
safex - appending new identities to existing access policies

Question asked by Tomasz Podlesncy on Oct 4, 2018
Latest reply on Nov 29, 2018 by Tomasz Podlesncy

Hello,


I'm in the process of automating access provisioning in EEM.

Created a script which takes parameters required in our environment in order to create the required policies.

I have no problems adding new DUG Policies to WCC000x and WAAE.

It's when I need to add identities to existing Access Policies in WAAE that I'm hitting a bump.

Issue is when we export a policy, the xml will look like so (my example):

<Policy folder="/" name="TD_GLB_APSCHED_apl_appl">
<ResourceClassName>as-appl</ResourceClassName>
<PolicyType>identityacl</PolicyType>
<Disabled>False</Disabled>
<ExplicitDeny>False</ExplicitDeny>
<PreDeployment>False</PreDeployment>
<RegexCompare>False</RegexCompare>
<Resource>CDA.*</Resource>
<Action>read</Action>
<Action>execute</Action>
<Action>write</Action>
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:MFTT_SCHED" rparens="0" tag="1" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="1" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:PIT2_SCHED" rparens="0" tag="2" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="2" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:TSTA_SCHED" rparens="0" tag="3" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="3" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:ECYMA_SCHED" rparens="0" tag="4" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="4" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:UPS_SCHED" rparens="0" tag="5" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="5" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:CLOUD_SCHED" rparens="0" tag="6" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="6" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:IETL_SCHED" rparens="0" tag="7" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="7" />
<Filter logic="OR" lparens="1" col="req:action" optype="STRING" oper="WITHINSET" val="val:" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:MFTT_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:PIT2_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:TSTA_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:ECYMA_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:UPS_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:CLOUD_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:IETL_SCHED" rparens="1" />
</Policy>


You will notice the rparens="0" tag="1" etc. which will enumerate the existing identities in the access policy.

With the DUG Policies, it was easy to add new policies, by simply creating an xml with the information for the new policy and running safex to import the xml.
But, with adding new identities to existing Access Policies, we need to deal with rparens="0" tag="1".

So, when simply creating the following xml:

<Policy folder="/" name="TD_GLB_APSCHED_apl_appl">
<ResourceClassName>as-appl</ResourceClassName>
<PolicyType>identityacl</PolicyType>
<Disabled>False</Disabled>
<ExplicitDeny>False</ExplicitDeny>
<PreDeployment>False</PreDeployment>
<RegexCompare>False</RegexCompare>
<Resource>CDA.*</Resource>
<Action>read</Action>
<Action>execute</Action>
<Action>write</Action>
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:NEW_SCHED" rparens="0" tag="1" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="1" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:NEW_SCHED" rparens="1" />
</Policy>

I'm overwriting whatever other identities already existed in that access policy, and adding only the new one.

What I would like to know is if it is possible to manage those rparens="0" tag="1" in a way that the new identities would be appended to the existing ones?

Or is the only way to do this by exporting the full policy, parsing, stripping, finding the numbers up to which the 'rparens=' and 'tag=' are, updating the xml with the new identity (with the next numbers for 'rparens=' and 'tag='), and re-importing the whole policy?


Thanks a lot in advance for any help. It's appreciated.


Have a great day,

Tomasz
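The export/parse/renumber/re-import route the question ends with, worked through as an added example; this is not CA/Broadcom code and not part of safex, and it assumes the export layout shown in the post (one tagged EQUAL/WITHINSET filter pair per identity, then an untagged deny block of NEQ filters whose last entry closes the group with rparens="1"). The sample policy is a constructed two-identity copy of the exported policy above; the functions `list_identities`, `append_identity` and `layout_problems` are hypothetical helpers. Running `safex` on the returned XML is the poster's own step and is left out.

```python
"""Append an identity to an exported EEM identityacl policy before re-import.

Added example for the question above, not CA/Broadcom code and not part of
safex. It assumes the export layout shown in the post: one tagged
EQUAL/WITHINSET filter pair per identity, followed by an untagged deny block
(an OR filter on req:action with val="val:" and then one NEQ filter per
identity, the last of which closes the group with rparens="1").
"""
import xml.etree.ElementTree as ET

GROUP = "dug:GroupName"

# Constructed sample: a two-identity version of the export quoted in the post.
SAMPLE_POLICY = """<Policy folder="/" name="TD_GLB_APSCHED_apl_appl">
<ResourceClassName>as-appl</ResourceClassName>
<PolicyType>identityacl</PolicyType>
<Disabled>False</Disabled>
<ExplicitDeny>False</ExplicitDeny>
<PreDeployment>False</PreDeployment>
<RegexCompare>False</RegexCompare>
<Resource>CDA.*</Resource>
<Action>read</Action>
<Action>execute</Action>
<Action>write</Action>
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:MFTT_SCHED" rparens="0" tag="1" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="1" />
<Filter logic="OR" lparens="1" col="dug:GroupName" optype="STRING" oper="EQUAL" val="val:PIT2_SCHED" rparens="0" tag="2" />
<Filter logic="AND" lparens="0" col="req:action" optype="STRING" oper="WITHINSET" val="val:read,write,execute" rparens="1" tag="2" />
<Filter logic="OR" lparens="1" col="req:action" optype="STRING" oper="WITHINSET" val="val:" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:MFTT_SCHED" rparens="0" />
<Filter logic="AND" lparens="0" col="dug:GroupName" optype="STRING" oper="NEQ" val="val:PIT2_SCHED" rparens="1" />
</Policy>
"""


def _filter(**attrs):
    """Build a <Filter .../> element with the attribute order the export uses."""
    el = ET.Element("Filter", attrs)
    el.tail = "\n"
    return el


def _grants(policy):
    """Tagged EQUAL filters on dug:GroupName, sorted by their tag number."""
    grants = [f for f in policy.findall("Filter")
              if f.get("col") == GROUP and f.get("oper") == "EQUAL" and f.get("tag")]
    return sorted(grants, key=lambda f: int(f.get("tag")))


def list_identities(policy_xml):
    """Identities currently granted by the policy, in tag order."""
    return [f.get("val")[len("val:"):] for f in _grants(ET.fromstring(policy_xml))]


def append_identity(policy_xml, group, actions="read,write,execute"):
    """Return the policy XML with `group` added under the next free tag number."""
    policy = ET.fromstring(policy_xml)
    if group in list_identities(policy_xml):
        raise ValueError(f"{group} is already granted by {policy.get('name')}")
    grants = _grants(policy)
    tag = str(int(grants[-1].get("tag")) + 1) if grants else "1"
    children = list(policy)
    # The untagged OR filter on req:action opens the deny block; grants go before it.
    deny_open = next((f for f in children if f.tag == "Filter"
                      and f.get("tag") is None and f.get("col") == "req:action"), None)
    denies = [f for f in children if f.get("oper") == "NEQ" and f.get("col") == GROUP]
    if deny_open is None or not denies:
        raise ValueError("export does not have the expected trailing deny block")
    pos = children.index(deny_open)
    policy.insert(pos, _filter(logic="OR", lparens="1", col=GROUP, optype="STRING",
                               oper="EQUAL", val=f"val:{group}", rparens="0", tag=tag))
    policy.insert(pos + 1, _filter(logic="AND", lparens="0", col="req:action",
                                   optype="STRING", oper="WITHINSET",
                                   val=f"val:{actions}", rparens="1", tag=tag))
    # The last NEQ filter closed the deny group; the new identity takes over rparens="1".
    last = denies[-1]
    last.set("rparens", "0")
    policy.insert(list(policy).index(last) + 1,
                  _filter(logic="AND", lparens="0", col=GROUP, optype="STRING",
                          oper="NEQ", val=f"val:{group}", rparens="1"))
    return ET.tostring(policy, encoding="unicode")


def layout_problems(policy_xml):
    """Consistency checks a rebuilt policy should pass before it is re-imported."""
    policy = ET.fromstring(policy_xml)
    filters = policy.findall("Filter")
    grants = _grants(policy)
    problems = []
    tags = [int(f.get("tag")) for f in grants]
    if tags != list(range(1, len(tags) + 1)):
        problems.append(f"grant tags are not a gap-free 1..n sequence: {tags}")
    for g in grants:
        closers = [f for f in filters if f.get("tag") == g.get("tag") and f.get("rparens") == "1"]
        if len(closers) != 1:
            problems.append(f"tag {g.get('tag')} is not closed by exactly one rparens=1 filter")
    denies = [f for f in filters if f.get("oper") == "NEQ" and f.get("col") == GROUP]
    denied = [f.get("val")[len("val:"):] for f in denies]
    granted = [f.get("val")[len("val:"):] for f in grants]
    if denied != granted:
        problems.append(f"deny block {denied} does not mirror the grants {granted}")
    if denies and [f.get("rparens") for f in denies] != ["0"] * (len(denies) - 1) + ["1"]:
        problems.append("only the last NEQ filter in the deny block should carry rparens=1")
    return problems


if __name__ == "__main__":
    rebuilt = append_identity(SAMPLE_POLICY, "NEW_SCHED")
    print(rebuilt)
    print("identities:", list_identities(rebuilt))
    print("problems:", layout_problems(rebuilt) or "none")
```

Because an import replaces the whole policy, the useful control is `layout_problems` run on the rebuilt XML before `safex` ever sees it: a tag gap, a grant without its closing `rparens="1"` filter, or a deny block that no longer mirrors the grant list is exactly the kind of defect that would silently change who the policy admits.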
