3.2 User Application Cannot Add or Remove Users from Roles if the User Has Numerous Role Assignments

Issue: When a new parent role that has a child role is assigned to a user, the nrfInheritedRoles attribute on the user stores the requester and approval information describing how the child role is mapped to the parent role. If the child role is mapped to numerous parent roles (say 100) and all of them are assigned to the same user, the attribute value exceeds the threshold size limit, and new assignments cannot be created for the user.

Workaround: Add driver configuration settings to the Role and Resource Service Driver so that it adds the assignment details only if the configuration value is enabled.

Perform the following actions:

  1. Log in to iManager.

  2. Navigate to Identity Manager Overview and select a driver set.

  3. In the Driver Set Overview, click the Role and Resource Driver and select Stop Driver to stop the Role and Resource Service Driver.

  4. Click Role and Resource Driver and select Edit Properties.

  5. Navigate to Driver Configuration > Driver Parameters, and then click Edit XML.

  6. In Driver Parameters (XML), select the Enable XML editing check box.

  7. Add the following entries to the definitions section.

    <definition display-name="Disable adding assignment details to nrfInheritedRoles attribute" id="115" name="disable-inherited-roles-cause" type="boolean">
      <description>This setting disables the update of requester information in the nrfInheritedRoles attribute.</description>
      <value>true</value>
    </definition>
    <definition display-name="Disable adding assignment details to nrfGroupRoles and nrfContainerRoles attribute" id="116" name="disable-group-container-cause" type="boolean">
      <description>This setting disables the update of requester information in the nrfGroupRoles and nrfContainerRoles attributes.</description>
      <value>true</value>
    </definition>

  8. Click OK. Click Apply and then OK.

  9. Stop eDirectory.

    ndsmanage stopall

  10. Update the jar file to the latest version.

    Windows: Navigate to the extracted folder of the Role and Resource Service Driver and copy the nrfdriver.jar file to the <Identity Vault installation path>\eDirectory\lib directory. For example, /opt/novell/eDirectory/lib/dirxml/classes

    Linux: Install the new RPMs by running the following command:

        rpm -Uvh <Driver Patch Directory>/linux/netiq-DXMLrrsd.rpm

  11. Start eDirectory.

    ndsmanage startall
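
A hand-edited Driver Parameters XML is easy to get wrong, so the check below verifies the result of step 7 before the driver is restarted. It is an added example, not part of the product or of this document's original procedure. It assumes the XML from the Edit XML dialog has been copied into a string; the wrapper elements in the sample are constructed, and the function name check_driver_params is hypothetical.

```python
import xml.etree.ElementTree as ET

# The two settings from step 7; both must be boolean definitions set to true.
REQUIRED = ("disable-inherited-roles-cause", "disable-group-container-cause")

def check_driver_params(xml_text):
    """Return a list of problems found in the Driver Parameters XML text."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"XML is not well-formed: {exc}"]
    problems = []
    defs = list(root.iter("definition"))
    for name in REQUIRED:
        found = [d for d in defs if d.get("name") == name]
        if len(found) != 1:  # missing, or pasted more than once
            problems.append(f"{name}: expected 1 definition, found {len(found)}")
            continue
        d = found[0]
        if d.get("type") != "boolean":
            problems.append(f"{name}: type is {d.get('type')!r}, expected 'boolean'")
        value = (d.findtext("value") or "").strip()
        if value != "true":
            problems.append(f"{name}: value is {value!r}, expected 'true'")
    # Assumption of this example: an id shared by two definitions is a paste error.
    seen = {}
    for d in defs:
        ident = d.get("id")
        if ident is not None and ident in seen:
            problems.append(f"id {ident} used by both {seen[ident]} and {d.get('name')}")
        seen.setdefault(ident, d.get("name"))
    return problems

# Constructed sample input: wrapper elements and short display names are assumed.
SAMPLE = """<configuration-values><definitions>
<definition display-name="Inherited roles" id="115"
    name="disable-inherited-roles-cause" type="boolean"><value>true</value></definition>
<definition display-name="Group and container roles" id="116"
    name="disable-group-container-cause" type="boolean"><value>true</value></definition>
</definitions></configuration-values>"""

if __name__ == "__main__":
    for line in check_driver_params(SAMPLE) or ["OK: both settings present and enabled"]:
        print(line)
```

An empty list means both definitions are present once, typed as boolean, and set to true.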