IM Relationship Tab for Groups not reliable in Identity Manager

IM Relationship Tab for Groups not reliable in Identity Manager


Article ID: 125091


Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal

Issue/Introduction

A particular Identity Manager scenario has been encountered where the Identity Manager functionality works as expected until a Business Logic Task Handler (BLTH) is put in place.

REQUIREMENT:
An admin can add/remove Groups (based on the admin’s scope) - There are also rules about which Groups users are allowed to have

IMPLEMENTATION:
IM Task: Modify User Groups (used by delegated administrators) - Uses the Relationship Tab (so it bypasses Group administration restrictions) - BLTH added to validate Groups: business requirement to check whether the user is allowed to have the Group, and to report errors

PROBLEMS: 
Add Groups: Select a Group that has already been assigned to the user - BLTH validate: cannot get reliable lists of the Groups being assigned or revoked - Updates performed by IM may not reflect the actions on the screen

FAULTY BLTH CODE:

// FAULTY version (kept for reference). This check runs in handleSubmission,
// which the Cause section below says is called after the Add/Remove group
// events have already been generated, so the added/assigned/revoked lists read
// here are not reliable at that point. The same checks belong in
// handleValidation (see WORKING BLTH below).
// NOTE(review): as printed, this listing is missing the closing "}" of the
// "if (relTabHandler==null)" block and of the inner "if" in the ADDs loop
// (the blank lines mark where they were); it would not parse as shown.
// NOTE(review): no "var" declarations - every assignment below writes an
// implicit global into the script scope; harmless only if each invocation
// gets a fresh scope - confirm for this BLTH runtime.
function handleSubmission(BlthContext, errorMessage) { 
// 
// GET TAB 
// ******* 
// Locate the tab handler tagged "relationship"; if several match, the last
// one wins because the loop does not break.
relTabHandler = null ; 
tabsList = BlthContext.getTaskTabHandlers(); 
tabsIterator = tabsList.iterator(); 
while(tabsIterator.hasNext()) { 
tempTH = tabsIterator.next(); 
if((tempTH.getTagName()).equalsIgnoreCase("relationship")) relTabHandler = tempTH; 
} // end of WHILE 
// Fail closed when the tab is absent: the message is surfaced via errorMessage.reference.
if (relTabHandler==null) { 
errorMessage.reference = "TabHandler with name 'relationship' not found - STOP" ; 
return false ; 
// (closing "}" of this if block is missing from the listing)
// 
// Read Relation, Adds 
// ******************* 
// relation.getAdded() is the list of groups the relation reports as added;
// the working version does not use it at all.
relation = relTabHandler.getRelationship(); 
relAdded = relation.getAdded() ; 
// DEBUG 
//errorMessage.reference = "TabHandler 'relationship' - Added=" + relAdded.size() ; 
//return false ; 
// 
// GET TAB Resources 
// ********************** 
tabAssignedRscs = relTabHandler.getAssignedResources() ; 
tabRevokedRscs = relTabHandler.getRevokedResources() ; 
// DEBUG 
//errorMessage.reference = "TabHandler 'relationship' - tabAssignedRscs=" + tabAssignedRscs.size() + " tabRevokedRscs=" + tabRevokedRscs.size() ; 
//return false ; 
// 
// Prepare List of ADDs 
// ******************** 
// Intersect relAdded with tabAssignedRscs by unique name; only groups present
// in BOTH lists are validated, so anything the two lists disagree on is
// silently skipped - this is the unreliability the article describes.
addedGroups = new Packages.java.util.Vector() ; 
addMSG="addedGroups: " ; 
iterADDs = relAdded.iterator(); 
while (iterADDs.hasNext()) { 
addGROUP = iterADDs.next(); 
// CHECK is also in tabAssignedRscs 
// ******************************** 
isMatched=false ; 
for (ia=0 ; ia<tabAssignedRscs.size() ; ia++) { 
thisADD=tabAssignedRscs.get(ia) ; 
if (thisADD.getUniqueName().equals(addGROUP.getUniqueName())) { 
addedGroups.add( addGROUP ) ; 
addMSG+=addGROUP.getUniqueName()+" --- "; 
break; 
// (closing "}" of this if block is missing from the listing)
} // end of for-tabAssignedRscs 
} // end of LOOP through ADDS 
// DEBUG 
//errorMessage.reference = "TabHandler 'relationship' - addedGroups=" + addedGroups ; 
//return false ; 
// 
// NOW do validate - Adds 
// ********************** 
for (ia=0 ; ia<addedGroups.size() ; ia++) { 
groupADD=addedGroups.get(ia) ; 
// Validations etc 
// 
// TEST Validations 
// ***************** 
// "" + ... coerces the Java String to a JS string so == compares by value.
// NOTE(review): the deny-list matches on the display (friendly) name, not
// getUniqueName(); confirm friendly names are unique here.
tempName=""+groupADD.getFriendlyName() ; 
if ((tempName=="GroupRel4") || (tempName=="GroupRel5")) { 
errorMessage.reference = "You cannt assign or remove GroupRel4, GroupRel5" ; 
return false ; 
} //end of check 
} // end for for-addedGroups 
// 
// NOW do validate - Revokes 
// ************************* 
// Revokes are taken straight from the tab (no intersection), unlike the adds.
remMSG="removedGroups: " ; 
for (ia=0 ; ia<tabRevokedRscs.size() ; ia++) { 
groupREM=tabRevokedRscs.get(ia) ; 
remMSG+=groupREM.getUniqueName()+" --- "; 
// Validations etc 
// 
// TEST Validations 
// ***************** 
tempName=""+groupREM.getFriendlyName() ; 
if ((tempName=="GroupRel4") || (tempName=="GroupRel5")) { 
errorMessage.reference = "You cannt assign or remove GroupRel4, GroupRel5" ; 
return false ; 
} //end of check
} // end for for-revokedGroups 
// DEBUG 
//errorMessage.reference = "TabHandler 'relationship' - remMSG=" + remMSG ; 
//return false ; 
// 
// 
// DEBUG - display information 
// *************************** 
//errorMessage.reference = "TabHandler 'relationship' --- " + addMSG + " --- " + remMSG + " --- " ; 
//return false ; 
// 
// 
// END 
return true ; 
// (closing "}" of the function is missing from the listing)
// end of FUNCTION 
//

Environment

Identity Manager 14.2 on RHEL (on-premise not VAPP).

Cause

The provided BLTH verifies groups in the 'handleSubmission' function, which is called after the Add/Remove group events have already been generated.

Group validation should be done in the 'handleValidation' function instead.

Resolution

WORKING BLTH

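//
// handleValidation(BlthContext, errorMessage)
// -------------------------------------------
// Validation hook for the Modify User Groups task. Finds the "relationship"
// tab handler and rejects the submission when any group being assigned OR
// revoked on that tab is on the restricted list.
//
// Returns true when the submission may proceed. Returns false, with a
// human-readable reason in errorMessage.reference, when the relationship
// tab cannot be found (fail closed) or a restricted group is present.
//
// All locals are declared with "var" so the handler does not write implicit
// globals into the (possibly shared) script scope.
//
function handleValidation(BlthContext, errorMessage) {
  //
  // GET TAB
  // *******
  var relTabHandler = findRelationshipTabHandler(BlthContext);
  if (relTabHandler == null) {
    // Fail closed: without the tab we cannot see the changes, so refuse.
    errorMessage.reference = "TabHandler with name 'relationship' not found - STOP" ;
    return false ;
  }
  //
  // GET TAB Resources
  // *****************
  var tabAssignedRscs = relTabHandler.getAssignedResources() ;
  var tabRevokedRscs = relTabHandler.getRevokedResources() ;
  //
  // NOW do validate - Adds, then Revokes
  // ************************************
  // The same rule applies in both directions, so one helper checks each list.
  if (!validateGroupList(tabAssignedRscs, errorMessage)) {
    return false ;
  }
  if (!validateGroupList(tabRevokedRscs, errorMessage)) {
    return false ;
  }
  //
  // END
  return true ;
}

//
// findRelationshipTabHandler(BlthContext)
// Returns the task tab handler whose tag name is "relationship" (case
// insensitive), or null if there is none. If several tabs carry the tag the
// last one wins, matching the original loop which did not break.
//
function findRelationshipTabHandler(BlthContext) {
  var relTabHandler = null ;
  var tabsIterator = BlthContext.getTaskTabHandlers().iterator();
  while (tabsIterator.hasNext()) {
    var tempTH = tabsIterator.next();
    if ((tempTH.getTagName()).equalsIgnoreCase("relationship")) relTabHandler = tempTH;
  }
  return relTabHandler ;
}

//
// validateGroupList(groupList, errorMessage)
// Walks a Java list of group resources (size()/get(i)) and returns false,
// setting errorMessage.reference, at the first restricted group. Returns true
// when the list is empty or contains no restricted group.
//
function validateGroupList(groupList, errorMessage) {
  for (var ia = 0 ; ia < groupList.size() ; ia++) {
    // "" + ... coerces the Java String to a JS string so == compares by value.
    var tempName = "" + groupList.get(ia).getFriendlyName() ;
    if (isRestrictedGroupName(tempName)) {
      errorMessage.reference = "You cannt assign or remove GroupRel4, GroupRel5" ;
      return false ;
    }
  }
  return true ;
}

//
// isRestrictedGroupName(tempName)
// TEST validation rule: the restricted groups are identified by display name.
// NOTE(review): this matches getFriendlyName(), not getUniqueName(); if
// friendly names are not unique in the directory, an unrelated group with the
// same display name is blocked and a renamed restricted group passes -
// matching on the unique name is the stable choice; confirm before changing.
//
function isRestrictedGroupName(tempName) {
  return (tempName == "GroupRel4") || (tempName == "GroupRel5") ;
}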
// end of FUNCTION
//