM BEFORE the relationship between each can be established. Therefore is not possible to do a single step load of role and their relations.

For Roles with only parent roles, the attribute nfrChildRoles is not necessary and the same rule applies to the roles without child roles.

Entitlement Creation

I built and, in some cases, converted the drivers to RBPM model. The conversion was made using the jgdasilva’s article: Convert Driver Entitlements to New RBPM 3.7 Resource Model. By the way, it works with RBPM 4.0.1, as expected.

I had some Entitlement drivers with Administrator Defined values and other ones with Application values.

I had to get the correct path to Entitlement and its value. These two pieces of data will be used in the next step.

Bulk Creation of Resources

The Resource Schema is described at Administration Guide A.0 Schema Extensions for the User Application.

The approach to import Resources via LDIF is similar to Bulk creation of Roles:

dn: cn=<AAAAMMDDHHMMSS>_<99999>,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
changetype: add
objectclass: nrfResource
objectclass: Top
nrfActive: FALSE
nrfAllowAprOveride: FALSE
nrfAllowMulti: TRUE
nrfCategoryKey: default
nrfLocalizedNames: es~Name in Spanish|en~Name in English|pt~Name in Portuguese
nrfLocalizedDescrs: es~Description in Spanish|en~Description in English|pt~Description in Portuguese
nrfEntitlementRef: cn=MyEntitlement,cn=MyDriver,cn=DriverSet,ou=IDM,ou=services,o=idv#1#<?xml version="1.0" encoding="UTF-8"?><ref><src>LDIF</src><id/><param>MyEntitlementValue</param></ref>
ACL: 3#subtree#ou=People,o=vale#[All Attributes Rights]
ACL: 1#subtree#ou=People,o=vale#[Entry Rights]

I created a timestamp and a counter to create the DN for the Resource, because there were many Resources load and they must not have the same name. As my timestamp goes until seconds, I added a counter to solve it.

ACL grants to all objects on Users container to view and access the Resources by the UserApp.

As nrfEntitlementRef is a structured attribute, this value is created in a single line, as shown above. The necessary changes are the Entitlement DN and the Entitlement value. Note that it is important that the Entitlement be recognized by UserApp (REFRESH CODE MAP option).

Bulk Assignment to Resources to Roles

At this point, I just imported the Roles, the Roles Associations and the Resources with their respective Entitlements. The next step is to create the association between Resource and Roles.

Again, I used the same way – LDIF:

dn: cn=<ROLE_CN_NAME>-<RESOURCE_CN_NAME>,cn=ResourceAssociations,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
changetype: add
objectclass: nrfResourceAssociation
objectclass: Top
nrfResource: cn=<AAAAMMDDHHMMSS>_<99999>,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
nrfRole: cn=<APPLICATION>_<99999>,cn=Level<99>,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
nrfAllowAprOveride: FALSE
nrfStatus: 50

If you wish, you can put a description:

nrfLocalizedDescrs: en~Description in english

Bulk Assignment Roles to Users

After having all the Roles (and Roles x Roles) x Resources x Entitlements created and ready to go, at this point, Roles could be requested by the users through the user app portal.

If your solution allows, users could request Resources too.

A colleague that rocks on Java, created a portlet, that imports a spreadsheet and saves it as CSV, and a Text Driver to automate the creation of Roles and Resources. But, it is another discussion why import Roles and Resources this way, instead of using Designer.

I had received some very large spreadsheets filled up with Roles which must be user granted; a task almost impossible to do using the UserApp Portal in a short period time.

The Role requests are created on: cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>. So, I created a LDIF for each request:

dn: cn=<AAAAMMDDHHMMSS>_<99999>,cn=Requests,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
objectClass: nrfRequest
objectClass: Top
cn: <AAAAMMDDHHMMSS>_<99999>
nrfStatus: 0
nrfCategory: <99>
nrfCorrelationId: LDIF#RoleRequest#AAAAMMDDHHMMSS
nrfDecisionDate: <AAAAMMDDHHMMSS>Z
nrfDescription: Granted by massive Bulk
nrfImmediate: TRUE
nrfOriginator: My Project
nrfRequester: cn=admin,ou=Administrators,ou=services,o=idv
nrfSourceDN: cn=<APPLICATION>_<99999>,cn=Level<99>,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApplication,<IDM_DRIVERSET>
nrfTargetDN: cn=TheIdentity,ou=Users,o=idv

I created a timestamp and a counter to create the DN for the Request. I created a timestamp and a counter to create the DN for the Request, because there were many Requests load and they must not have the same name. As my timestamp goes until seconds, I added a counter to solve it.

After the creation of these objects on Requests container, the RRSD identifies and grant all subroles, resources and Entitlements to the target user.

As I said before, I had to grant Roles to many Users in a short time. When IDM associates Entitlements to the User, the Driver is sensitized and try to provision that user.

So, it is important to pay attention and do some estimates to find the amount of requests that can be granted so the drivers can work (matches, associations, etc).

As strategy, it might be interesting to split the LDIF files in sub files, containing each one the maximum number of Entitlements that each driver can be process in a minute. And do a staged import of the files: one each minute.

0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply


  • afuhrmann says:

    Hi there

    I justed posted a new tool that probably could solve a lot of your issues. Have a look at PowerRole.



  • alancota says:

    My friend that article have helped me a lot!

    I wanna share with you something I figured out about automatic association and revoke of changed associated resources within a Role. Look that:


  • cpedersen says:

    Please be advised; NetIQ will not support any issues which are inherited from this.

    The only supported ways to import Role/Resources, and creating Associations are:
    – UserApp UI
    – Designer
    – REST / WebServices end-point

    If this comes up, it could result in a rip and replace….


  • belaie says:

    We had to do the same thing , and achieved it through the built-in webservice within userapplication. And it worked just great.

  • afuhrmann afuhrmann says:

    With the new version or PowerRole you can choose between two modes how to assign roles to users. Either the role assignment driver uses the build in “add role” and “add resource” functions or the driver creates the nrfRequest object by itself. The big difference is when the driver creates the nrfRequst object we can bypass the approval workflow. This can be very important because on an initial role assignment load, where you may assign thousands of roles to users, nobody really wants to approve all these role assignments. You can even define a prefix for the nrfRequest object the PowerRole driver is using so you can easily keep track of nrfRequest objects created by our driver. You can also define a static reason the driver sets on each role assignment. This way you have a footprint an each role assignment.

Feb 17, 2012
12:11 pm