
Section 8: Use case Project resources This section introduces reverse privilege inheritance direction (top-down inheritance direction). The section shows the difference between the bottom-up and top-down inheritance direction of the privileges and how to implement reverse inheritance.

Section 9: Deleting roles In this section we learn how to delete roles we previously created.

Section 1: Creating the identity store

This section describes how you create and initialize the identity store.

Adding the identity store

First, we create the identity store.

1. Select the entry "Identity stores" in the console tree, and choose New/Identity store... from the context menu to start the Identity store wizard.

2. Choose "Next >".

Enter a name for the identity store.

Disable the automatic attribute creation. This option is used to control what happens when an attribute which does not exist or an attribute which is not defined as a legal attribute on an entry type is written to the identity store.

If the "Automatically create new attributes" is enabled, the new attribute is created and added to the entry type. If the option is disabled, an error is returned.

3. Choose "Next >".

We will use the MX_PERSON entry type, so we do not need any additional entry types.

4. Choose "Next >" and then "Finish" to complete the wizard.

The new Identity Store is created and added to the console tree:

Configuring the identity store

To configure the identity store:

1. Select the "PrivRoles" identity store in the console tree and select the "Workflow" tab:

Select "Identity store" as the authentication method. This is necessary to be able to log into the workflow.

2. Choose "Apply".

3. Choose "Add user…".

Select "MX_PERSON" in the "Entry type" field.

Fill in a user name and password you will use to log in to the Workflow interface.

4. Choose "OK".

Section 2: Building the identity store

In this section we are going to read the contents of the source file hr.csv into the identity store.

Defining a repository definition for the data source

A repository definition is used to hold constants and variables which are common for one data source (repository). The repository constants can be accessed from the context menu in the same way as global constants.

1. Start the repository wizard by selecting the "Repositories" entry in the console tree, and choosing New/Repository… from the context menu.

2. Choose "Next >".

Select "File" as the repository template.

3. Choose "Next >".

Name the repository definition Employees.

4. Choose "Next >".

Fill in the file name.

To do this, click inside the "File name" field and the "…" button will appear.

5. Choose the "…" button.

Navigate to and select the file hr.csv.

6. Choose "Open".

7. Choose "Next >", and then "Finish" to insert the new repository definition.

Reading the source data into the identity store

We have now created a repository definition for the hr.csv file and defined an identity store that we can use when creating the job which will read the source data to the identity store.

Creating the folder and job

First, we are going to create a folder for the jobs in the tutorial, and the job definition for this job.

1. Create a folder called "PrivRoles job folder" that can be used to hold the jobs. Select the Identity Center's entry in the console tree and choose New/Folder… from the context menu to create the folder.

2. Create a job by selecting the folder's entry and choosing New/Empty job from the context menu.

Modify the name of the job in the console tree.

Enable the job and select a dispatcher.

3. Choose "Apply".

This job will contain two passes; one to read the source (ASCII) file hr.csv into the temporary table (tutorial_employees), and another to read from this table into the identity store. This must be done in a single job. The reason is that the first pass will delete the temporary table every time it executes, and then fill it with the data from the hr.csv file. If the second pass was a separate job (which could then be run asynchronously from the first), it could start just when the table was deleted or just partly filled, and then remove the missing people from the identity store.

Reading the source file

First, we will create the pass that reads the source (hr.csv) file:

1. Select the job in the console tree and choose New/From ASCII file from the context menu.

Enter Read Employees as the name of the pass in the console tree.

Repository

Select the "Employees" in the "Repository" list.

2. Select the "Source" tab and fill in the following:

File name

Use the context menu to insert the repository constant %$rep.FILENAME% that refers to the file name.

Field separator

Enter a comma sign (,) as the field separator.

Header line

Make sure that "Header line" is selected.

3. Select the "Destination" tab:

Fill in the fields with the following values:

Database

Use the context menu to insert the system parameter %$ddm.identitycenter% that refers to the Identity Center database.

Table name

Enter tutorial_employees as the table name.

Note:

Do not use hyphen in table names, as this will cause problems with some database drivers.

Definitions

Choose "Insert template" and select "Data source template" to create the pass definitions.

4. Choose "Apply".

Running the job

At this point, we are ready to test the pass. Run the job by viewing the job properties and choosing "Run now". View the job log to verify that the job ran successfully, and that a number of entries have been processed.

Updating the identity store

The next step is to create the pass that writes the data to the identity store:

1. Select the "Read Employees" pass and choose New/To Identity store from the context menu and select the "Source" tab:

Modify the pass name in the console tree.

Database

Use the context menu to insert the system parameter %$ddm.identitycenter%.

SQL statement

Enter the SQL statement to select all rows from the table created in the previous pass (SELECT * FROM tutorial_employees;).

2. Select the "Destination" tab:

Identity store

Select the "PrivRoles" identity store.

Entry type

Select the entry type "MX_PERSON".

Definitions

Choose "Insert template" and select "Data source template" to insert the definitions for the pass.

Modify the definition to use the attributes from the entry type. You can use the context menu to find the destination attributes. Give the attribute MSKEYVALUE the EmployeeID values, and add the attribute DISPLAYNAME constructed of employee's first and last name (as shown above).

3. Choose "Apply".

Running the job

Run the job and open the job log to verify that 50 entries were added (100 entries processed).

Verifying the contents of the identity store

If everything has gone well, the identity store should now contain all entries from the hr.csv file.

Note:

Make sure that the Monitoring web interface is configured for the Identity Center you are using.

1. Start the Monitoring web interface.

Note:

Notice that login to Monitoring is limited to <prefix>_user. This user is by default set to mxmc_user, but can be configured in config.xml (and needs to be configured by those using a database with a prefix other than mxmc). To configure the login user, insert the following line into the config.xml file:

<databaseuser>%PREFIX%_user</databaseuser>

2. Choose "Identity store" in the menu.

3. Select the "PrivRoles" identity store and then "Search" to return all entries in the identity store.

4. Verify that the entries are present in the identity store.

Enabling the delta

We now have two working passes. The next step is to ensure that only modified entries in the data source are written to the identity store. The delta mechanism must be enabled on the "To Identity store" pass (Employees to ID store) of the "Employees to Identity store" job.

1. Select the "Employees to ID store" pass and select the "Delta" tab:

Fill in the fields with the following values:

Enable delta

Select this check box to enable delta on this pass.

Delta database

Use the context menu to insert the system parameter %$ddm.identitycenter% to specify that you want to use the Identity Center database for the delta database.

Delta identifier

Enter Employees_to_IDStore as the delta identifier. This must be unique within one delta database.

Delta key

This is automatically filled in with the value from the first line of the definitions on the "Destination" tab.

Skip unchanged entries and Mark for deletion

Make sure that both "Skip unchanged entries" and "Mark for deletion" are selected.

2. Choose "Apply".

Run the job a couple of times and view the job log. You can observe that the first time the job is
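The following is an added example, not part of the SAP Identity Management tutorial: a plain JavaScript simulation of the two passes above and of the delta settings on the "Employees to ID store" pass. The CSV content is constructed; the column names FirstName and LastName are assumptions (the page only names EmployeeID), and a JSON serialisation stands in for the per-key hash that the product stores in its delta table.

```javascript
// Added example (not the tutorial's own code): simulate "Read Employees" -> "Employees to
// ID store" with delta enabled. Constructed sample data stands in for hr.csv; the column
// names FirstName/LastName are assumptions.

const HR_CSV_RUN1 = [
  "EmployeeID,FirstName,LastName,Department",
  "3001,Anna,Berg,Finance",
  "3002,Carl,Dahl,IT",
  "3003,Eva,Falk,HR",
].join("\n");

// Second run: 3002 changed a column that is not mapped, 3003 changed her name, 3001 is gone.
const HR_CSV_RUN2 = [
  "EmployeeID,FirstName,LastName,Department",
  "3002,Carl,Dahl,Finance",
  "3003,Eva,Falk-Lund,HR",
].join("\n");

// Pass 1 equivalent: parse the ASCII file (header line, comma separator) into table rows.
function parseCsv(text, sep = ",") {
  const [header, ...lines] = text.split("\n").filter((l) => l.length > 0);
  const cols = header.split(sep);
  return lines.map((line) => {
    const cells = line.split(sep);
    return Object.fromEntries(cols.map((c, i) => [c, cells[i] ?? ""]));
  });
}

// Pass 2 equivalent: map a table row onto MX_PERSON attributes. MSKEYVALUE is the first
// destination definition and therefore the delta key.
function toPerson(row) {
  return {
    MSKEYVALUE: row.EmployeeID,
    DISPLAYNAME: `${row.FirstName} ${row.LastName}`,
  };
}

// deltaTable: one table per delta identifier, mapping delta key -> digest of written values.
// JSON.stringify is a stand-in for the hash the product keeps (assumption).
function runDelta(deltaTable, persons) {
  const result = { added: [], modified: [], unchanged: [], markedForDeletion: [] };
  const seen = new Set();
  for (const p of persons) {
    const key = p.MSKEYVALUE;
    const digest = JSON.stringify(p);
    seen.add(key);
    if (!(key in deltaTable)) {
      result.added.push(key);
    } else if (deltaTable[key] !== digest) {
      result.modified.push(key);
    } else {
      result.unchanged.push(key); // "Skip unchanged entries": nothing written to the store
    }
    deltaTable[key] = digest;
  }
  // "Mark for deletion": keys the source no longer delivers are flagged, not silently kept.
  for (const key of Object.keys(deltaTable)) {
    if (!seen.has(key)) {
      result.markedForDeletion.push(key);
      delete deltaTable[key];
    }
  }
  return result;
}

// Run the job twice, as the tutorial suggests, and return both job logs.
function simulate() {
  const deltaTable = {}; // the delta identifier Employees_to_IDStore
  const first = runDelta(deltaTable, parseCsv(HR_CSV_RUN1).map(toPerson));
  const second = runDelta(deltaTable, parseCsv(HR_CSV_RUN2).map(toPerson));
  return { first, second };
}
```

The second run shows why the page insists on keeping both passes in one job: entry 3001 is marked for deletion only because it is absent from the source. If the "To Identity store" pass could run against a half-filled tutorial_employees table, every row not yet loaded would be marked for deletion in exactly the same way.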

Section 3: Creating the privileges

In this section you will learn how to create privileges. The privileges that need to be created are:

PRIV:MainEntrance

PRIV:ServerRoom

PRIV:ArchiveRoom

PRIV:ProjectArchive

The focus in this tutorial is to show the principles and mechanisms of working with roles and privileges, and not so much on configuration of the external systems. So when a user is given a particular privilege, a file will be created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the respective folder. In a production system, these privileges would create and delete users or grant or revoke access rights in target systems.

Creating folders for privileges

Before creating privileges, create folders where users with the given privilege will be provisioned to. These folders will function as target repositories for the provisioning data. We create the folder building, where the users assigned the privileges PRIV:MainEntrance, PRIV:ServerRoom and PRIV:ArchiveRoom are provisioned to, and the folder project, where the users with the privilege PRIV:ProjectArchive are provisioned to.

Go to C:\Tutorial (the directory which we created a global constant for) and create the two folders.

Defining repository definitions for folders

Here we will create repository definitions Building and Project for the two target folders building and project.

To create repository definitions for the folders building and project, do the following:

1. Start the repository wizard by selecting the "Repositories" entry in the console tree, and choosing New/Repository… from the context menu.

2. Choose "Next".

Select "Generic repository" as the repository template.

3. Choose "Next >".

Name the repository definition Building.

4. Choose "Next >", and then "Finish", to insert the new repository definition.

5. Expand the "Building" entry (under Management\Repositories) in the console tree, select "Constants" and choose New/Constant… from the context menu.

Specify the name of the constant and the directory where the target repository (folder) is stored: name the constant PATH and give it the value %$glb.TUTORIAL_PATH%\building. Use the context menu to insert the global constant %$glb.TUTORIAL_PATH%.

6. Choose "OK" to close the dialog box and insert the constant.

7. Repeat the same procedure to define the repository definition for the project folder. Name the repository definition Project and define a constant PATH with the value %$glb.TUTORIAL_PATH%\project.

Creating the privileges

The target folders and their repository definitions are defined and we can now add the privileges:

1. Select "Identity store metadata\Privileges" under your identity store in the console tree and choose New/Privilege… from the context menu.

Name

Enter the name of the privilege.

Repository

Select the correct repository definition for this privilege. By adding the repository reference to the privilege, you could re-use the tasks for other privileges controlling other folders.

2. Choose "OK" to close the dialog box and insert the new privilege.

3. Repeat the process for the privileges PRIV:ServerRoom, PRIV:ArchiveRoom and PRIV:ProjectArchive. For the PRIV:ProjectArchive privilege, select Project in the "Repository" field.

Section 4: Creating the provisioning tasks

In this section, the tasks for provisioning and de-provisioning of users are created. It is also shown how you define these on the repository definitions Building and Project created in previous section. To easily identify the tasks we use the following syntax:

#<Repository name>_<Operation>

For instance:

#Building_Provisioning

#Building_Deprovisioning

Before the provisioning tasks are created, the Java script GetMskeyvalueFromPriv used by the provisioning tasks need to be defined.

Creating global Jscript GetMskeyvalueFromPriv

When a user is given a particular privilege, a file will be created (containing the timestamp of when the privilege was assigned to the user) and provisioned to the respective folder. Name of the file has the following naming convention:

<MSKEYVALUE of the provisioned user>-<cleaned MSKEYVALUE of the privilege>.txt

For instance:

3001-PRIV_MainEntrance.txt

The cleaned MSKEYVALUE of the privilege is the MSKEYVALUE with the colon (":") replaced by an underscore ("_"): for the MSKEYVALUE "PRIV:MainEntrance" the cleaned MSKEYVALUE is "PRIV_MainEntrance". The reason is that a colon (":") cannot be used in a file name.

The global Java script GetMskeyvalueFromPriv is used by the provisioning tasks to obtain the cleaned MSKEYVALUE of the privilege assigned to the user.

To create the script, do the following:

1. Go to Management\Global scripts and select "JScript" in the console tree.

2. Choose New/Script… from the context menu.

Name the script "GetMskeyvalueFromPriv".

3. Choose "OK".

Define the following script (you can copy and paste the script defined under and replace the template definition):

// Main function: GetMskeyvalueFromPriv
// --- This function returns the MSKEYVALUE for the privilege which caused this task
// to execute.
// Some UserFunc.uErrMsg calls are included for debugging. Remove the comment "//"
// before these calls to get the information in the log file.
function GetMskeyvalueFromPriv() {
    // get audit ID, then changevalues which holds the mskey of the privilege added
    // then get the value of the attribute MSKEYVALUE for that entry
    // --- First get the AuditID which is currently executing
    AuditID = UserFunc.uGetAuditID();
    // UserFunc.uErrMsg(1,"AuditID:"+AuditID);
    // --- Then get which values were changed
    // This returns "<Attribute name>:<OPERATION>;<New value>!!<Old value>"
    ChangeValues = UserFunc.uGetChangeValues("!!",AuditID);
    // UserFunc.uErrMsg(1,"ChangeValues:"+ChangeValues);
    // --- Split off "<Attribute name>:<OPERATION>", then split new and old value
    // (this statement is missing from the extracted page; reconstructed from the format above)
    temp = ChangeValues.split(";");
    Values = temp[1].split("!!");
    // UserFunc.uErrMsg(1,"Values (New/Old):"+Values[0]+"/"+Values[1]);
    // --- If the privilege was deprovisioned, its MSKEY is in the old value, Values[1]
    Val0len = Values[0].length;   // plain JScript string length
    // (the selection below is missing from the extracted page; reconstructed from the comments)
    if (Val0len > 0) {
        PrivAssignedMSKEY = Values[0];   // privilege assigned: MSKEY is the new value
    } else {
        PrivAssignedMSKEY = Values[1];   // privilege removed: MSKEY is the old value
    }
    // --- Got MSKEY of privilege, now get the MSKEYVALUE
    PrivMSKEYVALUE = UserFunc.uIS_GetValue(PrivAssignedMSKEY,0,"MSKEYVALUE");
    // --- Replace : with _ to make it "file-name friendly"
    PrivMSKEYVALUEclean = UserFunc.uReplaceString(PrivMSKEYVALUE, ":", "_");
    // UserFunc.uErrMsg(1, "Returning MSKEYVALUE:" + PrivMSKEYVALUEclean);
    return PrivMSKEYVALUEclean;
}

4. Choose "OK" and the global script is added.

Creating the provisioning tasks for the Building repository definition

Here we create the tasks for provisioning and de-provisioning to the Building repository definition.

Creating a folder for the Building tasks

First create a folder that will be used for the tasks:

Note:

When creating a new identity store, a folder "Provisioning folder" is added to the identity store.

Instead of creating new folder for provisioning to the Building repository definition, you could also rename the already existing folder.

1. Select the "PrivRoles" identity store and choose New/Folder… from the context menu.

Enter Building provisioning folder as the name for the folder.

2. Choose "OK". The folder is included in the console tree.

Deselect "Show folder in workflow" as the tasks in this folder should not be displayed in the workflow.

3. Choose "Apply".

Adding the task #Building_Provisioning

This task will create a file in the building folder. The contents of the file are date and time when the user was provisioned.

Note:

Note that this is given as an example only, and that there are no checks for illegal characters in the file name. Both parts of the name come from data: %MSKEYVALUE% is the EmployeeID read from hr.csv, and the privilege name comes from the identity store, and the whole line is handed to cmd /c. A value containing quotes, path separators or shell metacharacters would change the command that is executed, so a production task must validate or reject such values before they reach the shell.

To create the task "#Building_Provisioning":

1. Select the folder you just created and choose New/Action task/Empty job from the context menu.

Rename this task to #Building_Provisioning.

Select the Building repository definition in the "Repository" field.

2. Choose "Apply".

3. Select the job in the console tree:

Modify the job name in the console tree.

Modify the job properties:

Enabled

Select this check box to enable the job to be run by a dispatcher.

Run by dispatchers

Select a dispatcher that should be responsible for running this job.

4. Choose "Apply".

5. Select "Script" in the console tree (under the job), then choose New/Link global script and select "GetMskeyvalueFromPriv" to establish the link to the global script

GetMskeyvalueFromPriv.

6. Select the job and choose New/Shell execute to create a pass in the console tree.

In a "Destination" tab add the following line to the definitions (you can use the context menu to insert the constants/attributes/scripts or copy and paste the lines below):

cmd /c echo Privilege assigned %$ddm.date% %$ddm.time% > "%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetMskeyvalueFromPriv(???)$$.txt"
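The following added example is not the tutorial's script and not product code: it re-implements, as a pure function, the parsing that GetMskeyvalueFromPriv performs on the change-value string, covers both the assignment and the removal case, and adds the file-name validation that the note above says is missing before the name is placed into the cmd /c line. The change-value strings, the operation names ADD and DELETE, and the MSKEY-to-MSKEYVALUE lookup table are constructed; the exact strings uGetChangeValues returns on a live system may differ.

```javascript
// Added example (not the tutorial's script): change-value parsing plus file-name validation
// for the "#<Repository>_Provisioning" / "_Deprovisioning" shell-execute passes.

// The page documents the format as "<Attribute name>:<OPERATION>;<New value>!!<Old value>".
// Returns the privilege MSKEY: the new value on assignment, the old value on removal.
function privMskeyFromChangeValues(changeValues, sep = "!!") {
  const semi = changeValues.indexOf(";");
  if (semi < 0) throw new Error("unexpected change-value format: " + changeValues);
  const [newValue, oldValue] = changeValues.slice(semi + 1).split(sep);
  return newValue.length > 0 ? newValue : oldValue;
}

// Constructed stand-in for uIS_GetValue(mskey, 0, "MSKEYVALUE"): the four tutorial privileges.
const PRIVILEGES = {
  "1501": "PRIV:MainEntrance",
  "1502": "PRIV:ServerRoom",
  "1503": "PRIV:ArchiveRoom",
  "1504": "PRIV:ProjectArchive",
};

// Colon is not allowed in a Windows file name, so PRIV:X becomes PRIV_X.
function cleanPrivName(mskeyvalue) {
  return mskeyvalue.replace(/:/g, "_");
}

// Allow-list for anything that is interpolated into the cmd /c line. Quotes, spaces,
// path separators and shell metacharacters are all rejected; ".." is rejected separately
// because the character class admits dots.
const SAFE_NAME = /^[A-Za-z0-9_.-]+$/;

function assertSafeNamePart(part) {
  if (!SAFE_NAME.test(part) || part.includes("..")) {
    throw new Error("refusing to build a file name from " + JSON.stringify(part));
  }
}

// "<MSKEYVALUE of the user>-<cleaned MSKEYVALUE of the privilege>.txt"
function provisioningFileName(userMskeyvalue, changeValues) {
  const privMskey = privMskeyFromChangeValues(changeValues);
  const privName = PRIVILEGES[privMskey];
  if (privName === undefined) throw new Error("unknown privilege MSKEY " + privMskey);
  const cleaned = cleanPrivName(privName);
  assertSafeNamePart(userMskeyvalue);
  assertSafeNamePart(cleaned);
  return `${userMskeyvalue}-${cleaned}.txt`;
}
```

With the allow-list in place, a user whose MSKEYVALUE is 3001 and the assignment of PRIV:MainEntrance yield 3001-PRIV_MainEntrance.txt, the removal of a privilege resolves through the old value, and an EmployeeID that carries a quote or an ampersand aborts the task instead of being written into the command line.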

Adding the task #Building_Deprovisioning

This task will delete the file created by the #Building_Provisioning task. To create the task "#Building_Deprovisioning":

1. Select the folder Building provisioning folder and choose New/Action task/Empty job from the context menu.

Rename this task to #Building_Deprovisioning.

Select the Building repository definition in the "Repository" field.

2. Choose "Apply".

3. Select the job in the console tree:

Modify the job name in the console tree.

Modify the job properties:

Enabled

Select this check box to enable the job to be run by a dispatcher.

Run by dispatchers

Select a dispatcher that should be responsible for running this job.

4. Choose "Apply".

5. Select "Script" in the console tree (under the job), then choose New/Link global script and select "GetMskeyvalueFromPriv" to establish the link to the global script

GetMskeyvalueFromPriv.

6. Select the job and choose New/Shell execute to create a pass in the console tree.

In a "Destination" tab add the following line to the definitions (you can use the context menu to insert the constants/attributes/scripts or copy and paste the line below):

cmd /c Del "%$rep.PATH%\%MSKEYVALUE%-$FUNCTION.GetMskeyvalueFromPriv(???)$$.txt"

7. Choose "Apply".

Creating the provisioning tasks for the Project repository definition

Here we create the tasks for provisioning and de-provisioning to the Project repository definition.

Creating a folder for the Project tasks

First create a folder that will be used for the tasks:

1. Select the "PrivRoles" identity store and choose New/Folder… from the context menu.

Enter Project provisioning folder as name for the folder.

2. Choose "OK". The folder is included in the console tree.

Deselect "Show folder in workflow" as the tasks in this folder should not be displayed in the workflow.

3. Choose "Apply".

Adding the task #Project_Provisioning

This task is similar to the task "#Building_Provisioning" created previously. Thus, we can copy this task from folder Building provisioning folder to Project provisioning folder:

1. Copy the #Building_Provisioning task into the Project provisioning folder:

2. Select the task in the console tree:

Rename this task to #Project_Provisioning.

Select the Project repository definition in the "Repository" field.

3. Choose "Apply".

4. Select the job in the console tree:

Modify the job name in the console tree.

Modify the job properties:

Enabled

Select this check box to enable the job to be run by a dispatcher.

Run by dispatchers

Select a dispatcher that should be responsible for running this job.

