Symantec IGA


Get newly added Groups

  • 1.  Get newly added Groups

    Posted Oct 04, 2016 03:57 PM

    Hi, 

     

    Is there any way to get the groups added to/removed from a user? I tried the BLTH and Policy Xpress options; both are not working as per the product documentation. I am adding new groups to the user through the Groups Relationships tab form. Does anybody have an idea how I can get this info?

     

    Doc reference:

    Using the CA Identity Manager BLTHContext get... methods to access a run-time instance of a managed object in the task session.
    The information you can access in a task session includes the subject of the task (such as a User object in a Create User task) and the subject’s relationships (such as the roles and groups that a user is assigned to). You can also access any objects that were modified during the task (such as user objects that were disabled or deleted).
    Any changes made to a managed object through BLTHContext get... methods are made to the run-time instance of the managed object in the task session. CA Identity Manager generates events for the task, and workflow approvals, auditing, and security checks can be performed.



  • 2.  Re: Get newly added Groups
    Best Answer

    Posted Oct 10, 2016 09:37 AM

    Hi MK_1,

     

    I'm not sure what you are trying to achieve, so I hope what I'm telling you is of any help. I have written this from a user create/modify perspective.

     

    If you want to use BLTH the BlthContext indeed contains states but you need to access the proper attribute/method. 

     

    As you probably know, a BLTH in this case starts with the handleValidation method:

    function handleValidation(BlthContext, errorMessage) {...}

     

     

    To get the groups of the user you need to use the BLTHContext.getUsersGroups() method:

    // get the user groups
    var usergroups = BlthContext.getUsersGroups();
    var added_user_groups = usergroups.getAdditions();
    var deleted_user_groups = usergroups.getDeletions();
    var current_user_groups = usergroups.getCurrentValues();
    var new_current_user_groups = usergroups.getNewCurrentValues();

    You can iterate through these lists, which are Vectors, and do with them as you wish.

    // example: iterate through the current group list (vector)
    for(var i = 0; i < current_user_groups.size(); i++ ){
       var group = current_user_groups.get(i);
       // do something with it
    }

     

    Hopefully this helps. 

    Wietse Beerens



  • 3.  Re: Get newly added Groups

    Posted Oct 12, 2016 12:16 AM

    Hi Wietse,

    Thank you for your reply. BlthContext.getUsersGroups() is always returning a null value. I am using the Group Relationship tab form to add/remove values. Even the PX option is not returning the changed values.



  • 4.  Re: Get newly added Groups

    Posted Oct 12, 2016 04:40 AM

    Hi MK_1,

     

    Probably it's empty because the user group tab is not included in the admin task. Maybe you could try that tab instead of a group relations tab?

     

    kr,

    Wietse



  • 5.  Re: Get newly added Groups

    Posted Oct 13, 2016 05:06 PM

    Thank you, Wietse. For scalability/performance of groups, CA recommended using Group Relationship tabs. We are not able to use the user Group tab.



  • 6.  Re: Get newly added Groups

    Broadcom Employee
    Posted Oct 20, 2016 08:59 AM

    Hello,

    This may not be exactly what you are looking for but if all other things fail you could also do the following:

     

    1. Write the first policy xpress that gets the list of groups for a user (Group Membership under Category in the Data tab) BEFORE this user is added to a group or removed from a group. Depending on from where you are adding/removing users to/from groups you may need to execute this policy xpress BEFORE any of the following events: ModifyGroupEvent, AddToGroupEvent, RemoveFromGroupEvent.  As an action of this "BEFORE" policy xpress SET the values returned by Group Membership in the Data tab to a multi-valued attribute of the user object (let's call it ATTR1)

     

    2. Write the second policy xpress that gets the list of groups for the user (Group Membership under Category in the Data tab) AFTER the user is added to a group or removed from a group. Once again, depending on from where you are adding/removing users to/from groups, you may need to execute this policy xpress AFTER any of the following events: ModifyGroupEvent, AddToGroupEvent, RemoveFromGroupEvent. This policy xpress will have 2 actions. The first action will SET the values returned by group memberships AFTER the group change to the same multi-valued attribute of the user object (ATTR1) where you wrote group memberships BEFORE the event took place.

    The second action will use the Values Added or Values Removed from ATTR1 (you need to get added values and removed values for ATTR1 - has user attribute changed - in the PX data tab) in whatever form you desire.

     

    KR
    Russi



  • 7.  Re: Get newly added Groups

    Posted Oct 20, 2016 09:59 AM

    losru01  and MK_1 ,

     

    If we use a 'Relationship' tab in the task definition, then any of the API calls (or) PX engine calls would return empty values when trying to fetch group members. 'Relationship' objects are retrieved dynamically based on the 'relationship' attribute and therefore the above mechanisms do not work.

     

    Below is a sample snippet that does the fetch part. It throws out all the added and removed groups as an exception message on the screen. The below code snippet tries to get the relationship values and then fetch the added and removed values instead of referencing a group object directly.

     

    function handleSubmission(blthcontext, errormessage)
    {
        // Find the handler of the "relationship" tab among the task's tab handlers
        var relation_tab_handler = null;
        var tabs_iterator = blthcontext.getTaskTabHandlers().iterator();
        while (tabs_iterator.hasNext())
        {
            var tab_handler = tabs_iterator.next();
            if ((tab_handler.getTagName()).equalsIgnoreCase("relationship"))
            {
                relation_tab_handler = tab_handler;
            }
        }
        // Without this check getRelationship() below fails when the task has no such tab
        if (relation_tab_handler == null)
        {
            errormessage.reference = "Return value: no relationship tab in this task";
            return false;
        }

        // Read the added and removed values from the relationship itself
        var relation = relation_tab_handler.getRelationship();
        var status_str = "";
        var groups_iterator;
        var group_object;

        if ((relation.getAdded().size()) > 0)
        {
            status_str = "Add found, " + (relation.getAdded().size());
            groups_iterator = relation.getAdded().iterator();
            while (groups_iterator.hasNext())
            {
                group_object = groups_iterator.next();
                status_str += " added grp name :" + (group_object.getFriendlyName());
            }
        }

        // The original called clear() on the collection here; that is dropped so the
        // list of added groups held by the relationship is not touched.
        if ((relation.getRemoved().size()) > 0)
        {
            status_str += "Remove found, " + (relation.getRemoved().size());
            groups_iterator = relation.getRemoved().iterator();
            while (groups_iterator.hasNext())
            {
                group_object = groups_iterator.next();
                status_str += " removed grp name :" + (group_object.getFriendlyName());
            }
        }

        // Returning false shows the collected names as an error message on the screen
        errormessage.reference = "Return value: " + status_str;
        return false;
    }



  • 8.  Re: Get newly added Groups

    Broadcom Employee
    Posted Oct 20, 2016 11:43 AM

    Hi Leela Kumar

    Thanks for sharing this very useful code which will be helpful to the original requester. I just wanted to let you know that policy xpress DOES return the list of groups (Group Member under Group category of the Policy Xpress Data types). I just added and removed groups from a user with Relationship tab (configured for groups) and I DO get the list of groups returned before and after events for the user through policy xpress.

    KR
    Russi



  • 9.  Re: Get newly added Groups

    Posted Oct 20, 2016 02:52 PM

    Thanks Leela, Russi for your suggestions. I have taken Leela's approach and was able to achieve it.

    Policy Xpress should enhance its capability to get changed values during runtime in all aspects. Currently it does not, and it is a long way to achieve the desired functionality.



  • 10.  Re: Get newly added Groups

    Posted Sep 12, 2018 05:34 AM

    LEELA: useful.

     

    HOWEVER there is a problem: Items can be in the "added" list, even though the "Members" checkbox is off. 

     

    The methods return as follows:

    - getAdded = all Groups added to the list (whether the "Members" checkbox is on or off)

    - getRemoved = Groups on list where "Members" checkbox is off 

          BUT this does NOT include newly-added Groups, only "currently-assigned" removed items

     

    Somehow we need to ALSO see if the "Members" checkbox is on or off.

    There is a method in TaskTabHandler.getRelationship()  - isObjectRelated() - but this seems to always return true; 

    TaskTabHandler (and related classes) are not in the JavaDoc, so decompile would be needed to see if there is a useful method for this. 



  • 11.  Re: Get newly added Groups

    Posted Oct 15, 2018 01:57 PM

    Review of Methods

    • Relationship.getAdded
      • Lists all groups added to screen
      • ISSUE: even if member checkbox is turned off
    • Relationship.getRemoved
      • Lists all current Groups where checkbox is off
      • ISSUE: even if member checkbox is turned on
    • RelationshipTabHandler.getAssignedResources
      • Lists all Groups assigned to screen, and still members
      • ISSUE: if Group is added to screen – but is already a currently assigned Group – it can be on this list
    • RelationshipTabHandler.getRevokedResources
      • Lists all previously assigned Groups where checkbox has been turned off
      • ISSUE: if Group is added to screen – but is already a currently assigned Group – it will not appear on this list

     

     

    DECISION: Use the approach below:

    • ADDs: where Group is in BOTH Relationship.getAdded and RelationshipTabHandler.getAssignedResources
      • This is completely reliable
    • REMOVEs: where Group is in RelationshipTabHandler.getRevokedResources
      • This is not completely reliable
      • It will not notice a Group that was previously assigned, then “Added” to the list by the user, and still removed (checkbox turned off)
      • This will not be validated: but will be removed from the user by the IM

     

     

     

    function handleSubmission(BlthContext, errorMessage) {
      //
      // GET TAB
      // *******
      var relTabHandler = null ;
      var tabsList = BlthContext.getTaskTabHandlers();
      var tabsIterator = tabsList.iterator();
      while(tabsIterator.hasNext()) {
        var tempTH = tabsIterator.next();
        if((tempTH.getTagName()).equalsIgnoreCase("relationship")) relTabHandler = tempTH;
      } // end of WHILE
      if (relTabHandler==null) {
        errorMessage.reference = "TabHandler with name 'relationship' not found - STOP" ;
        return false ;
      }
      //
      // Read Relation, Adds
      // *******************
      var relation = relTabHandler.getRelationship();
      var relAdded = relation.getAdded() ;
      // DEBUG
      //errorMessage.reference = "TabHandler 'relationship' - Added=" + relAdded.size() ;
      //return false ;
      //
      // GET TAB Resources
      // **********************
      var tabAssignedRscs = relTabHandler.getAssignedResources() ;
      var tabRevokedRscs = relTabHandler.getRevokedResources() ;
      // DEBUG
      //errorMessage.reference = "TabHandler 'relationship' - tabAssignedRscs=" + tabAssignedRscs.size() + " tabRevokedRscs=" + tabRevokedRscs.size() ;
      //return false ;
      //
      // Prepare List of ADDs
      // ********************
      var addedGroups = new Packages.java.util.Vector() ;
      var addMSG="addedGroups: " ;
      var ia ;
      var iterADDs = relAdded.iterator();
      while (iterADDs.hasNext()) {
        var addGROUP = iterADDs.next();
        //
        // CHECK is also in tabAssignedRscs
        // ********************************
        for (ia=0 ; ia<tabAssignedRscs.size() ; ia++) {
          var thisADD=tabAssignedRscs.get(ia) ;
          if (thisADD.getUniqueName().equals(addGROUP.getUniqueName())) {
            addedGroups.add( addGROUP ) ;
            addMSG+=addGROUP.getUniqueName()+" --- ";
            break;
          }
        } // end of for-tabAssignedRscs
      } // end of LOOP through ADDS
      // DEBUG
      //errorMessage.reference = "TabHandler 'relationship' - addedGroups=" + addedGroups ;
      //return false ;
      //
      // NOW do validate - Adds
      // **********************
      for (ia=0 ; ia<addedGroups.size() ; ia++) {
        var groupADD=addedGroups.get(ia) ;
        // Validations etc
        //
      } // end for for-addedGroups
      //
      // NOW do validate - Revokes
      // *************************
      var remMSG="removedGroups: " ;
      for (ia=0 ; ia<tabRevokedRscs.size() ; ia++) {
        var groupREM=tabRevokedRscs.get(ia) ;
        remMSG+=groupREM.getUniqueName()+" --- ";
        // Validations etc
        //
      } // end for for-revokedGroups
      // DEBUG
      //errorMessage.reference = "TabHandler 'relationship' - remMSG=" + remMSG ;
      //return false ;
      //
      //
      // DEBUG - display information
      // ***************************
      // While this block is active the task is always rejected and the
      // 'return true' at the end is never reached.
      errorMessage.reference = "TabHandler 'relationship' --- " + addMSG + " --- " + remMSG + " --- "  ;
      return false ;
      //
      //
      // END
      return true ;
    }
    // end of FUNCTION
    //
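
The decision rules from post 11, combined with a "before" membership snapshot like the one described in post 6, as an added example that is not part of the thread or of the product's API. Plain JavaScript arrays of group names stand in for the Java collections; `classifyGroupChanges`, `removalsToValidate` and the sample group names are hypothetical, and the snapshot is an assumption used to surface the removal that post 11 says getRevokedResources does not report.

```javascript
// Added example. Plain arrays of group unique names stand in for the Java
// collections the tab handler returns; every sample value is constructed.
//   added       - names from Relationship.getAdded()
//   assigned    - names from RelationshipTabHandler.getAssignedResources()
//   revoked     - names from RelationshipTabHandler.getRevokedResources()
//   priorGroups - membership snapshot taken before the task (assumption)
function classifyGroupChanges(added, assigned, revoked, priorGroups) {
  const assignedSet = new Set(assigned);
  const revokedSet = new Set(revoked);
  const priorSet = new Set(priorGroups);
  const result = {
    adds: [],                    // in getAdded AND getAssignedResources
    removes: [...revokedSet],    // reported by getRevokedResources
    hiddenRemoves: [],           // removals getRevokedResources misses
    noOps: []                    // put on the screen, left unchecked
  };
  for (const name of new Set(added)) {
    if (assignedSet.has(name)) {
      result.adds.push(name);
    } else if (revokedSet.has(name)) {
      continue;                  // already counted as a reported removal
    } else if (priorSet.has(name)) {
      // Was a member, was re-added to the list, checkbox is off.
      result.hiddenRemoves.push(name);
    } else {
      result.noOps.push(name);
    }
  }
  return result;
}

// Every effective removal, reported or hidden, goes through validation.
function removalsToValidate(result) {
  return [...new Set([...result.removes, ...result.hiddenRemoves])];
}

const sample = classifyGroupChanges(
  ["cn=Finance", "cn=Audit", "cn=Helpdesk"],   // getAdded
  ["cn=Finance", "cn=Staff"],                  // getAssignedResources
  ["cn=Contractors"],                          // getRevokedResources
  ["cn=Staff", "cn=Audit", "cn=Contractors"]   // membership before the task
);
console.log(sample, removalsToValidate(sample));
```

In the sample, cn=Audit is the case post 11 describes: a previous member that was re-added to the list with the checkbox off, so it reaches validation only because of the snapshot.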