Symantec IGA

  • 1.  Unable to see the CA IDM roles in siteminder

    Posted May 15, 2018 08:42 AM

    Experts,

    I have followed the below steps to enable access roles for use with SiteMinder.

    Follow these steps:

    1. Open the Management Console.
    2. Select Environment, Your Environment, Advanced Settings, Miscellaneous.
    3. Add a property by providing the following information:
      • In the Property field, enter the following text:
        EnableSMRBAC
      • In the Value field, enter the following text:
        true
    4. Click Add. Then, click Save.
      A message appears indicating that the environment needs to be restarted.
    5. Click Restart Environment.

     

    Post this, I have added the IDM environment in the domains>policy, but I am unable to see the access roles from CA IDM.

    Am I missing anything here?

    Attached the snapshot below.

     

    Thanks,

    Shivam



  • 2.  Re: Unable to see the CA IDM roles in siteminder
    Best Answer

    Broadcom Employee
    Posted May 15, 2018 03:48 PM

    I have noticed this behavior if you have created IDM roles before enabling the EnableSMRBAC.

    Can you create a new role now and check whether it is reflected or not?

    Additionally, you can verify the SM database tables for IM-related stuff,

    i.e. the IMSROLE6, IMSTASK6 and IMSROLETASK6 role tables have the entries related to your IDM task.

    Check the following image: here "IMSROLE6" and "IMSTASK6" have entries, but the role and task mapping table "IMSROLETASK6" was missing those entries.

    Either you create these missing entries manually or recreate those roles and tasks again in the IM console.



  • 3.  Re: Unable to see the CA IDM roles in siteminder

    Broadcom Employee
    Posted May 16, 2018 01:49 AM

    Also, verify that in the "CA Identity Manager Environments screen" you have unchecked the "Disable Policy Store Update" checkbox before you start creating a new IDM role and task.



  • 4.  Re: Unable to see the CA IDM roles in siteminder

    Posted May 17, 2018 05:40 AM

    Thanks kumsa29

    I was able to see the IDM roles after creating the new one. Is this a bug?

    Also, can we use CA IDM provisioning roles in CA SSO, or can we only use CA IDM access roles in CA SSO?

    Thanks again.

    Shivam



  • 5.  Re: Unable to see the CA IDM roles in siteminder

    Broadcom Employee
    Posted May 17, 2018 02:24 PM

    I think this behavior is by design rather than a bug. Access role and task mapping should be published after you enable the "Policy Store Update" flag. Having said that, you should still open an enhancement request for the reconciliation of role and task mapping, and I do see value in such functionality, especially in scenarios where SSO integration is pitched into the IDM solution later on.

    CA SSO uses the access role rather than the provisioning role.

    Reason: Access role and task need to be correlated via the application ID, and this application ID is used by SSO to evaluate the access role and task for an application.