IBM Verify

  • 1.  Adding roles to user in workflow on ISIM.

    Posted Thu February 27, 2020 06:23 PM
    hi,

    I'm trying to add static roles to a Person through workflows, but so far it is not working. This is what I have tried so far:

    • On the Person class Java API (com.ibm.itim.dataservices.model.domain.Person), using the method addRoles(), but it is not working.
    var PersonData = Entity.get();
    Enrole.log("INFO", PersonData);
    if(PersonData != null)
    {
        Enrole.log("INFO", PersonData);
        Enrole.log("INFO", "PERSON CN -> " + PersonData.getProperty("cn")[0]);
        var roles = (new RoleSearch()).searchByName("Test Role");
        if (roles.length > 0)
        {
            
            Enrole.log("INFO", "MODIFICAR ROL");
            var RoleDATA = roles[0];
            Enrole.log("INFO", "ROLE NAME -> " + RoleDATA.getProperty("errolename")[0]);
            Enrole.log("INFO", "ROLE DN -> " + RoleDATA.dn);
            var DNRaw = com.ibm.itim.dataservices.model.DistinguishedName(RoleDATA.dn);
            PersonData.addRole(DNRaw);
        }
    }
    • Directly adding the role DN to the "erroles" property on the person.

    So far neither of these methods is working. Does anyone have any idea or workaround?

    Now, can you create com.ibm.itim.dataservices.model.domain.Person objects to use this method?


  • 2.  RE: Adding roles to user in workflow on ISIM.

    Posted Thu February 27, 2020 08:07 PM
    Hi Gabriel...

    You seem to be mixing ISIM's JavaScript Objects/Methods and Java Objects/Methods. There is no addRole() method on ISIM's Person JavaScript object (which is what you're getting with Entity.get() for your PersonData variable).

    Typically what you'd do here is get the current Roles from the Person object....create a new Array, iterate through all the current Roles, to add to the new Array, and add the new Role as well...then add that to the Person's...erRoles Attribute.

    You'd probably want to be doing something like this (note: it's late here and I don't have access to any of my ISIM systems...so doing this off the top of my head and might have some syntax issues):

    var PersonData = Entity.get();
    Enrole.log("INFO", PersonData);
    if (PersonData != null) {
        Enrole.log("INFO", PersonData);
        Enrole.log("INFO", "PERSON CN -> " + PersonData.getProperty("cn")[0]);
        // Collect the DNs of the roles the person already has
        var newRoles = new Array();
        var currentRoles = PersonData.getRoles();
        // Indexed loop: for...of is ES6 syntax and may not parse in the workflow script engine
        for (var i = 0; i < currentRoles.length; i++) {
            newRoles.push(currentRoles[i].dn);
        }
        // Look up the role to add by name
        var roles = (new RoleSearch()).searchByName("Test Role");
        if (roles.length > 0) {
            Enrole.log("INFO", "MODIFICAR ROL");
            var RoleDATA = roles[0];
            Enrole.log("INFO", "ROLE NAME -> " + RoleDATA.getProperty("errolename")[0]);
            Enrole.log("INFO", "ROLE DN -> " + RoleDATA.dn);
            // Append the new role DN, write the full list to erRoles, then update the entity
            newRoles.push(RoleDATA.dn);
            PersonData.setProperty("erRoles",newRoles);
            Entity.set(PersonData);
        }
    }



    ------------------------------
    Grey Thrasher
    IBM
    ------------------------------



  • 3.  RE: Adding roles to user in workflow on ISIM.

    Posted Thu February 27, 2020 09:31 PM
    Hi, well, I don't know what happened, but I tried this yesterday and today after this post and it wouldn't work, so I decided to restart the ISIM server and try again, and after the ISIM reboot it works.

    Thank you.

    ------------------------------
    Gabriel Labarrera Vega
    ------------------------------



  • 4.  RE: Adding roles to user in workflow on ISIM.

    Posted Fri February 28, 2020 09:17 AM
    The JavaScript API is alas somewhat inconsistent - it uses a mixture of role objects (DNs) and role names (e.g. isInRole uses the name, which is not good if you have multiple roles with the same name…).
    You can instead of using
     RoleDATA.getProperty("errolename")[0]
    just use
    RoleDATA.name
    Same goes for the DN.
    Being bad at a keyboard, shorter code is always a preference for me :-)


    A general piece of advice that I am pretty sure @Grey Thrasher shares - use JavaScript wherever possible - APIs are a can of worms unless you REALLY know what you are doing - and stay away from the dataservices API for updates - it does not work the way normal people think it would. The external APPS API is recommended in most cases - it is, though, somewhat tricky to use in the workflow engine - which is also why it is a good idea to stick to JavaScript whenever possible.

    I am personally a great fan of the JAVA APIs in ISIM JavaScript - it is in most cases much faster to work with than building real JAVA code extensions - but it comes with a can of worms in terms of security that most people are not aware of. So if you are concerned about internal ISIM security, do not use the Java APIs, or get some help from IBM Product Services.

    HTH



    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
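
Added example (not part of any post above, and not IBM code): the thread's script grants roles[0] from a name search and appends its DN to erRoles, while post 4 notes that role names may not be unique. The sketch below fails closed when a name matches more than one role and merges DNs without duplicates. The function names are hypothetical, the DNs are constructed sample values, and plain objects with .name and .dn stand in for the role objects a workflow script would receive.

```javascript
// Normalize a DN for comparison: drop spaces around ',' and '=', trim, lowercase.
// Simplification (assumption): escaped commas inside attribute values are not handled.
function normalizeDn(dn) {
    return String(dn).replace(/\s*([,=])\s*/g, "$1").replace(/^\s+|\s+$/g, "").toLowerCase();
}

// Return the single role whose name matches exactly; throw on zero or several hits,
// so an ambiguous name can never silently grant the wrong role.
function pickUniqueRole(searchResults, expectedName) {
    var hits = [];
    for (var i = 0; i < searchResults.length; i++) {
        if (searchResults[i].name === expectedName) {
            hits.push(searchResults[i]);
        }
    }
    if (hits.length !== 1) {
        throw new Error("Expected exactly one role named '" + expectedName +
                        "', found " + hits.length);
    }
    return hits[0];
}

// Build the new erRoles value: existing DNs plus the new one, skipping duplicates
// that differ only in case or spacing.
function mergeRoleDns(currentDns, newDn) {
    var seen = {};
    var merged = [];
    var all = currentDns.concat([newDn]);
    for (var i = 0; i < all.length; i++) {
        var key = normalizeDn(all[i]);
        if (!Object.prototype.hasOwnProperty.call(seen, key)) {
            seen[key] = true;
            merged.push(all[i]);
        }
    }
    return merged;
}

// Constructed sample data: two different roles that share one name.
var sampleSearch = [
    { name: "Test Role", dn: "erglobalid=111,ou=roles,erglobalid=0,ou=example,dc=com" },
    { name: "Test Role", dn: "erglobalid=222,ou=roles,erglobalid=0,ou=example,dc=com" }
];
// The person already holds role 111 (same DN, different spacing and case).
var sampleCurrent = ["erglobalid=111, ou=roles, erglobalid=0, OU=example, DC=com"];
```

In a workflow script the merged array would be what gets passed to setProperty("erRoles", ...), with the role selected by its DN rather than by position in the search result.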