User application administrator assignments not created

  • 7010905
  • 10-Oct-2012
  • 10-Oct-2012

Environment


NetIQ Identity Manager Roles Based Provisioning Module 3.7, 4.x

Situation

The RBPM administrator does not have any administrator assignments after the install or after a change of assignments.
The RBPM administrator does not have access to the RBPM Provisioning and Security tab under Administration in UA.
The role administrator does not have access to any RBPM Provisioning and Security tasks in UA.

Resolution

During the initial RBPM install, the default administrator and any other role administrators are set in the configupdate interface. These administrator assignments are performed when the UA interface is accessed for the first time. The assignments are done through the Role and Resource service driver.

If the administrator does not receive any of the administrator roles or assignments, you will see the following message in the Role and Resource service driver log:

[10/08/12 18:00:18.788]:roleResourceDriver0 ST:: Processing request
        DN: dc=system\dc=service\dc=idm\CN=driverset0\CN=UserApplication0\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20121008180018-8766c080a116400cb30f1e8be56acee2-0
[10/08/12 18:00:18.788]:roleResourceDriver0 ST:: Role recalculation operation ignored because identity is out of scope
                Identity DN: dc=system\dc=service\dc=idm\CN=driverset0\CN=UserApplication0\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20121008180018-8766c080a116400cb30f1e8be56acee2-0
                User-Group root DN: dc=system\dc=sa\CN=uaadmin

The administrator role or assignment was not performed because the user is out of scope. This scope is set on the Role and Resource service driver, under Driver configuration - Driver parameters tab - User-group base container DN.

The Role and Resource service driver does not act on any user outside of this scope: such users are neither granted nor revoked any roles.

After you correct the User-group base DN to include your administrator scope, you will have to redo the administrator assignments.

Follow the steps in the User application Administration documentation:

https://www.netiq.com/documentation/idm402/agpro/data/bncio25.html
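
To confirm the cause before changing the driver parameter, the out-of-scope message described above can be pulled from a saved driver trace and a DN checked against the configured base. This is an added example, not NetIQ code: the function names `find_out_of_scope` and `in_scope` are hypothetical, and it assumes the trace layout shown in the excerpt and backslash-delimited DNs written root first with no escaped backslashes inside a name.

```python
import re

# Sample trace lines, copied from the excerpt above (not a live log).
SAMPLE = r"""[10/08/12 18:00:18.788]:roleResourceDriver0 ST:: Processing request
        DN: dc=system\dc=service\dc=idm\CN=driverset0\CN=UserApplication0\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20121008180018-8766c080a116400cb30f1e8be56acee2-0
[10/08/12 18:00:18.788]:roleResourceDriver0 ST:: Role recalculation operation ignored because identity is out of scope
                Identity DN: dc=system\dc=service\dc=idm\CN=driverset0\CN=UserApplication0\CN=AppConfig\CN=RoleConfig\CN=Requests\CN=20121008180018-8766c080a116400cb30f1e8be56acee2-0
                User-Group root DN: dc=system\dc=sa\CN=uaadmin
"""

# A timestamped trace entry, and the indented fields that follow it.
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]:(?P<driver>\S+) ST:: (?P<msg>.*)$")
FIELD = re.compile(r"^\s+(?P<key>Identity DN|User-Group root DN): (?P<val>.+)$")
OUT_OF_SCOPE = "ignored because identity is out of scope"


def find_out_of_scope(trace):
    """Return one dict per out-of-scope message, with its indented DN fields."""
    hits, current = [], None
    for line in trace.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = None  # a new entry ends the previous one's fields
            if OUT_OF_SCOPE in entry["msg"]:
                current = {"ts": entry["ts"], "driver": entry["driver"]}
                hits.append(current)
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field["key"]] = field["val"].strip()
    return hits


def in_scope(dn, base):
    """True if dn equals base or sits below it (component-wise, case-insensitive)."""
    dn_parts = [p.strip().lower() for p in dn.split("\\")]
    base_parts = [p.strip().lower() for p in base.split("\\")]
    return dn_parts[:len(base_parts)] == base_parts


if __name__ == "__main__":
    for hit in find_out_of_scope(SAMPLE):
        root = hit.get("User-Group root DN", "")
        print(hit["ts"], hit["driver"], "User-Group root DN:", root)
        print("  identity in scope:", in_scope(hit.get("Identity DN", ""), root))
```

The comparison is done per DN component rather than as a string prefix, so a container such as `dc=system\dc=sales` is not mistaken for being under `dc=system\dc=sa`.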