Symantec IGA

  • 1.  Access Role Events not firing

    Posted Jan 02, 2018 06:41 PM
    Hi,
We’ve defined several Access Roles using the Organizations in the User Store as criteria in the membership rules, e.g.:
Access_Role_1: Member Rule in Organization “SALES”
Access_Role_2: Member Rule in Organization “MARKETING”
    So that every user contained in the organisation SALES will be given Access_Role_1 and those in MARKETING will be given Access_Role_2.
In the “Add Action” section we’ve configured that when a user is added/removed as a member of this role a multi-value attribute of the user profile should be set.
We need to bind the assign and revoke Access Role events to some Policy Xpress to perform some business logic; so we created one Policy Xpress bound to AssignAccessRoleEvent and another one to RevokeAccessRoleEvent.
It looks like those two events never fire, as:
- The Add Action is not performed; the multi-value attribute of the user is not updated when a user achieves the role by being moved to one of the organisations mentioned before.
    - The PXs are not called.
    Christian.


  • 2.  Re: Access Role Events not firing

    Posted Jan 08, 2018 01:09 PM

    UP



  • 3.  Re: Access Role Events not firing
    Best Answer

    Posted Jan 08, 2018 06:40 PM

    Are you using Organizations with a hierarchical OU structure or as a flat-directory where Organization is simply a user attribute?

    Regardless, you will need to track the events that are actually triggering the assignment of the access role as you do not appear to be doing it explicitly. It may be that either a create or modify user event and/or an organization event may be the trigger.



  • 4.  Re: Access Role Events not firing

    Posted Jan 08, 2018 07:16 PM

First of all, thanks for your reply.


I'm using a hierarchical OU structure; the user store is a supported relational database.

Apart from the Organization Access Roles I mentioned in my question, we also have defined typical Access Roles having member rules such as "where ( Access Roles contains “DELIVERY” )" & Add Action: "Add to “DELIVERY” access role" & Remove Action: "Remove from “DELIVERY” Access Role"; in this case manually assigning the role to a user does trigger the Assign|Revoke AccessRoleEvent.

Going back to my original question & your suggestion, at the moment the create or modify user event is the solution we have in place, but I would like to get rid of it in a more elegant way because:

- In the PXs I've to check the type of modification performed on the user; as of today we are only using Organization as Access Roles, but in future we may also use other filters in the member rule, such as user's company, user's office and so on, or even create complex member rules (e.g. 'In organisation X' & 'In office Y' & 'user not disabled' & 'is internal user'), and it's gonna be hard to evaluate all that in PXs; I wouldn't have to deal with all that if, even in the case of automatic membership, IDM would generate some events like Assign|Revoke AccessRoleEvent.

- The actual PXs are evaluated on every user modification, and appear in the VST adding extra information which may cause mistakes when troubleshooting problems.


    Thank you,

    Christian.