Symantec Access Management

Troubleshooting 

Jun 01, 2012 03:14 PM

Installation Considerations

Policy XPress Supports SOAP and REST Web Services

Policy XPress has been enhanced to support SOAP web services (with the basic authentication method) and REST web services (with the basic authentication, proxy authentication, and OAuth authentication methods), so that it can be integrated with external applications that expose a web service interface.

To use the Policy XPress web services (SOAP and REST) with JBoss 5.1 community edition, copy the following jars into your JBoss 5.1 community edition "\lib\endorsed" directory from the "client" directory, and then restart the application server:

  • jbossws-native-jaxrpc.jar
  • jbossws-native-jaxws.jar
  • jbossws-native-jaxws-ext.jar
  • jbossws-native-saaj.jar

Note: You do not need to consider copying these files for the EAP versions.

Limitations

Policy Fails When Trying to Modify an Endpoint Object

Whenever you modify an endpoint object from Policy Xpress, use an IM Handle (the Provisioning Server syntax that represents an endpoint object). To find the handle of the object, go to Modify Users, Endpoint Accounts, click the Accounts tab and search for the account. If you hover over the value of the object, a tool tip shows the handle.

Avoid Using a “screen message” action rule to fail a TEWS transaction

You should avoid using the "screen message" action rule to fail a TEWS transaction as the task hangs and eventually either fails or does not return a transaction ID.

Avoid Using Friendly Task Names for Policy Xpress Rules

Localization and the reverse (manually un-localizing) corrupt the string (adding spaces), and the Policy Xpress rule fails to execute.

Editing or Modifying Policy Xpress Policies

  • You cannot edit Data Field names after policy creation.
  • You cannot change the POLICY or EVENT type after policy creation.
  • Editing Options:
    • Duplicate as existing Policy Xpress rule; then rename and delete the original.
    • Directly edit the Environment export XML. Search for POLICY XPRESS EXPORT to update the policy.
  • Policy Xpress LDAP is query only. It may be possible to execute an SQL update via JNDI to an LDAP endpoint.

Policy Xpress CLI is unable to call MS Powershell due to Java/PS interaction and output of PS objects.

  • Appears to work with a wrapper based on Java 1.6
  • Fails to work with a wrapper based on Java 1.5

Policy Xpress CLI requires an external process to be deployed on ALL WebSphere servers

Policy Xpress CLI requires an external process to be deployed on ALL WebSphere servers, and the CLI process must be supported by the OS that WebSphere is installed on. Note the following:

  • MS VB will not execute on UNIX OS
  • MS Powershell will not execute on UNIX OS
  • Recommend using a data cluster for shared files between nodes of a cluster, including BLC

Screen Logical Handler may only be managed by the Policy Xpress UI Type

Policy Xpress Action Rules are limited to ~ 50 rules

  • Database field is 255
  • May be expanded to 1023
  • Impacts modify user use case for Active Directory distribution email groups based on country code

Endpoint attributes in Policy Xpress do NOT match endpoint or provisioning server notation

Policy Xpress does not interact with LAH unless UI type is selected

  • |passwordConfirm|
  • |oldPassword|
  • |forcePasswordReset|
  • |enable|
  • |GroupSubscription|

SynchronizeAttributesWithAccountsEvent

  • Does NOT have access to view the LDAP user store attributes
  • EVENT does not use USER as primary object
  • Does have the ability to view endpoint attributes
  • Use to manage Distribution Email Lists (AD Groups)

Explore & Correlate operations will call MODIFY USER EVENT

  • Flooding of VST and possible looping may occur
  • Recommend adding Data Entry rules to any MUE Policy Xpress rules to ignore inboundsync ID

Provisioning Modify User Task: set Account Sync to None to avoid a looping effect during Explore & Correlate and inbound sync operations, where the Provisioning Modify User Task generates an AccountSync operation.

Naming of Policy Xpress rules

  • Do not use ampersand (&), greater than (>), less than (<), or forward slash (/) in the name; these are XML characters that will be interpreted incorrectly during import/export of the environment and/or by the ConfigXpress tool.
  • Monitor any email templates that are NOT contained in CDATA markers.
  • Recommend using only dash (-) or underscore (_) as separators when naming Policy Xpress rules.
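The naming rule above comes down to XML well-formedness: a rule name or template body written verbatim into the environment export will not parse back in if it contains these characters. The following added example (not part of the original page or of the product) models that round trip; it assumes the export writes the name and template body verbatim, as the warning implies, and the element names PolicyXpress and EmailTemplate are constructed stand-ins.

```python
import xml.etree.ElementTree as ET

FORBIDDEN = set("&<>/")  # the characters the page says to keep out of rule names


def check_rule_name(name):
    """Return the forbidden characters present in a proposed rule name (empty list: acceptable)."""
    return sorted(FORBIDDEN & set(name))


def export_fragment(name, template_body, use_cdata):
    """Constructed stand-in for one policy entry in an environment export (element names assumed)."""
    body = "<![CDATA[%s]]>" % template_body if use_cdata else template_body
    return '<PolicyXpress name="%s"><EmailTemplate>%s</EmailTemplate></PolicyXpress>' % (name, body)


def import_fragment(xml_text):
    """Mimic the import side: return (name, template body), or None when the XML is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.get("name"), root.find("EmailTemplate").text
```

A name that passes check_rule_name survives the round trip; a template body containing markup characters survives only when wrapped in CDATA.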

UTC - Timing of WebSphere Servers

  • Impact: PX or Bulk Load tasks must query by date-time stamp for user populations
  • Recommend all Websphere servers be placed on UTC timezone, especially if the Websphere servers are deployed across multiple timezones on a WAN

Call an Oracle Stored Procedure

To call an Oracle stored procedure and get the output, do the following:

  1. Write the stored procedure call in the "Query" box as follows. The "?" indicates a parameter of the stored procedure:
    call PROC_EXAMPLE(?,?,?)
  2. Click the "Add Parameter" button to add parameters and map the "?" in the stored procedure call, as follows:
    • For the input parameter, type the value in the "Argument" text box.
    • For the output parameter, type "PX_OUTPUT_PARAMETER" in the "Argument" text box. Policy Xpress adds these parameters to the query and returns the output.

Bulk Load Limitations

  • Generate Unique User ID - Generates a unique identifier in both the corporate directory and the provisioning server userstore and endpoints.
  • Uniqueness and Policy Xpress
    • If the unique identifier uses a non-random business logic, the likelihood of generating a similar identifier is high during the onboarding process. One method is to generate the user identifier with sequential numbers appended to the end of the string, while considering the allowed maximum length of the string; then check uniqueness against the corporate directory.
    • Operation in memory may run in parallel and collide
      • During the bulk onboarding process, multiple accounts (1000) have unique identifiers generated. If there is no similarity between sequential IDs and the business logic used to generate the unique identifier, Policy Xpress generates a unique identifier as expected. If there is the possibility of a similar ID and/or a workflow process is to be introduced into the onboarding process, then a temporary database table is required to retain the generated unique identifier until the unique identifier has been committed to the corporate directory; otherwise the single uniqueness check against the corporate directory will not be sufficient. A secondary uniqueness checker is required against the temporary database table to ensure that no two IDs are used prior to being written to the corporate directory.
  • Bulk Load (feed) Challenges
    • Policy Xpress, while fast enough for most bulk load processes, appears to have challenges when multiple similar accounts have similar unique identifiers and are arranged in the bulk feed sequentially.
    • Observation: If twenty (20) John Smiths are bulk loaded and the business logic is using parts of the LastName and FirstName, the eighth or ninth object will fail during creation due to failing to write to the temporary database table while the operations are still in memory. Meaning, the ninth object finished the generation of the unique identifier before the eighth object did, and the ninth wrote to the temporary database a fraction quicker. Workaround: Move the unique identifier (uid & cn) to a BLTH.
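The uniqueness race described above, as an added example that is not code from the page or from the product: every request in a batch generates its identifier in memory before any of them commits to the directory, so a check against the directory alone lets all twenty John Smiths claim the same value, while an atomic reservation in a temporary table (a primary key rejects the second claim) forces each request onto the next sequential suffix. The business rule (six letters of the last name plus first initial), the maximum length of 8 and the batch are constructed for the example.

```python
import sqlite3

MAX_LEN = 8  # constructed maximum identifier length for this example

def base_id(first, last):
    """Constructed business rule: up to six letters of the last name plus the first initial."""
    return (last[:6] + first[:1]).lower()

def candidate(base, n):
    """n-th candidate: base plus a sequential suffix, truncated so the total respects MAX_LEN."""
    suffix = "" if n == 0 else str(n)
    return base[:MAX_LEN - len(suffix)] + suffix

def new_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE directory (uid TEXT PRIMARY KEY)")  # stands in for the corporate directory
    db.execute("CREATE TABLE reserved (uid TEXT PRIMARY KEY)")   # temporary reservation table
    return db

def reserve(db, uid):
    """Atomically claim uid; the primary key rejects a second in-flight claim of the same value."""
    try:
        db.execute("INSERT INTO reserved (uid) VALUES (?)", (uid,))
        return True
    except sqlite3.IntegrityError:
        return False

def generate_uid(db, first, last, use_reservation):
    base = base_id(first, last)
    for n in range(1000):
        uid = candidate(base, n)
        # the single check against the directory that the page calls insufficient on its own
        if db.execute("SELECT 1 FROM directory WHERE uid = ?", (uid,)).fetchone():
            continue
        if not use_reservation or reserve(db, uid):
            return uid
    raise RuntimeError("no free identifier for %s %s" % (first, last))

def onboard(people, use_reservation):
    """Phase 1: every request generates its uid in memory; phase 2: all of them commit to the directory."""
    db = new_store()
    uids = [generate_uid(db, f, l, use_reservation) for f, l in people]
    db.executemany("INSERT OR IGNORE INTO directory (uid) VALUES (?)", [(u,) for u in uids])
    return uids

BATCH = [("John", "Smith")] * 20  # constructed feed: twenty John Smiths arranged sequentially
```

Running onboard(BATCH, False) yields one identifier repeated twenty times; onboard(BATCH, True) yields smithj, smithj1 ... smithj19, all within the length limit.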

Known Issues

Populating Combo Boxes

When populating a drop-down control, if the user selects a value other than the initial value selected in the drop-down list, the options in the drop-down list disappear.

Policy Fails to Trigger when Create Events for all Types of AccountTemplate and Endpoint Type are Used

Symptom: Policy Xpress policy fails to trigger when Create Events for all types of AccountTemplate and Endpoint Type are used with object attribute plugin.

Solution: Use ModifyAccountTemplate and ModifyEndpointType events instead to trigger the Policy Xpress policies.

Return Value:  External CLI - None Returned

Generated Password is not passed to Provisioning server unless Policy is of UI type or the Event leveraged uses the User object as the primary object.

Symptoms: If a Policy Xpress rule assigns a provisioning role and the global user needs to be created, the password from the user store is not passed. When the global user receives a create user notification without a password, the Provisioning server generates a password and pushes this generated password to provisioned endpoints. This password is unknown to the user and the administrator, and does not sync back to the user store.
This may be monitored with the UPO Exit (see tech notes?).

Manage Endpoint Accounts

  • Technote TEC505246
  • Ensure that the tasks have AccountSync=OnEveryEvent instead of AccountSync=OnTaskCompletion; otherwise the accounts could be toggled back to Enabled right away, even if the Account Template is configured to create the accounts as Disabled.
  • Do not configure Policy Xpress policies to run against the SynchronizeAttributesWithAccountsEvent, because ideally that event will never happen if the tasks are configured per recommendation of AccountSync=OnEveryEvent.

Search on Policy Xpress names is case sensitive

  • Does not match other search screens.
  • Change the default search from equals to contains to promote a better search routine.

Delete User

There are only 4 attributes (givenName, %ORG_MEMBERSHIP_NAME%, uid, sn) available during a delete user event or task. Note: the identity policy attribute is not one of them. When a PX add action executes, it writes the unique ID of that policy to the identity policies attribute, which is not an available property in the task *or* event context. Currently, any policy run on DeleteUser fails. This is being addressed in the next major release.

Submitted Task policy type with a Throw an Exception action causes Policy Xpress to hang

Problem: I want to create a policy that stops a Create User task when the username provided is a duplicate. I set up my policy to be of Submitted Task type with an action of Throw an Exception. The result was that the task was submitted and a Task Failed was seen on the screen. However, in VST, I see that the task did get submitted but all of the events appear to be stuck In Progress (i.e. CreateUserEvent, AssignProvisioningRoleEvent). At this point, Policy Xpress just hangs.

Solution: Instead, you should create a policy of type UI with a Validation step. Then use the Throw an Exception action with the onscreen validation. This policy will throw an exception before the task is submitted and will not hang. Policy Xpress will either complete or move on to the next policy.

Errors Running a Unix Script in Policy Xpress

IOException: “/bin/sh” not found.

This issue is due to the UNIX concept of hard links. When you run a shell script, the "sh" command needs to be in the application server's path, and /bin/sh should be in the same link (a hard link) where the application is deployed.

How to kill a system (or Don’t Do This!)

  1. Create a Bulk Task with a search screen set to auto-search and no filter.
  2. Create a Policy Xpress policy of UI type to execute on Set Subject
  3. Click on the task in the User Console.
  4. Watch java memory run to maximum and then lock the system.