Hi Franz,
Since Federico is on holiday and I am working with him, let me explain two use cases where being able to work with ISIM groups could be interesting (at least for us):
First of all, let me explain how the capabilities in the ISIM console are granted to the admin users. Our end users are located in containers. Each container is managed by between 2 and 3 user administrators, who are responsible for the authorizations of the users of their container (by granting ISIM roles). These capabilities are granted to the user administrators by ISIM groups which are located in the same container and follow a well-known naming convention (of course, linked to the ACIs which allow managing the users and roles of this container). Thus, when a new user administrator is nominated, it is necessary to grant him the ISIM group of the container where he is located. In summary, there are as many ISIM groups as user groups, and the ISIM groups define the scope of the user administrator.
- First use case. If we are able to grant the ISIM groups by means of provisioning policies, it could be possible to automate the ISIM group authorization and, at the same time, to enforce the capabilities of the user administrator in ISIM: the user administrator has to belong to the ISIM "administrator" group of his container. Thus, it would be enough to nominate/de-nominate the user as user administrator wherever he is.
- Second use case (it is not related to this issue, but is linked to being able to manage ISIM groups). Since it is not possible to define more than one manager for a user (as I said before, it is not our case), we will be able to know who the managers of a user are just by having a look at who belongs to the ISIM "administrator" group of the container where the user is located. It could be interesting for sending notifications, requesting approvals…
I hope you understand our needs a bit more. If so, it is my turn :-D to ask a question about your proposal. Once the objects and methods of ISIM groups are exposed by an Extension, is it still necessary to include the importPackage(Packages.com.ibm.itim.dataservices.model.system); statement?
Btw, just as there are Extensions for managing people, accounts, …, from my point of view managing ISIM groups should be included as an out-of-the-box Extension. We will open an ER.
Best regards
------------------------------
Felipe Risalde Serrano
Security Expert
Banco de España
------------------------------
Original Message:
Sent: Thu July 08, 2021 05:32 PM
From: Franz Wolfhagen
Subject: Managing ISIM groups (sysroles) inside the Provisioning Policies in JavaScript
@Federico Añino I promised to show a little bit of code - I am sorry it took longer than expected, but I was busy doing billable work...
This piece of code demonstrates the necessary JavaScript to do what you want (I will comment on that after the code) :
importPackage(Packages.com.ibm.itim.dataservices.model);
importPackage(Packages.com.ibm.itim.dataservices.model.domain);
importPackage(Packages.com.ibm.itim.dataservices.model.system);
myTenant = (new DirectorySystemSearch()).lookupDefault().getDistinguishedName();
mySRS = new SystemRoleSearch();
myCDN = new CompoundDN(myTenant);
mySP = new SearchParameters();
mySP.setScope(SearchParameters.SUBTREE_SCOPE);
myResults = mySRS.searchByName(myCDN, "System Administrator", mySP);
// Assuming only one role returned
for (myResult in myResults.toCollection()) {
    // search will return a SystemRoleEntity; convert to DN
    myRole = myResult.getDistinguishedName();
}
return myRole;
You will of course need to change it to match your use case - but this has been tested and works (if you have added the necessary statements in your scriptFramework.properties as @Stephen Swann mentioned above - Hi Stephen - hope you are well :-))
Now - the code is non-trivial - there is a lot to learn from it - I am not going to do that here - you will have to try to understand it looking at the code.
I still do not understand your use case - what you're trying to do does not make sense for ITIM accounts - it would make sense for something like AD or LDAP groups or other complex systems where you need a "hybrid" model. You do not need that for ITIM accounts - the purpose of systemRoles (ITIM groups) is only to manage accesses within ISIM and that should not need to be anything but RBAC governed. So I believe you are actually going to hurt yourself if you try to use this piece of code - but I may be wrong, so please explain your detailed use case if you can...
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Wed July 07, 2021 09:42 AM
From: Stephen Swann
Subject: Managing ISIM groups (sysroles) inside the Provisioning Policies in JavaScript
Federico,
As you surmised earlier, in order to do that, you would need to expose that class in the scriptframework.properties file and restart your system.
As an example, if I have my own class (com.madigansolutions.isim.madextensions), I would add the following to scriptframework.properties:
ITIM.extension.ProvisioningPolicy.madextensions=com.madigansolutions.isim.madextensions
Obviously, you will need to replace the highlighted elements above with names and classes appropriate to your needs.
Good luck.
------------------------------
Stephen Swann
Original Message:
Sent: Wed July 07, 2021 08:47 AM
From: Federico Añino
Subject: Managing ISIM groups (sysroles) inside the Provisioning Policies in JavaScript
Hi Stephen,
I have included the dn of the OU, but I get this error in trace.log:
CTGIMO002E ...
Error: java.lang.ClassCastException: com.ibm.itim.dataservices.model.system.SystemRoleSearch incompatible with com.ibm.itim.script.ScriptExtension
Is there a way to use SystemRoleSearch from the Provisioning Policies?
Thanks and best regards,
Federico.
Original Message:
Sent: 7/7/2021 5:12:00 AM
From: Stephen Swann
Subject: RE: Managing ISIM groups (sysroles) inside the Provisioning Policies in JavaScript
Federico,
I think you are missing something here... there are three parameters that should be supplied to the searchByName method, but you are only supplying two, so it won't find that method. Check out the JavaDoc, which states:
Parameters
searchContext - CompoundDN that defines the base of the search. At least one (1) element and at most three (3) are expected:
- searchContext.elements[0] must contain the tenant DN
- searchContext.elements[1] may contain the organization DN
- searchContext.elements[2] may contain the parent DN (optional)
name - Name of the role to search for.
params - SearchParameters that provide additional context for how the search should be performed. If the search scope is ONELEVEL_SCOPE, the search is limited only to the system roles that belong to the given parent (searchContext.last()). Otherwise, the whole organizational logical subtree will be searched.
------------------------------
Stephen Swann
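To make the two points above concrete (Franz's "assuming only one role returned" loop and the ONELEVEL_SCOPE / SUBTREE_SCOPE rules quoted from the JavaDoc), here is an added, stand-alone illustration. It is not IBM code and does not call the real SystemRoleSearch API: the directory, the role names and the Branch1/Branch2 containers are constructed sample data, and searchByName/resolveRoleDn are plain JavaScript stand-ins that mimic the documented behaviour so the lookup logic can be run offline. The only value taken from the thread is the tenant DN erglobalid=00000000000000000000,ou=BE,DC=COM. The part worth copying into a real policy is resolveRoleDn: rather than silently returning the last (or an undefined) DN, it fails the evaluation when zero or several roles match, which is what you want before a provisioning policy writes a group DN onto an account.

```javascript
// Added example: stand-in for ISIM's SystemRoleSearch.searchByName() with the
// scope rules from the JavaDoc, plus a strict "exactly one match" resolver.
// Not IBM code; all entries below are constructed sample data.

const SUBTREE_SCOPE = "subtree";
const ONELEVEL_SCOPE = "onelevel";

// Tenant DN as used in the thread; the two branch containers are assumptions.
const TENANT_DN = "erglobalid=00000000000000000000,ou=BE,DC=COM";
const BRANCH1_DN = "ou=Branch1," + TENANT_DN;
const BRANCH2_DN = "ou=Branch2," + TENANT_DN;

// Constructed system roles. Roles are modelled as
// erglobalid=<id>,ou=sysRoles,<parent container>, mirroring the DN layout
// Federico posted. Branch2 deliberately has two roles with the same name.
const SAMPLE_ROLES = [
  { dn: "erglobalid=1,ou=sysRoles," + TENANT_DN, name: "System Administrator" },
  { dn: "erglobalid=2,ou=sysRoles," + BRANCH1_DN, name: "Branch1 administrator" },
  { dn: "erglobalid=3,ou=sysRoles," + BRANCH2_DN, name: "Branch2 administrator" },
  { dn: "erglobalid=4,ou=sysRoles," + BRANCH2_DN, name: "Branch2 administrator" },
];

// Case-insensitive DN normalisation. Assumes no escaped commas in RDN values,
// which holds for the constructed data above.
function normalizeDn(dn) {
  return dn.split(",").map((rdn) => rdn.trim().toLowerCase()).join(",");
}

// True when dn equals baseDn or lies somewhere in the subtree below it.
function isUnder(dn, baseDn) {
  const d = normalizeDn(dn);
  const b = normalizeDn(baseDn);
  return d === b || d.endsWith("," + b);
}

// The container a role "belongs to": drop the erglobalid and ou=sysRoles RDNs.
function roleParent(roleDn) {
  return roleDn.split(",").slice(2).join(",");
}

// Mimics searchByName(searchContext, name, params):
//  - searchContext is the CompoundDN as an array: [tenantDn, orgDn?, parentDn?]
//  - ONELEVEL_SCOPE: only roles belonging to searchContext.last()
//  - otherwise: every role in the subtree under searchContext.last()
function searchByName(searchContext, name, scope, roles = SAMPLE_ROLES) {
  if (searchContext.length < 1 || searchContext.length > 3) {
    throw new Error("searchContext needs 1 to 3 elements, got " + searchContext.length);
  }
  const base = searchContext[searchContext.length - 1];
  const wanted = name.toLowerCase();
  return roles.filter((role) => {
    if (role.name.toLowerCase() !== wanted) return false;
    if (scope === ONELEVEL_SCOPE) {
      return normalizeDn(roleParent(role.dn)) === normalizeDn(base);
    }
    return isUnder(role.dn, base);
  });
}

// The check the "assuming only one role returned" comment glosses over:
// a policy must hand back exactly one DN, so fail loudly on 0 or >1 matches.
function resolveRoleDn(results, name) {
  if (results.length === 0) {
    throw new Error("no system role named '" + name + "' in the search scope");
  }
  if (results.length > 1) {
    const dns = results.map((r) => r.dn).join(" | ");
    throw new Error("ambiguous system role '" + name + "': " + dns);
  }
  return results[0].dn;
}

// What a provisioning-policy value script would return: the DN of the
// container's own "<container> administrator" role, scoped to that container.
function policyValue(containerDn, groupName) {
  const results = searchByName([TENANT_DN, containerDn], groupName, ONELEVEL_SCOPE);
  return resolveRoleDn(results, groupName);
}

// Stand-alone run (constructed data): resolves the Branch1 admin role DN.
console.log(policyValue(BRANCH1_DN, "Branch1 administrator"));
```

Scoping the search to the container with ONELEVEL_SCOPE is what keeps the second use case in Felipe's message safe: a role of the same name in a sibling container is never returned, and a duplicate within the container surfaces as an error instead of an arbitrary DN.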
Original Message:
Sent: Tue July 06, 2021 08:38 AM
From: Federico Añino
Subject: Managing ISIM groups (sysroles) inside the Provisioning Policies in JavaScript
Hi again!
I am having problems managing the systemRole class in the Provisioning Policy. This is part of my code:
...
var group="MyGroup"
var dn="ou=sysRoles,erglobalid=00000000000000000000,ou=BE,DC=COM"
var role = (new SystemRoleSearch()).searchByName(dn, "errolename="+group);
...
but it fails to find that class. This is the trace.log:
Error: Script interpreter error, line=18, col=56: [ReferenceError] 'com' not found
How can I use that class in the Provisioning Policy and should I modify scriptframework.properties?
Thank you very much in advance and best regards!
Federico Añino
------------------------------
Federico Añino
Original Message:
Sent: Fri June 25, 2021 04:27 AM
From: Franz Wolfhagen
Subject: Managing ISIM groups (sysroles) inside the Provisioning Policies in JavaScript
Sorry for not answering immediately - but your question was getting delayed as this was your first interaction here....
Now - I am not fully understanding why you would need JavaScript assignments of groups (systemroles) in an ITIM service provisioning policy - in general you should avoid having JavaScript assignment of group objects - that is not a good practice and will hurt you more than it will help in the general case. There are valid reasons for scripting to build a hybrid scenario - but that does not apply to the ITIM accounts. So please explain
Now on your use case - you cannot return a group name - you need to return the system role DN - so basically you will have to use a search and then get the DN from that search.
The steps are basically using SystemRoleSearch which will return a list of roles in a SearchResults : https://www.stephen-swann.co.uk/javadoc/tim5.0/com/ibm/itim/dataservices/model/system/SystemRoleSearch.html#searchByName(com.ibm.itim.dataservices.model.CompoundDN,%20java.lang.String,%20com.ibm.itim.dataservices.model.SearchParameters)
As you can probably see there is a little work of API programming to do - I can post some sample code after you have explained the use case (because I do not believe you are on the right track here :-)) - I believe there are probably better ways to solve your real problem than doing JavaScripting of system roles in the ITIM Service provisioning policies...
------------------------------
Franz Wolfhagen
IAM Technical Architect for Europe - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Wed June 23, 2021 02:02 PM
From: Federico Añino
Subject: Managing ISIM groups (sysroles) inside the Provisioning Policies in JavaScript
Hello Team!
I am trying to set the ITIM groups from a Provisioning Policy written in JavaScript, but I have encountered a weird behaviour:
When I set the group name (for instance "group1") in the group attribute (set as mandatory) of the Provisioning policy for the ITIM Account, and I try to modify an account which already has the same group, the policy is evaluated and the ISIM console warns me that the value of the field Groups is incorrect; it shows that the incorrect value is the same as the correct value (incorrect value "group1" and correct value "group1"), and it does not allow me to send the change because of the warning box.
I think that it is because the value stored in the ISIM account (or "systemuser") is actually the DN of the group, rather than its name.
If that is the expected behaviour, how can I search inside the Provisioning Policy for the DN of the group (or "sysrole") having its name, so that the policy returns the DN of the group instead of its name?
What ProvisioningPolicyExtension should I add in scriptframework.properties?
Steps for reproducing the issue:
1. Connect role "role1" to a user that already has group1 in its ITIM account
2. Create a Provisioning policy for Everyone with an Entitlement for ITIM service: attribute "ITIM group(s)", enforcement: Exclude. Value type: Regular Expression, value: group.*
3. Create another Provisioning policy for the members of role2 with an Entitlement for ITIM service: attribute "ITIM group(s)", enforcement: mandatory. Value Type: JavaScript. Value: return "group1"
4. Access ITIM account of the user and just submit the request
Thank you very much,
Federico Añino
CyberSecurity unit at BDE