CA Service Management


Get EEM Group Members from Service Catalog or PAM

  • 1.  Get EEM Group Members from Service Catalog or PAM

    Posted Jan 25, 2017 10:17 AM

    Hi.

     

    Is there any way to fetch members of a specific application group in EEM using reports, web service etc? 

     

    I have defined a number of application groups and populated them with members in EEM.

    These groups are used for policy approval, and the assignment works fine. Although, for some services we want to assign the approval task to a specific member in an application group using the workflow driven approval. 

     

    Thanks,

    Karolin 



  • 2.  Re: Get EEM Group Members from Service Catalog or PAM
    Best Answer

    Posted Jan 25, 2017 11:53 AM

    Hi Karolin,

     

    Unfortunately, I don't think there is a straightforward way to return EEM application group membership, as EEM doesn't expose web services and there is no retrieve function for safex (EEM command line utility). That being said, I could suggest creating a database table with the group/approver information that your PAM process could query to assign the approval tasks for the workflow driven offerings.

     

    Thanks,
    Jason



  • 3.  Re: Get EEM Group Members from Service Catalog or PAM

    Posted Jan 26, 2017 11:03 AM

    Is EEM accessible as a standard LDAP directory?

     

    If yes, you can create a Java catalog plugin to query it.

     

    We did it with Active Directory.



  • 4.  Re: Get EEM Group Members from Service Catalog or PAM

    Posted Feb 01, 2017 02:44 PM

    Hi! 

    Yes, we ended up writing a .NET application to get the members of the different EEM groups, store them in the DB, and then fetch the user(s) in the catalog form with the standard reports.

     

    Thanks for the input! 



  • 5.  Re: Get EEM Group Members from Service Catalog or PAM

    Posted Feb 01, 2017 03:09 PM

    If you did it with .NET, you can create a Java plugin to query EEM directly from Service Catalog.

     

    You just need to understand how to create a plugin, and port your code from .NET to Java.



  • 6.  Re: Get EEM Group Members from Service Catalog or PAM

    Posted Feb 01, 2017 02:48 PM

    Hi Jason, thanks for the input. 

    We created a .NET application to get the users from EEM and store them in the DB. We start the application from PAM, scheduled.

     

    We thought that it's less maintenance than adding the approvers manually. 

     

    Would be a really nice feature for the catalog if one could query EEM directly.

     

    /Karolin 



  • 7.  Re: Get EEM Group Members from Service Catalog or PAM

    Posted Feb 01, 2017 03:48 PM

    Glad to help, Karolin! The programmatic approach definitely makes sense in reducing maintainability. And agreed it would be nice if it was easier to query EEM, maybe create an Idea as an enhancement request?



  • 8.  Re: Get EEM Group Members from Service Catalog or PAM

    Broadcom Employee
    Posted Jan 26, 2017 02:38 AM

    Good Morning Karolin.

     

    Please check the following information.
     
    https://comm.support.ca.com/?legacyid=TEC586117
     
    It is possible to 'read' users from EEM, through the safex.exe program.
    What you can do is the following:
     
    1. cd C:\Program Files\CA\SharedComponents\iTechnology
    1. cd C:\Program Files\CA\SC\EmbeddedEntitlementsManager\bin
    2. Create the file named "export_gusers.xml" with the following content:
    <?xml version="1.0" standalone="yes" ?>
    <Safex>
    <Attach label="CA Service Catalog"/>
    <Attach label="Service Catalog"/>
    <Export file="EEMusers_export.xml" globalfolders="n" globalsettings="n" globalusergroups="y" globalusers="y" folders="n" usergroups="y" users="y" calendars="n" policies="n" appobjects="n" maxsearchsize="50000" />
    <Detach/>
    </Safex>
    ---------------------------------------------------------------
    <Safex>
    <Attach label="Process Automation"/>
    <Export file="PRDProcessAutomation.xml" globalfolders="n" globalusergroups="n" globalusers="n" globalsettings="n" folders="y" usergroups="y" users="y" calendars="y" policies="y" appobjects="y"/>
    <Detach/>
    </Safex>
    ----------------------------------------------------------------- 
    NOTE: The line starting "<Export..." should be on one line.
     
    3. Execute the following command:
    safex.exe -h <hostname> -u EiamAdmin -p <password> -f export_gusers.xml
       
    This will produce a file called "EEMusers_export.xml".
    The file is named however is "path of XML file to be exported" (locally).
    And in there, the EEM user-definitions are shown.
    Some of the tags for the users are:
    <GlobalUser folder="/" name="CASMAdmin">
    <UserName>CASMAdmin</UserName>
    <PasswordDigest>{SHA512}ZGdEuvAKXGn3fFJ3Sxf8kmpTUakAthp3uBxnAUwXW3vVFp6l1NP2hLoE6qFKy1Q85qkhHEqyo5KEze76WQA1Rw==</PasswordDigest>
    <PasswordChangeDate>1415797940</PasswordChangeDate>
     
    If you look at this file, it should have all of the "tags"
    which you need to use to add the users.
     
    Thanks and kind regards, Louis.
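
Added example, not part of Louis's post or of CA's tooling: a Python sketch that reads a safex export like the one described above, drops the `PasswordDigest` elements before the data is copied into a database table, and builds a group-to-members map. The `<User>` wrapper, the `<GroupMembership>` element name, the group names and the digest placeholder are assumptions in a constructed sample; check them against what your own export contains.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like the fragment quoted in the post. <User> and
# <GroupMembership> are assumed element names; the digest is a placeholder.
SAMPLE_EXPORT = """<?xml version="1.0" standalone="yes" ?>
<Safex>
  <GlobalUser folder="/" name="CASMAdmin">
    <UserName>CASMAdmin</UserName>
    <PasswordDigest>{SHA512}PLACEHOLDER-NOT-A-REAL-DIGEST</PasswordDigest>
    <PasswordChangeDate>1415797940</PasswordChangeDate>
  </GlobalUser>
  <User folder="/" name="CASMAdmin">
    <GroupMembership>CatalogApprovers</GroupMembership>
  </User>
  <User folder="/" name="jdoe">
    <GroupMembership>CatalogApprovers</GroupMembership>
    <GroupMembership>FinanceApprovers</GroupMembership>
  </User>
</Safex>
"""

SENSITIVE_TAGS = {"PasswordDigest"}  # credential material the approver table never needs

def sanitize_export(xml_text):
    """Return (clean_xml, removed_count) with password digests stripped out."""
    root = ET.fromstring(xml_text)
    removed = 0
    for parent in list(root.iter()):      # snapshot: the tree is edited below
        for child in list(parent):
            if child.tag in SENSITIVE_TAGS:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed

def group_members(xml_text, membership_tag="GroupMembership"):
    """Map group name -> sorted user names (membership_tag is an assumption)."""
    root = ET.fromstring(xml_text)
    groups = defaultdict(set)
    for user in root.iter():
        if user.tag not in ("User", "GlobalUser"):
            continue
        for m in user.findall(membership_tag):
            if user.get("name") and m.text:
                groups[m.text.strip()].add(user.get("name"))
    return {g: sorted(members) for g, members in groups.items()}

if __name__ == "__main__":
    clean, removed = sanitize_export(SAMPLE_EXPORT)
    print(removed, group_members(clean))
```

Running the sanitizer first means the file that a scheduled job loads into the database no longer carries password hashes for the exported accounts.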



  • 9.  Re: Get EEM Group Members from Service Catalog or PAM

    Broadcom Employee
    Posted Jan 26, 2017 02:48 AM

    Good Morning Karolin.

    I also sent you an email message with WSDL_getUser_Demo.docx attached.

    Which might help you further on this subject.

     

    Kind regards, Louis.



  • 10.  Re: Get EEM Group Members from Service Catalog or PAM

    Posted Feb 01, 2017 02:45 PM

    Thank you for your input, Louis!