Revoking Roles and Resources

By: ggilbe

May 5, 2011 12:26 pm

Introduction

A resource is any digital entity, such as a user account, computer, or database, to which a business user may require access. The Novell User Application provides a convenient way for end users to request the resources they need. With the introduction of the new Resource Module starting in RBPM 3.7, administrators can define resources and users can be assigned resources via a Resource Catalog.

Generally, resources are assigned or granted to a user based on roles, groups, or entitlements. It is also possible that additional resource assignments may be requested on a one-by-one basis. Over time, a user can have resources assigned via a variety of different ways.

Suppose we wanted to remove all the resources assigned to a user and we wanted to do it quickly such as in the event of a user termination. For roles, we can do this fairly easily with a workflow using the Role Request Activity. This activity uses the underlying Roles API of the Roles Based Provisioning Module engine. Unfortunately, for resources it is not quite as easy since RBPM 3.7/4.0 does not have a comparable Resource Request Activity. Therefore, this Cool Solution was written to describe how to get around this limitation by using Integration Activities to access resource methods available through the Resource Web Services API.

The following sections describe how to set up a workflow solution that will revoke all of a user’s Roles and Resources.

Setting up a Workflow to Revoke All Roles

The following workflow snippet (see Figure 1) shows the activities needed to revoke all roles assigned to a user. Each of the essential activities that make up this workflow is explained below.

Figure 1 – Revoking Roles Workflow

  1. Get Roles Assigned – In order to determine if a user has existing roles assigned, we can use the Role Vault API. The API includes a set of methods for reporting role assignments or determining whether a user is in a particular role. The Role Vault API can be accessed from any activity that has access to the ECMA Expression Builder. We use a Data Mapping activity to access the expression builder. The following figure shows the Role Vault and its available methods. In our case, we are only interested in the user method RoleVault.getRolesUserIn, whose result we assign to a flowdata variable in the Data Mapping activity.

    Figure 2 – Role Vault API

  2. Check If Roles Exist? – In the workflow, we use a Condition Activity to determine if the Role Vault returned any user assigned roles. The following expression in the Condition Activity is used to check if there are user assigned roles:
    (function () {
        // The engine always returns an object for 'roles', even when the user has
        // no roles, so the object itself cannot be used as the test.
        var roles = flowdata.getObject('roles');
        Packages.java.lang.System.out.println("ROLE OBJECT RETURNED: " + roles);

        // Check the first element instead; flowdata paths are 1-based, so it is roles[1].
        var role = flowdata.get('roles[1]');
        Packages.java.lang.System.out.println("FIRST ROLE: " + role);

        if (role != null && role != "") {
            Packages.java.lang.System.out.println("TOTAL ROLES FOUND: " + roles.size());
            return true;
        }
        return false;
    })();

    Check if Roles Exist

  3. Revoke All Roles – Without accessing the underlying Roles Based Provisioning Module (RBPM) APIs for manipulating user roles, we can automate the basic revoke role method using the “out-of-the-box” Role Request Activity in our workflow. Here we revoke all of the user’s roles by setting the Action to “Revoke” and providing the flowdata object containing the roles we retrieved in the Data Mapping Activity.

    Figure 3 – Role Request Activity Properties

Setting up a Workflow to Revoke All Resources

The following workflow snippet (see Figure 4 ) shows the activities needed to revoke all resources assigned to a user. Each of the essential activities that make up this workflow is explained below.

Figure 4 – Revoking Resources Workflow

  1. Get Resources Assigned – In order to determine if a user has existing resources assigned, we can use the underlying RBPM Resource Web Services for manipulating user resources. The Resource Web Service exposes methods of the resource model to allow manipulation of user resources. We can access Resource Web Services in the workflow by using an Integration Activity. There are several steps involved in setting up an Integration Activity to access the Resource Web Services:
    1. When adding the Integration Activity, you must import the Resource Service WSDL document. The document can be downloaded from the User Application resource URL: http://server:port/IDM/resource/service

      Figure 5 – WSDL Document URL

    2. After the WSDL is imported, click on the Integration Tab to display the Integration Activity Editor Interface. Right-click on the line below the “EXECUTE” line and select “Edit Action”.

      Figure 6 – Integration Activity Editor

    3. Click on the WSDL tab and enter the Endpoint Location: http://server:port/IDM/resource/service

      Figure 7 – Endpoint Location

    4. Click on the Connection tab and enter the Provisioning Admin User ID / Password.

      NOTE: The password field is evaluated as a string expression, so the password value must be enclosed in quotes.

      Next, choose getResourceAssignmentsForUser for the Resource Web Service SOAP action. This action will get all the user’s assigned resources.

      Figure 8 – Admin Credentials and SOAP Action

    5. From the workflow view, you need to populate the Data Mappings for the Integration Activity. On the pre-activity mapping, you must provide the user recipient for the Web Service input field.

      Figure 9 – Integration Pre-Activity Data Mapping

    6. On the post-activity mapping, you will retrieve the resource results in the Web Service output field.

      Figure 10 – Integration Post-Activity Data Mapping

  2. Initialize Counter – After retrieving the user’s assigned resources using the Integration Activity, we can now iterate through each resource and revoke them one at a time. In order to keep track of the iteration count, you need to determine the total count of resources that have been returned using a Data Mapping Activity.
    (function () {
        // Node-set of every resourceDn in the SOAP result returned by the
        // Integration Activity (named Activity10 here), one entry per assignment.
        var resources = flowdata.getObject('Activity10/getResourceAssignmentsForUserOutput/getResourceAssignmentsForUserResponse/result/resourceassignment/resourceDn');
        var totalResources;

        if (resources) {
            totalResources = resources.size();
            Packages.java.lang.System.out.println("TOTAL RESOURCES FOUND: " + totalResources);
        } else {
            totalResources = 0;
        }

        return totalResources;
    })();

    Total Resources Retrieved

  3. Check If More Resources? – In the workflow, we use a Condition Activity to determine if there are more resources to process:
    function getResource() {
        // totalResources was stored by the Initialize Counter activity; count is the
        // 1-based iterator, matching the [n] index syntax of flowdata paths.
        var totalResources = Number(flowdata.get('totalResources'));
        var i = Number(flowdata.get('count'));

        if (totalResources >= i) {
            Packages.java.lang.System.out.println("REVOKING RESOURCE [" + i + "] = "
                + flowdata.get('Activity10/getResourceAssignmentsForUserOutput/getResourceAssignmentsForUserResponse/result/resourceassignment[' + i + ']/resourceDn'));
            return true;
        }
        return false;
    }

    getResource();

    Check if more Resources

  4. Revoke Resources – In order to revoke existing resources assigned, we can use the underlying RBPM Resource Web Services. We can access Resource Web Services in the workflow by using an Integration Activity. There are several steps involved in setting up an Integration Activity to access the Resource Web Services. Repeat steps 1a – 1c above to set up the Integration Activity.
    1. Click on the Connection tab and enter the Provisioning Admin User ID / Password.

      NOTE: The password field is evaluated as a string expression, so the password value must be enclosed in quotes.

      Next, choose requestResourceRevoke for the Resource Web Service SOAP action. This action will revoke the user’s assigned resource.

      Figure 11 – Admin Credentials and SOAP Action

    2. From the workflow view, you need to populate the Data Mappings for the Integration Activity. On the pre-activity mapping, you must provide the resourceDN, initiator, recipient, reason, requestParams, and instanceGuid, for the Web Service input fields. For the revoke action, there are no post-activity mappings.

      Figure 12 – Integration Pre-Activity Data Mapping

  5. Increment Counter – Each time this Integration Activity in the previous step is executed, a user resource is revoked. Therefore, to revoke the next user assigned resource, we must increment the iterator. A Data Mapping Activity is used to increment the flowdata variable counter.
    // Advance the 1-based iterator to the next assigned resource.
    Number(flowdata.get('count')) + 1;

    Increment Counter

    The workflow will continue to loop through each resource until there are no longer any resources to revoke.
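    The following stand-alone Node.js model is an added example; it is not code from the article or from the RBPM product. It serves both the “Check If Roles Exist?” condition in the roles section and the counter-driven resource loop above. makeFlowdata is an assumed stand-in for the engine’s flowdata object: it resolves XPath-style paths with 1-based [n] indices and returns node-sets as JavaScript arrays (the real engine returns Java Lists, hence size() in the article and length here). The names rolesExist, countResources, moreResources, revokeAllResources and sampleStore, and every DN in the sample data, are constructed for this example.

```javascript
// Added example (not the article's or RBPM's code): a Node.js model of the
// flowdata lookups and the loop logic used by the roles/resources workflows.
// makeFlowdata() is a constructed stand-in for the engine's flowdata object.

const RESULT_PATH = 'Activity10/getResourceAssignmentsForUserOutput/'
  + 'getResourceAssignmentsForUserResponse/result';

function makeFlowdata(store) {
  // Walk 'a/b[2]/c' over a plain object tree. Each step selects the named child
  // of every node in the current set; an optional [n] keeps only the n-th match
  // (1-based, like the [n] index used in the workflow's flowdata paths).
  function resolve(path) {
    let nodes = [store];
    for (const step of path.split('/')) {
      const m = /^([^\[\]]+)(?:\[(\d+)\])?$/.exec(step);
      if (!m) return [];
      let next = [];
      for (const n of nodes) {
        if (n === null || typeof n !== 'object') continue;
        const child = n[m[1]];
        if (child === undefined) continue;
        next = next.concat(Array.isArray(child) ? child : [child]);
      }
      if (m[2] !== undefined) next = next.slice(Number(m[2]) - 1, Number(m[2]));
      nodes = next;
    }
    return nodes;
  }
  return {
    // get(): first matching value as a string, or null when nothing matches
    get: (path) => (resolve(path).length ? String(resolve(path)[0]) : null),
    // getObject(): the whole node-set; always an object, even when empty
    getObject: (path) => resolve(path),
    set: (name, value) => { store[name] = value; },
  };
}

// "Check If Roles Exist?": the object returned for 'roles' is never null, so
// the condition tests the first element (1-based index) instead.
function rolesExist(flowdata) {
  const role = flowdata.get('roles[1]');
  return role !== null && role !== '';
}

// "Initialize Counter": one resourceDn per assignment in the SOAP result.
function countResources(flowdata) {
  const resources = flowdata.getObject(RESULT_PATH + '/resourceassignment/resourceDn');
  return resources ? resources.length : 0;
}

// "Check If More Resources?": continue while the 1-based iterator is in range.
function moreResources(flowdata) {
  const totalResources = Number(flowdata.get('totalResources'));
  const i = Number(flowdata.get('count'));
  return totalResources >= i;
}

// Drives the whole loop: initialize, check, revoke (via the supplied callback,
// standing in for the requestResourceRevoke Integration Activity), increment.
// Returns the resourceDn values in the order they would be revoked.
function revokeAllResources(flowdata, revoke) {
  flowdata.set('totalResources', countResources(flowdata));
  flowdata.set('count', 1); // start at 1 to match the [n] path index
  const revoked = [];
  while (moreResources(flowdata)) {
    const i = flowdata.get('count');
    const dn = flowdata.get(RESULT_PATH + '/resourceassignment[' + i + ']/resourceDn');
    revoke(dn);
    revoked.push(dn);
    flowdata.set('count', Number(flowdata.get('count')) + 1);
  }
  return revoked;
}

// Constructed sample of what the workflow sees for one recipient: one role and
// three resource assignments (all DNs are placeholders, not real entries).
function sampleStore() {
  const assignment = (dn) => ({ resourceDn: dn, recipientDn: 'cn=sampleuser,ou=users,o=sample' });
  return {
    roles: ['cn=SampleRole,cn=Level10,cn=RoleDefs,o=sample'],
    Activity10: { getResourceAssignmentsForUserOutput: { getResourceAssignmentsForUserResponse: {
      result: { resourceassignment: [
        assignment('cn=SampleVPN,cn=ResourceDefs,o=sample'),
        assignment('cn=SampleMailbox,cn=ResourceDefs,o=sample'),
        assignment('cn=SampleBadge,cn=ResourceDefs,o=sample'),
      ] },
    } } },
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const fd = makeFlowdata(sampleStore());
  console.log('roles exist:', rolesExist(fd));
  console.log('revoked:', revokeAllResources(fd, (dn) => console.log('revoke', dn)));
}
```

    Running the model shows why the two checks are written the way they are: an empty node-set is still an object, so only roles[1] distinguishes “no roles” from “some roles”, and starting count at 1 with the condition totalResources >= count visits every assignment exactly once and stops cleanly when the user has none.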

Testing Your Workflow to Revoke all Roles and Resources

The following section shows an example of what to expect after building the workflow to revoke all roles and resources as described in the previous sections.

  1. To test your workflow, select a user that has existing roles and resources assigned.

    Figure 13 – User with Roles and Resources

    Depending on how you set up the workflow, you may decide to run it as a self-service process request or as a team process request initiated by the user’s team manager or an administrator. The workflow could also be initiated via a driver. In any case, the recipient of the request is the user whose roles and resources are revoked.

  2. Once the workflow is submitted, you can trace the workflow actions in the JBoss server log:

    Figure 14 – Server Log – Roles

    Figure 15 – Server Log – Resources

  3. After the workflow has completed, you can display the user’s Work Dashboard and click refresh on the Role and Resource Assignment panels to verify that there are no roles and resources assigned any longer.

    Figure 16 – User with Roles and Resources Removed

Summary

The above methods for revoking roles and resources should be thoroughly tested in your test environment prior to releasing them into your production environment. It is anticipated that the new RBPM release 4.01 will provide a new Resource Activity in the matching Designer version. In that case, the Integration Activities will no longer be necessary, and revoking resources can be achieved in the same way we revoke roles as explained in this article.

An XML export of the “Revoke Roles and Resources” workflow can be found at http://www.netiq.com/communities/media/revokeallrolesandresources.zip.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By:6525036

    This cool solution has to be the coolest solution ever. Nice explanations, nice examples. And I needed the info and everything works.
    Thank you very much, your work is greatly appreciated.
