Symantec IGA

Expand all | Collapse all

Execute policyXpress before an event to assign provisioning role

Jump to Best Answer
  • 1.  Execute policyXpress before an event to assign provisioning role

    Posted 05-02-2018 06:18 AM

    Hello,

     

    I'm facing a problem when I try to execute a policyXpress before an event.

     

    Here is my use case :

     

    I have two custom connectors linked to 2 Account Templates (1 each) and 2 Provisioning Roles (1 each):
       o Jupiter --> Jupiter_GDA_Role (main role triggered manually)
       o GDA --> GDA_Role (secondary role triggered by policyXpress)

     

    I have created a policy which starts before AssignProvisioningRoleEvent. I have configured the action rule to assign GDA_Role to the user when the name of the role I first give (Jupiter_GDA_Role) contains "_GDA_". When I assign Jupiter_GDA_Role to the user, the policy starts and the GDA_Role is also assigned but not always on the order we expect.

     

     

    I would like to first assign Jupiter_GDA_Role which should start the policyXpress. This policyXpress should assign the GDA_Role first and THEN the Jupiter_GDA_Role (only on the success of the previous action if possible).

     

     

    I also tested the solution with two PX (1 for each role): I used two PX triggered using EMPTY_JUPITER_GDA_ROLE (not linked to any connector):

       o If this role contains "_GDA_", we start PX1 to assign GDA_Role (priority=0 highest priority task)

       o If this role contains "JUPITER_", we start PX2 to assign JUPITER_Role (priority=1)

     

    It seems we don't have control over the execution order of the two PX.

     

    Do you know what could be the reason why it doesn’t work or do you have any other way to implement this ?

     

     

    Regards,
    Nassim



  • 2.  Re: Execute policyXpress before an event to assign provisioning role

    Posted 05-04-2018 08:56 AM

    I think you might be best served by opening a support case so that logs/configuration can be reviewed further.



  • 3.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted 05-08-2018 03:11 AM

    Support has asked for the this thread to be raised, as part of a Support case, as dealing with a specific onsite customization query.



  • 4.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted 05-04-2018 11:49 AM

    Hi Nassim,

     

    You can control the execution order of PXs but you can’t control execution of actual events that perform your actions. PXs performs actions in form of triggering events. Events are executed in asynchronous phase. Events that you see in "View Submitted Tasks" are asynchronous, i.e. events are executing regardless of waiting for prior events to finish. What you are looking for is a synchronous behavior.

     

    You might have to try executing 2 PXs at different trigger points that are very away for e.g. PX1 on "After" on "ModifyUserEvent" and PX2 on "Task Completion". There is no guarantee that will always give you synchronous behavior.

     

    If it doesnt work then you can try introducing a delay in PX if you are on new versions.

     

    Another option is to have a loop in PX. PX1 will execute same way i.e. "After" on "ModifyUserEvent" and then have loop in PX2. PX2 will check if user has account linked for the endpoint Jupiter, then only assign 2nd provisioning role. If user doesnt have account linked for the endpoint Jupiter, then restart the PX. Please make sure this PX runs in loop for a finite number of times such as 10 times.Please let me know if you want to try this option, I can give you an example of PX. This method will give you more certainty of achieving synchronous behavior.

     

    Last option is to use custom code to call JIAM API. JIAM API will definitely give you synchronous behavior. 

     

    Thanks,

    Praveen Jain

     

     

    RinatM

    #Sequenced Provisioning

    #Loop in PX

    #Synchronous PX



  • 5.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted 05-04-2018 03:36 PM

    Hi Nassim,

     

    I have uploaded one example of FOR looping in PX here.

     

    Example - FOR looping in PX 

     

    Thanks,

    Praveen Jain



  • 6.  Re: Execute policyXpress before an event to assign provisioning role

    Posted 05-15-2018 11:11 AM

    Hi Praveen,

     

    Thank you for your answer.

    I'm using 12.6.8 version.

     

    The option with loop PX seems more efficient. But I already tried to check if user has an account linked to Endpoint using PX based on "AssignProvisioningRoleEvent" and the result was empty. I was able to get a user's account linked to EndPoint only when I used "ModifyUserEvent" and I don't have this event when I try to assign provisioning roles to a user. Do you know how to get the endpoint account name when we assign provisioning role event?

     

    For the last option (JIAM API) do you have an example of how it works?

     

    Regards

    Nassim



  • 7.  Re: Execute policyXpress before an event to assign provisioning role

    Broadcom Employee
    Posted 05-15-2018 01:43 PM

    Hi Nassim,

     

    Do you have a "profile" tab in your admin task? ModifyUserEvent will get triggered if you have "profile" tab. here is how it looks like -

     

     

    You have 2 options to trigger ModifyUserEvent explicitly. 

     

    1. Modify a physical or logical attribute in "profile" screen manually or programmatically(PX or code).

    2. Select this checkbox on "profile" tab. It will definitely trigger ModifyUserEvent even if no attribute has been changed. 

     

    You can even hide this tab if you dont want user to see "profile" tab by selecting check-box "Hide tab"

     

    Now you can run your PXs on ModifyUserEvent following approach that I shared in earlier note.

     

    Please let me know if it doesnt work for you. I can share the JIAM API code in that case.



  • 8.  Re: Execute policyXpress before an event to assign provisioning role
    Best Answer

    Posted 05-23-2018 05:26 AM

    Hi Praveen,

     

    I have enabled "Always generate event" option, I could start PXs depending on "ModifyUserEvent" but, I noticed that IM first gathers all the actions of the PXs related to a task, including actions of each iteration in "FOR" loop and executes them thereafter. I realized this by increasing the MaxCounter = 1000 (~ 1 minute of waiting) and I have 1 minute wait before the execution of the two PXs. Event when JUPITER_PX depend on GDA_PX, like in this example:

    • PX_GDA: priority=0 execution=|Before|AssignProvisioningRoleEvent|
      • Action1: assign GDA role and trigger ModifyUserEvent
    • PX_JUPITER: priority=99 exécution=|After|ModifyUserEvent|
      • Action1: initialisation compteur=0
      • Action2: if GDA_Account not null --> log endPX et assign JUPITER role
      • Action3: if counter<30 (MaxCounter) reruns PX_GDA else --> EndPX

     

    Another point, I think both PXs should be executed in two different tasks. In JUPITER_PX I do not have access to the GDA account name even if I wait for infinite time. But when I run them separately, the "if GDA Account not null" condition is checked and the Jupiter role is assigned to the user.

     

    You can find attached my PXs.

     

    PX_GDA:

    PX_GDA

     

    PX_JUPITER:

     

    Regards,

    Nassim

    Attachment(s)

    zip
    PX_GDA.xml.zip   1K 1 version
    zip
    PX_JUPITER.xml.zip   1K 1 version