Trustee rights assignment to UserApp workflows does not work

  • 7002828
  • 25-Mar-2009
  • 26-Apr-2012

Environment

Novell Identity Manager 3.5
Identity Manager User Application

Situation

  • Workflow limited to a single management group
  • Several user accounts not in the management group can see and execute the workflows

Resolution

The User Application lists every workflow the user has eDirectory rights to see, whether or not that user, or a group the user belongs to, was explicitly named as a trustee in Designer or iManager. The user accounts in question had inherited rights to the cn=requestdefs.cn=appconfig structure of the User Application driver from an assignment higher in the tree. That container structure is common to all User Application driver deployments and is the immediate parent of the workflow objects in eDirectory. Because the users had rights to that parent container, the query for workflows returned all workflows, even though the administrator had never granted them on the workflow objects themselves.

Removing these rights resolved the issue.

Additional Information

How do I specify access rights to a workflow object?

The User Application Administrator's guide covers setting up access rights to a workflow here:

https://www.novell.com/documentation/idm35/agpro/data/b2ifsaq.html#b2ifsce


How else can a user get rights to a workflow object?

Using the user interface ensures that a given user or group has rights to the workflow, but it does not prevent anyone else from obtaining rights to it indirectly. One way to find who else may have access to a workflow is to walk in iMonitor from the workflow object up to the root of the tree, noting at each level the ACL assignments that will be inherited (those whose scope covers the subtree, unless an inherited rights filter further down blocks them).

For more information on how effective rights are calculated and how to block effective rights, refer to the eDirectory Administration Guide:

https://www.novell.com/documentation/edir88/edir88/index.html?page=/documentation/edir88/edir88/data/fbachifb.html
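
The walk described in the previous two paragraphs, as an added example that is not part of this TID or of the product: a small Python script that takes the ACL values, in the eDirectory LDAP syntax privileges#scope#subjectname#protectedattrname, of each object between the top of the tree and the workflow, applies any inherited rights filters on the way down (an IRF is stored as an ACL whose subject is [Inheritance Mask]) and reports which trustees end up with rights on the workflow and where each right was granted. The tree, DNs and ACL values are constructed for the example; the privilege bit values and the rule that a new assignment for the same trustee and attribute replaces the inherited one follow the eDirectory administration documentation and are assumptions of the script; group membership and security equivalence are not expanded.

```python
"""Walk the eDirectory tree above a workflow object and report who ends up
with rights on it. Example code, not part of the TID or the product.

ACL values are in the eDirectory LDAP syntax
    privileges#scope#subjectname#protectedattrname
scope is "entry" (this object only) or "subtree" (this object and below).
Privilege bits (assumed from the eDirectory LDAP ACL documentation):
    [Entry Rights]    1 Browse, 2 Add, 4 Delete, 8 Rename, 16 Supervisor
    attribute rights  1 Compare, 2 Read, 4 Write, 8 Self, 32 Supervisor
An Inherited Rights Filter (IRF) is an ACL whose subject is
"[Inheritance Mask]"; its privileges are the bits allowed to pass down.
"""

ENTRY = "[Entry Rights]"
ALL_ATTRS = "[All Attributes Rights]"
IRF_SUBJECT = "[Inheritance Mask]"
ENTRY_BITS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_BITS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor"}


def parse_acl(value):
    """Split one ACL value into its four fields."""
    priv, scope, subject, attr = value.split("#", 3)
    return {"privileges": int(priv), "scope": scope.lower(), "subject": subject, "attr": attr}


def right_names(bits, attr):
    """Human-readable names for a privilege bitmask on the given attribute."""
    table = ENTRY_BITS if attr == ENTRY else ATTR_BITS
    names = [name for bit, name in table.items() if bits & bit]
    if bits & ~sum(table):
        names.append("0x%x" % (bits & ~sum(table)))
    return names


def ancestors_top_down(dn):
    """'cn=a,cn=b,o=c' -> ['o=c', 'cn=b,o=c', 'cn=a,cn=b,o=c'] (no escaped commas)."""
    parts = dn.split(",")
    return [",".join(parts[i:]) for i in range(len(parts) - 1, -1, -1)]


def effective_acls(tree, target_dn):
    """Return {(subject, attr): (bits, dn_where_granted)} for target_dn.

    Walk from the top of the tree down to the target. At each level, first
    apply that level's IRFs to everything inherited so far (an attribute
    right without its own mask is filtered by an [All Attributes Rights]
    mask), then apply the level's own ACLs: "subtree" ACLs flow down to the
    target, "entry" ACLs only count on the target itself. A new assignment
    for the same subject and attribute replaces the inherited one.
    """
    rights = {}
    for level in ancestors_top_down(target_dn):
        acls = [parse_acl(v) for v in tree.get(level, [])]
        masks = {a["attr"]: a["privileges"] for a in acls if a["subject"] == IRF_SUBJECT}
        for (subject, attr), (bits, src) in list(rights.items()):
            mask = masks.get(attr)
            if mask is None and attr != ENTRY:
                mask = masks.get(ALL_ATTRS)
            if mask is not None:
                if bits & mask:
                    rights[(subject, attr)] = (bits & mask, src)
                else:
                    del rights[(subject, attr)]
        for a in acls:
            if a["subject"] == IRF_SUBJECT:
                continue
            if a["scope"] == "subtree" or level == target_dn:
                rights[(a["subject"], a["attr"])] = (a["privileges"], level)
    return rights


def can_see(tree, target_dn):
    """Subjects whose [Entry Rights] on target_dn include Browse (or Supervisor)."""
    return {subject for (subject, attr), (bits, _) in effective_acls(tree, target_dn).items()
            if attr == ENTRY and bits & (1 | 16)}


def report(tree, target_dn):
    """One line per effective right, saying where it came from."""
    lines = []
    for (subject, attr), (bits, src) in sorted(effective_acls(tree, target_dn).items()):
        origin = "explicit" if src == target_dn else "inherited from " + src
        lines.append("%s: %s on %s (%s)" % (subject, "/".join(right_names(bits, attr)), attr, origin))
    return lines


# Constructed sample tree: one workflow limited to cn=managers, plus a stray
# subtree assignment for cn=helpdesk at o=data, the pattern behind this TID.
REQUESTDEFS = "cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=data"
WORKFLOW = "cn=ApproveAccess," + REQUESTDEFS
TREE = {
    "o=data": [
        "16#subtree#cn=admin,o=data#[Entry Rights]",
        "32#subtree#cn=admin,o=data#[All Attributes Rights]",
        "1#subtree#cn=helpdesk,ou=groups,o=data#[Entry Rights]",
        "3#subtree#cn=helpdesk,ou=groups,o=data#[All Attributes Rights]",
    ],
    WORKFLOW: [
        "1#entry#cn=managers,ou=groups,o=data#[Entry Rights]",
        "3#entry#cn=managers,ou=groups,o=data#[All Attributes Rights]",
    ],
}

# Same tree with an IRF on cn=RequestDefs that lets only Supervisor entry
# rights through, so the stray Browse from o=data stops there. Note that a
# mask of 0 would also cut off cn=admin's Supervisor right below that point.
TREE_WITH_IRF = {**TREE, REQUESTDEFS: ["16#entry#[Inheritance Mask]#[Entry Rights]"]}

if __name__ == "__main__":
    for label, tree in (("without IRF", TREE), ("with IRF", TREE_WITH_IRF)):
        print("--", label)
        for line in report(tree, WORKFLOW):
            print(line)
```

Feed it the ACL attribute of each object on the path as read from iMonitor or ldapsearch; any subject listed by can_see() that is not an intended trustee is a candidate for the removal described under Resolution, or for an IRF at cn=RequestDefs as in the second tree.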


What changes are made in eDirectory when trustees are specified in the Request Configuration Wizard?

The user interface makes the following changes to the Workflow object in the requestdefs.appconfig container of the User Application Driver:

  1. Two eDirectory ACLs are placed on the workflow object: one granting the Browse entry right ([Entry Rights]) and one granting Read and Compare rights to all attributes ([All Attributes Rights]) to the specified user or group.
  2. The XMLData attribute is modified to add a <trustee> XML element naming the specified user or group.

What if users do NOT see the workflow even if they should?

In the event that workflow visibility isn't working as expected, check the following:

  • Verify the ACL and XMLData attributes on the workflow object on all eDirectory replicas
  • Verify effective rights of the user in question via iManager or ConsoleOne
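
To make the first check mechanical, an added example that is not part of this TID or of the product: given the ACL and XMLData values read from each replica, the Python below checks that every trustee named in XMLData holds the two ACLs listed in the previous section and that all replicas agree. The replica data, the DNs and the shape of the XMLData document (a <trustee> element containing an LDAP-style DN) are constructed assumptions for the example; the ldapsearch invocation in the comment is one way to obtain the real values.

```python
"""Check a workflow object's trustee configuration from the ACL and XMLData
values read on each replica. Example code, not part of the TID or product.

The values can be pulled from each server holding a replica with, e.g.:
  ldapsearch -x -H ldaps://SERVER -D cn=admin,o=data -W -s base \
    -b "cn=ApproveAccess,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=DriverSet,o=data" \
    ACL XMLData
"""
import xml.etree.ElementTree as ET

# The two ACLs the Request Configuration Wizard writes for a trustee
# (bit values assumed from the eDirectory LDAP ACL documentation):
# Browse on [Entry Rights]; Read + Compare on [All Attributes Rights].
EXPECTED = {"[Entry Rights]": 1, "[All Attributes Rights]": 1 | 2}


def parse_acl(value):
    """Split 'privileges#scope#subjectname#protectedattrname' into a dict."""
    priv, scope, subject, attr = value.split("#", 3)
    return {"privileges": int(priv), "scope": scope, "subject": subject, "attr": attr}


def norm_dn(dn):
    """Comparison key for a DN: lowercase, no blanks around commas.
    Assumes both ACL and XMLData use LDAP-style DNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def acl_trustees(acl_values):
    """Subjects holding at least both wizard ACLs on the object."""
    held = {}
    for value in acl_values:
        acl = parse_acl(value)
        held.setdefault(norm_dn(acl["subject"]), {})[acl["attr"]] = acl["privileges"]
    return {subject for subject, attrs in held.items()
            if all(attrs.get(attr, 0) & bits == bits for attr, bits in EXPECTED.items())}


def xml_trustees(xmldata):
    """DNs inside <trustee> elements, wherever they sit and whatever the namespace."""
    root = ET.fromstring(xmldata)
    found = set()
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "trustee" and (el.text or "").strip():
            found.add(norm_dn(el.text.strip()))
    return found


def check_workflow(acl_values, xmldata):
    """Compare the trustees the ACLs grant with the ones XMLData names."""
    from_acl, from_xml = acl_trustees(acl_values), xml_trustees(xmldata)
    return {
        "consistent": from_acl == from_xml,
        "trustees": sorted(from_acl & from_xml),
        "acl_only": sorted(from_acl - from_xml),  # rights granted but not recorded in XMLData
        "xml_only": sorted(from_xml - from_acl),  # named in XMLData but missing an ACL
    }


def compare_replicas(replicas):
    """replicas: {server: {"ACL": [...], "XMLData": "..."}}.
    Returns per-server results and the servers whose view differs from the first."""
    results = {server: check_workflow(data["ACL"], data["XMLData"])
               for server, data in replicas.items()}
    baseline = next(iter(results.values()))
    return results, sorted(server for server, result in results.items() if result != baseline)


# Constructed sample: ldap-a is complete; ldap-b has not yet received the
# attribute-rights ACL for cn=managers, so the two replicas disagree.
MANAGERS = "cn=managers,ou=groups,o=data"
XMLDATA = """<request-definition name="ApproveAccess">
  <trustees><trustee>%s</trustee></trustees>
</request-definition>""" % MANAGERS
REPLICAS = {
    "ldap-a": {"ACL": ["1#entry#%s#[Entry Rights]" % MANAGERS,
                       "3#entry#%s#[All Attributes Rights]" % MANAGERS],
               "XMLData": XMLDATA},
    "ldap-b": {"ACL": ["1#entry#%s#[Entry Rights]" % MANAGERS],
               "XMLData": XMLDATA},
}

if __name__ == "__main__":
    results, drift = compare_replicas(REPLICAS)
    for server, result in results.items():
        print(server, result)
    print("replicas disagreeing with the first one:", drift)
```

A server in the drift list, or a non-empty acl_only or xml_only entry, is the first thing to look at before moving on to the effective-rights check in iManager or ConsoleOne.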