AutoSys Workload Automation


safex - appending new identities to existing access policies

  • 1.  safex - appending new identities to existing access policies

    Posted Oct 04, 2018 01:42 PM

    Hello,

     

    I'm in the process of automating access provisioning in EEM.

    Created a script which takes parameters required in our environment in order to create the required policies.

    I have no problems adding new DUG Policies to WCC000x and WAAE.

    It's when I need to add identities to existing Access Policies in WAAE that I'm hitting a bump.

    The issue is that when we export a policy, the xml will look like so (my example):

    <Policy folder="/" name="TD_GLB_APSCHED_apl_appl">
    <ResourceClassName>as-appl</ResourceClassName>
    <PolicyType>identityacl</PolicyType>
    <Disabled>False</Disabled>
    <ExplicitDeny>False</ExplicitDeny>
    <PreDeployment>False</PreDeployment>
    <RegexCompare>False</RegexCompare>
    <Resource>CDA.*</Resource>
    <Action>read</Action>
    <Action>execute</Action>
    <Action>write</Action>
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:MFTT_SCHED" rparens="0" tag="1" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="1" />
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:PIT2_SCHED" rparens="0" tag="2" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="2" />
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:TSTA_SCHED" rparens="0" tag="3" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="3" />
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:ECYMA_SCHED" rparens="0" tag="4" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="4" />
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:UPS_SCHED" rparens="0" tag="5" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="5" />
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:CLOUD_SCHED" rparens="0" tag="6" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="6" />
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:IETL_SCHED" rparens="0" tag="7" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="7" />
    <Filter logic="OR" lparens="1" col="req:action" optype="STRING" oper="WITHINSET" val="val:" rparens="0" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:MFTT_SCHED" rparens="0" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:PIT2_SCHED" rparens="0" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:TSTA_SCHED" rparens="0" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:ECYMA_SCHED" rparens="0" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:UPS_SCHED" rparens="0" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:CLOUD_SCHED" rparens="0" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:IETL_SCHED" rparens="1" />
    </Policy>

     

    You will notice the rparens="0" tag="1" etc. which will enumerate the existing identities in the access policy.

    With the DUG Policies, it was easy to add new policies, by simply creating an xml with the information for the new policy and running safex to import the xml.
    But, with adding new identities to existing Access Policies, we need to deal with rparens="0" tag="1".

    So, when simply creating the following xml:

    <Policy folder="/" name="TD_GLB_APSCHED_apl_appl">
    <ResourceClassName>as-appl</ResourceClassName>
    <PolicyType>identityacl</PolicyType>
    <Disabled>False</Disabled>
    <ExplicitDeny>False</ExplicitDeny>
    <PreDeployment>False</PreDeployment>
    <RegexCompare>False</RegexCompare>
    <Resource>CDA.*</Resource>
    <Action>read</Action>
    <Action>execute</Action>
    <Action>write</Action>
    <Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:NEW_SCHED" rparens="0" tag="1" />
    <Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="1" />
    <Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:NEW_SCHED" rparens="1" />
    </Policy>

    I'm overwriting whatever other identities already existed in that access policy, and adding only the new one.

    What I would like to know is if it is possible to manage those rparens="0" tag="1" in a way that the new identities would be appended to the existing ones?

    Or is the only way to do this by exporting the full policy, parsing, stripping, finding the numbers up to which the 'rparens=' and 'tag=' are, updating the xml with the new identity (with the next numbers for 'rparens=' and 'tag='), and re-importing the whole policy?

     

    Thanks a lot in advance for any help. It's appreciated.

     

    Have a great day,

    Tomasz
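
    The export, append, re-import route asked about in the post above, as an added example that is not part of the original thread and is not CA/Broadcom code. It assumes the filter layout is exactly the one in the exported policy shown (tagged grant pairs followed by a block of NEQ rows whose last row has rparens="1"); `append_group`, `granted_groups` and `_flt` are hypothetical names, and the safex export and import steps themselves are not shown.

```python
import xml.etree.ElementTree as ET

def _flt(logic, lp, col, oper, val, rp, **tag):
    e = ET.Element("Filter", dict(logic=logic, lparens=lp, col=col, optype="STRING",
                                  oper=oper, val="val:" + val, rparens=rp, **tag))
    e.tail = "\n"
    return e

def granted_groups(policy):
    """Groups granted access: EQUAL filters on dug:GroupName, in document order."""
    return [f.get("val")[4:] for f in policy.iter("Filter")
            if f.get("col") == "dug:GroupName" and f.get("oper") == "EQUAL"]

def append_group(policy_xml, group, actions="read,write,execute"):
    policy = ET.fromstring(policy_xml)
    before = granted_groups(policy)
    if group in before:
        return policy_xml                       # already granted: nothing to change
    filters = policy.findall("Filter")
    tagged = [f for f in filters if f.get("tag")]
    neq = [f for f in filters if f.get("oper") == "NEQ"]
    if not tagged or not neq or neq[-1].get("rparens") != "1":
        raise ValueError("unexpected filter layout; refusing to edit")
    nxt = str(max(int(f.get("tag")) for f in tagged) + 1)
    at = list(policy).index(tagged[-1]) + 1     # directly after the last grant pair
    policy.insert(at, _flt("OR", "1", "dug:GroupName", "EQUAL", group, "0", tag=nxt))
    policy.insert(at + 1, _flt("AND", "0", "req:action", "WITHINSET", actions, "1", tag=nxt))
    neq[-1].set("rparens", "0")                 # previous last NEQ no longer closes the group
    policy.insert(list(policy).index(neq[-1]) + 1,
                  _flt("AND", "0", "dug:GroupName", "NEQ", group, "1"))
    if granted_groups(policy) != before + [group]:
        raise RuntimeError("existing identities would be lost; aborting")
    return ET.tostring(policy, encoding="unicode")

# Constructed sample: the exported policy from the post, trimmed to two identities.
SAMPLE = """<Policy folder="/" name="TD_GLB_APSCHED_apl_appl">
<ResourceClassName>as-appl</ResourceClassName>
<PolicyType>identityacl</PolicyType>
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:MFTT_SCHED" rparens="0" tag="1" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="1" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:PIT2_SCHED" rparens="0" tag="2" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="2" />
<Filter logic="OR" lparens="1" col="req:action" optype="STRING" oper="WITHINSET" val="val:" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:MFTT_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:PIT2_SCHED" rparens="1" />
</Policy>"""

if __name__ == "__main__":
    print(append_group(SAMPLE, "NEW_SCHED"))
```

    Diffing the returned XML against the fresh export before importing it shows exactly which identities the import will add.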



  • 2.  Re: safex - appending new identities to existing access policies

    Posted Oct 08, 2018 10:15 AM

    You are better off connecting to AD/LDAP and using string subtraction on group names and do one and done. I would NOT autocreate those policies you have to this extent.

    just my 3 cents 

    Good luck

     

    Steve C.



  • 3.  Re: safex - appending new identities to existing access policies

    Posted Nov 29, 2018 08:56 AM

    Interesting. Will look into that.

    Thanks a lot.

     

    Have a great day!
    Tom