Symantec IGA

Triggering Policies from BLTH

  • 1.  Triggering Policies from BLTH

    Posted Aug 08, 2016 06:34 AM


    Hi All,

     

    How can we trigger any policies (PX or Identity) from BLTH? As per our requirement, the code needs to trigger an identity policy before exit. Is there a specific method/function/class that needs to be invoked for this?

     

    Thanks,

    Vasu



  • 2.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Aug 08, 2016 11:34 PM

    You can't directly trigger PX from BLTH, but you can take some action from BLTH that can be used as a condition to trigger PX. For example: from BLTH you set user attribute "zipcode" = 1234, then PX is executed on "Task Completion" with entry rule "zipcode" = 1234.



  • 3.  Re: Triggering Policies from BLTH

    Posted Aug 09, 2016 02:10 AM

    Can we execute any identity policy from BLTH? As per our requirement, the BLTH sets the value for attribute "IsManager=Y" and based on that the identity policy needs to assign a specific application role. BLTH is able to set this attribute, but the policy is not able to assign the role to the userID.



  • 4.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Aug 09, 2016 01:54 PM

    Hi Verma,

     

    As said before you can't execute a PX or Identity Policy directly from within your BLTH java code. There is no such API for you to call. You may post an idea for future enhancement for that.

     

    What you will need to do is make sure you account for the data flow of your use case, where your BLTH will need to execute first and set a value to an attribute that will later take part in your policy. This, in itself, is not enough. You also need to make sure that the event that triggers your policy will trigger only after your BLTH. This will guarantee that your attribute value will be in sync and the data flow will execute correctly.

     

     

    I hope this helps. This is not very straightforward or ideal.

     

    Thanks,

    Sagi



  • 5.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Aug 09, 2016 02:08 PM

    Every task has a synchronous state and an asynchronous state. Until you hit submit, your task is in the synchronous state. Once you hit submit, the task goes to the async state and breaks down into events. BLTH works in the sync state of the task. There are many ways you can assign your role. Here are some examples:

     

    1) Set "IsManager=Y" from BLTH then trigger PX on event state "After".

    2) Set "IsManager=Y" from BLTH then trigger PX on "Task Completion".

    3) Set "IsManager=Y" from BLTH then assign role within BLTH itself.

     

    What kind of task are you performing? Is it modify user task?



  • 6.  Re: Triggering Policies from BLTH

    Posted Aug 10, 2016 06:05 AM

    Hi Praveen,

     

    It needs to execute for both modify and create user task.

     

    Let me educate you about the requirement.

    Suppose we create a new user or modify an existing user, say "user1", in IDM and set "user2" as his manager. IDM should set "IsManager=Y" for "user2" and make "user2" a member of the Admin Role "SuperVisors". The code which we have developed is able to set "IsManager=Y" for user2, but we are struggling in making user2 a member of the admin role because the task executed is for "user1", so the synchronisation done is for user1 only. We tried creating an Identity Policy allowing users with "IsManager=Y" to be members of the Admin Role "SuperVisors", but didn't have any luck.

     

    Thanks

    Vasu



  • 7.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Aug 10, 2016 07:12 AM

    If you are able to set user2's IsManager from BLTH then you don't need to write any additional policy to make him a member of admin role SuperVisors. Just modify the member policy of the admin role to "IsManager=Y". As soon as user2's IsManager is updated, the user will become a member of admin role SuperVisors.



  • 8.  Re: Triggering Policies from BLTH

    Posted Aug 10, 2016 07:48 AM

    Hi Praveen,

    We did try this, but the problem is, when user2's "IsManager" value is cleared, meaning user2 is no longer the manager of anyone, the Admin role is still assigned to the user. We checked the value of the IsManager attribute in LDAP; it was cleared. So now IDM should not assign the SuperVisors admin role.

     

    Thanks,

    Vasu



  • 9.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Aug 10, 2016 11:27 AM

    You can go with option #3 as well. Assign/remove the admin role from BLTH itself. Here is some sample code you can try:

     

    AdminRoleProvider adminRoleProvider = new AdminRoleProvider();
    // look up the admin role by name
    AdminRole adminRole = adminRoleProvider.findAdminRole("SuperVisors");
    // add the task's subject user to the role
    blthContext.getUser().makeRoleMember(adminRole);



  • 10.  Re: Triggering Policies from BLTH

    Posted Aug 11, 2016 03:23 AM

    Thanks for sharing the piece of code.

    My concern with this code is that, since we are updating user1's attributes, blthContext.getUser() will fetch the user as user1, but the Admin role needs to be assigned to user2. Now if we go ahead with this code, when user1 is modified, the code will assign the "SuperVisor" admin role to user1. Can we specify for which user the role needs to be assigned?



  • 11.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Aug 14, 2016 10:25 PM

    You can use the same API method makeRoleMember() on the same user object that you are using to update user2's attribute.



  • 12.  Re: Triggering Policies from BLTH

    Posted Aug 23, 2016 03:54 AM

    Hi Vasu,

    If I got your question right, you can assign the role to user2 like this:

     

    UserProvider userProv = blthContext.getUserProvider();
    // look up user2 by unique/friendly name, independent of the task's subject
    User user2 = userProv.findUser("user2", null);

    AdminRoleProvider adminRoleProvider = new AdminRoleProvider();
    AdminRole adminRole = adminRoleProvider.findAdminRole("SuperVisors");
    // assign the role to user2, not to blthContext.getUser()
    user2.makeRoleMember(adminRole);

     

    Regards,

    Arij



  • 13.  Re: Triggering Policies from BLTH

    Posted Aug 31, 2016 07:34 AM

    Hi Arij,

     

    I tried the above code but it is not able to search the user user2.



  • 14.  Re: Triggering Policies from BLTH

    Posted Aug 31, 2016 03:30 PM

    Hi Vasu,

     

    The findUser method takes as its first parameter the unique or friendly name of the Global User you are trying to search for.

     

    See the following Java Doc for more info:

    https://support.ca.com/cadocs/0/CA%20IdentityMinder%2012%206%203-ITA/Bookshelf_Files/javadoc-im/index.html

     

    Import the following packages:

    import com.netegrity.imapi.*;

    import com.netegrity.llsdk6.imsapi.managedobject.User;

    import com.netegrity.llsdk6.imsapi.provider.UserProvider;

    import com.netegrity.llsdk6.imsapi.type.ObjectType;

     

    If it still doesn't work, then please share your code.

     

    Regards,

    Arij



  • 15.  Re: Triggering Policies from BLTH

    Posted Sep 01, 2016 03:51 AM

    Hi Arij,

     

    findUser() is able to find the user, but no action can be performed on the returned user. PFB my code.

     

    /* **************************************************************************************
    User user2 = blthContext.getUserProvider().findUser("UserTobeSearched",null); // working
    user2.addValueToAttribute("mobile","0123456789"); // not working
    user2.setAttribute("street","abcdef"); // not working

    AdminRoleProvider adminRoleProvider = blthContext.getAdminRoleProvider();
    AdminRole adminRole = adminRoleProvider.findAdminRole("Supervisors");

    user2.makeRoleMember(adminRole); // not working

    **************************************************************************************** */

     

    I tried searching for user name "qwerty" and the output was: [qwerty] uid=qwerty,ou=people,ou=users,dc=users,dc=com

     

     

    Thanks,

    Vasu



  • 16.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Sep 01, 2016 07:04 AM

    I think you mentioned before that you were able to set the isManager attribute of user2.


    Anyway, I think you need to commit the changes done to the user2 object with the following code at the end:


    user2.modifyObject(); // writes the pending attribute and role changes


    Thanks,

    Praveen



  • 17.  Re: Triggering Policies from BLTH

    Posted Sep 02, 2016 07:20 PM

    Yes, Praveen is correct. That would immediately reflect the changes.

     

    Also, make sure that the attributes you are modifying are present on the profile screen.



  • 18.  Re: Triggering Policies from BLTH

    Posted Sep 05, 2016 06:46 AM

    Thanks, it worked.

     

    Also, can you log the tasks performed by objects?



  • 19.  Re: Triggering Policies from BLTH

    Broadcom Employee
    Posted Sep 05, 2016 09:07 AM

    Do you mean server logs? Yes, all API methods are logged. You can add custom log messages using the following methods:

    logWarningMessage - prints the log message at WARN level, which is the default level.

    logDebugMessage - prints the log message at DEBUG level. You will have to turn on DEBUG logging to see these messages.


    One more thing: you will lose auditing by making User Provider calls, because User Provider doesn't generate events.
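The find-user, assign-role, commit sequence that posts 12, 16 and 17 converge on, written out as one handler that also covers the "flag cleared" case from post 8 and the audit gap from post 19. This is an added example, not code from the thread or from the product; the BLTHAdapter/handleSubmission hook, the attribute names "manager" and "IsManager", logWarningMessage living on BLTHContext, and the removeRoleMember method name are assumptions to check against the Javadoc linked in post 14.

```java
import com.netegrity.imapi.BLTHAdapter;
import com.netegrity.imapi.BLTHContext;
import com.netegrity.llsdk6.imsapi.managedobject.AdminRole;
import com.netegrity.llsdk6.imsapi.managedobject.User;
import com.netegrity.llsdk6.imsapi.provider.AdminRoleProvider;
import com.netegrity.llsdk6.imsapi.provider.UserProvider;

// Runs in the synchronous phase of the Create/Modify User task for user1 and
// keeps user2 (user1's manager) in sync with the "SuperVisors" admin role.
public class ManagerRoleSyncBLTH extends BLTHAdapter {   // hook class: assumption

    private static final String ROLE_NAME = "SuperVisors";
    private static final String FLAG_ATTR = "IsManager";   // site-specific: assumption
    private static final String MANAGER_ATTR = "manager";  // site-specific: assumption

    @Override
    public void handleSubmission(BLTHContext blthContext) throws Exception {
        String managerName = blthContext.getUser().getAttribute(MANAGER_ATTR);
        if (managerName == null || managerName.trim().isEmpty()) {
            return;  // user1 has no manager on this task: nothing to sync
        }
        syncSupervisorRole(blthContext, managerName.trim(), true);
    }

    // isManager=true grants the flag and the role; false clears both. Reusable from
    // whatever logic decides that user2 no longer manages anyone (post 8).
    static void syncSupervisorRole(BLTHContext ctx, String managerName, boolean isManager) throws Exception {
        UserProvider userProv = ctx.getUserProvider();
        User user2 = userProv.findUser(managerName, null);  // unique/friendly name (post 14)
        if (user2 == null) {
            // UserProvider calls bypass the event pipeline (post 19), so the only
            // audit trail of this decision is what the handler writes itself.
            ctx.logWarningMessage("ManagerRoleSync: manager '" + managerName + "' not found");
            return;
        }
        AdminRoleProvider roleProv = ctx.getAdminRoleProvider();
        AdminRole role = roleProv.findAdminRole(ROLE_NAME);
        if (isManager) {
            user2.setAttribute(FLAG_ATTR, "Y");
            user2.makeRoleMember(role);
        } else {
            user2.setAttribute(FLAG_ATTR, "");
            user2.removeRoleMember(role);  // ASSUMED method name: verify in the Javadoc
        }
        user2.modifyObject();  // commit; without this nothing is written (post 16)
        ctx.logWarningMessage("ManagerRoleSync: " + ROLE_NAME + (isManager ? " granted to " : " revoked from ")
                + managerName + " by task on " + ctx.getUser().getAttribute(MANAGER_ATTR));
    }
}
```

Because the role change happens outside the event pipeline, keep the WARN-level line above: it is the only record an auditor will find of who received or lost SuperVisors and why.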