Environment
Novell Roles Based Provisioning Module 3.7
Novell Roles Based Provisioning Module 4.0 AE
Novell Roles Based Provisioning Module 4.0.1 SE
Novell Roles Based Provisioning Module 4.0.1 AE
Novell Roles Based Provisioning Module 4.0 AE
Novell Roles Based Provisioning Module 4.0.1 SE
Novell Roles Based Provisioning Module 4.0.1 AE
Situation
When mapping a resource to an entitlement, cannot see the driver that contains the entitlement on the list.
When mapping a resource to an entitlement, the driver is listed with some of its entitlements but not all of them appear.
When mapping a resource to an entitlement, the driver and entitlement are listed but the entitlement's values don't appear.
My query-based entitlement is not adding new values on RBPM
When mapping a resource to an entitlement, the driver is listed with some of its entitlements but not all of them appear.
When mapping a resource to an entitlement, the driver and entitlement are listed but the entitlement's values don't appear.
My query-based entitlement is not adding new values on RBPM
Resolution
Novell Roles Based Provisioning Module (RBPM) can map resources to entitlements. It periodically reads all drivers under the driverset that its User Application driver resides, looking for the EntitlementConfiguration object under those drivers, and reads/caches the entitlements and their values based on the settings in that object.
First step in troubleshooting these issues is to make sure that the desired entitlement is listed on the XML insidr the EntitlementConfiguration object under the driver. The coolsolution "Convert Driver Entitlements to New RBPM 3.7 Resource Model" at https://www.novell.com/communities/node/9702/convert-driver-entitlements-new-rbpm-37-resource-model has more details on how to automatically build the object whenever a driver starts.
Here is a sample of the XML inside the EntitlementConfiguration object:
<?xml version="1.0" encoding="UTF-8"?><entitlement-configuration modified="20110712033327">
<entitlements>
<entitlement dn="CN=BuildingEntry,CN=LoopBack,CN=driverset,O=services" resource-mapping="true" role-mapping="true">
<type>
<display-name>
<value langCode="EN"/>
</display-name>
</type>
</entitlement>
<entitlement dn="CN=LabEntry,CN=LoopBack,CN=driverset,O=services" resource-mapping="true" role-mapping="true">
<type>
<display-name>
<value langCode="EN"/>
</display-name>
</type>
</entitlement>
</entitlements>
</entitlement-configuration>
In the sample above, 'BuildingEntry' and 'LabEntry' are entitlement objects under the 'LoopBack' driver. The XML parameters resource-mapping and role-mapping are read by RBPM, and used to determine if the entitlement should be made available for resource and role mappings. "true" means its available, "false" means RBPM should not list them.
If the EntitlementConfiguration object exists under the driver and has the correct settings, then there are several places that could be causing the problem. To troubleshoot the issue at this point it is necessary to capture a level 3 trace of the driver that holds the entitlements as well as enable further tracing in RBPM to output the steps performed while reading and caching the information.
To enable the trace on the IDM driver go to its properties, 'Misc' link, then enter '3' on the 'Trace level' field and a path + filename for the driver's trace file on 'Trace file'. This file will reside in the IDM server's filesystem.
To enable logging on the RBPM side open a browser and go to the RBPM URL. Log in as a user with administrative rights on RBPM. Click on 'Administration' > 'Application Configuration' > 'Logging'. On the Logging Configuration change the packages 'com.novell.idm.nrf.persist' and 'com.novell.idm.nrf.service' to 'Trace'. Mark the check box by 'Persist the logging changes' then hit submit.
The next step is to cause RBPM to refresh the cached information about entitlements and their mappings. Still as a RBPM administrative user in the browser interface go to 'Roles and Resources' > 'Configure Roles and Resources Settings'. Under the 'Entitlement Query Settings' heading click on the button with a blue arrow by 'Refresh Status'. The text by the arrow should change from 'Not Running' to 'Running'. Once RBPM finishes refreshing the information the text will go back to 'Not Running'. At this point the driver trace and RBPM's 'server.log' file will contain verbose information on the refresh process, along with any errors and java stacks related to them.
First step in troubleshooting these issues is to make sure that the desired entitlement is listed on the XML insidr the EntitlementConfiguration object under the driver. The coolsolution "Convert Driver Entitlements to New RBPM 3.7 Resource Model" at https://www.novell.com/communities/node/9702/convert-driver-entitlements-new-rbpm-37-resource-model has more details on how to automatically build the object whenever a driver starts.
Here is a sample of the XML inside the EntitlementConfiguration object:
<?xml version="1.0" encoding="UTF-8"?><entitlement-configuration modified="20110712033327">
<entitlements>
<entitlement dn="CN=BuildingEntry,CN=LoopBack,CN=driverset,O=services" resource-mapping="true" role-mapping="true">
<type>
<display-name>
<value langCode="EN"/>
</display-name>
</type>
</entitlement>
<entitlement dn="CN=LabEntry,CN=LoopBack,CN=driverset,O=services" resource-mapping="true" role-mapping="true">
<type>
<display-name>
<value langCode="EN"/>
</display-name>
</type>
</entitlement>
</entitlements>
</entitlement-configuration>
In the sample above, 'BuildingEntry' and 'LabEntry' are entitlement objects under the 'LoopBack' driver. The XML parameters resource-mapping and role-mapping are read by RBPM, and used to determine if the entitlement should be made available for resource and role mappings. "true" means its available, "false" means RBPM should not list them.
If the EntitlementConfiguration object exists under the driver and has the correct settings, then there are several places that could be causing the problem. To troubleshoot the issue at this point it is necessary to capture a level 3 trace of the driver that holds the entitlements as well as enable further tracing in RBPM to output the steps performed while reading and caching the information.
To enable the trace on the IDM driver go to its properties, 'Misc' link, then enter '3' on the 'Trace level' field and a path + filename for the driver's trace file on 'Trace file'. This file will reside in the IDM server's filesystem.
To enable logging on the RBPM side open a browser and go to the RBPM URL. Log in as a user with administrative rights on RBPM. Click on 'Administration' > 'Application Configuration' > 'Logging'. On the Logging Configuration change the packages 'com.novell.idm.nrf.persist' and 'com.novell.idm.nrf.service' to 'Trace'. Mark the check box by 'Persist the logging changes' then hit submit.
The next step is to cause RBPM to refresh the cached information about entitlements and their mappings. Still as a RBPM administrative user in the browser interface go to 'Roles and Resources' > 'Configure Roles and Resources Settings'. Under the 'Entitlement Query Settings' heading click on the button with a blue arrow by 'Refresh Status'. The text by the arrow should change from 'Not Running' to 'Running'. Once RBPM finishes refreshing the information the text will go back to 'Not Running'. At this point the driver trace and RBPM's 'server.log' file will contain verbose information on the refresh process, along with any errors and java stacks related to them.