Hi,
I have a problem with the configuration of the SAP UM driver and the
entitlement UserAccount. As the result of a query from RMA, the policy
NOVLSAPUFENT-itp-FanoutEntitlementsImpl behaves in a weird way.

The following is an extract of the driver trace where the rule is unable
to find "UserAccountEntitlementQuery" on the operation-data:

[08/11/14 15:46:16.900]rvSAP_SRM ST:Policy returned:
[08/11/14 15:46:16.900]rvSAP_SRM ST:
<nds dtdversion="1.0" ndsversion="8.5">
  <source>
    <product build="20120601_172242" instance="DrvSAP_SRM" version="3.6.12">Identity Manager Driver for User Management of SAP Software</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <instance class-name="__driver_identification_class__">
      <attr attr-name="driver-id">
        <value type="string">SAPUM</value>
      </attr>
      <attr attr-name="driver-version">
        <value type="string">3.6.12</value>
      </attr>
      <attr attr-name="min-activation-version">
        <value type="int">1</value>
      </attr>
    </instance>
    <status event-id="query-driver-ident" level="success" type="driver-general">
      <operation-data UserAccountEntitlementQuery="\ALST1100">
        <rmap-data>
          <rmap-identity format="ldap" type="dn">cn=uaadmin,ou=sa,o=data</rmap-identity>
        </rmap-data>
      </operation-data>
    </status>
  </output>
</nds>
[08/11/14 15:46:16.907]rvSAP_SRM ST:Applying policy: %+C%14CNOVLSAPUFENT-itp-FanoutEntitlementsImpl%-C.
[08/11/14 15:46:16.908]rvSAP_SRM ST: Applying to instance #1.
[08/11/14 15:46:16.909]rvSAP_SRM ST: Evaluating selection criteria for rule 'Intercept LogicalSystem (tagged identity query) query response'.
[08/11/14 15:46:16.910]rvSAP_SRM ST: (if-operation equal "instance") = TRUE.
[08/11/14 15:46:16.911]rvSAP_SRM ST: (if-class-name equal "__driver_identification_class__") = TRUE.
[08/11/14 15:46:16.911]rvSAP_SRM ST: (if-xpath true "//status[@event-id='query-driver-ident']/operation-data/@UserAccountEntitlementQuery") = *FALSE*.
[08/11/14 15:46:16.913]rvSAP_SRM ST: Rule rejected.


What has puzzled me is that if I use the Policy Simulator on Designer,
it's able to find it and does what is expected from it:

Adding the same document as Input Document on the Simulator:

<nds dtdversion="1.0" ndsversion="8.5">
  <source>
    <product build="20120601_172242" instance="DrvSAP_SRM" version="3.6.12">Identity Manager Driver for User Management of SAP Software</product>
    <contact>Novell, Inc.</contact>
  </source>
  <output>
    <instance class-name="__driver_identification_class__">
      <attr attr-name="driver-id">
        <value type="string">SAPUM</value>
      </attr>
      <attr attr-name="driver-version">
        <value type="string">3.6.12</value>
      </attr>
      <attr attr-name="min-activation-version">
        <value type="int">1</value>
      </attr>
    </instance>
    <status event-id="query-driver-ident" level="success" type="driver-general">
      <operation-data UserAccountEntitlementQuery="\ALST1100">
        <rmap-data>
          <rmap-identity format="ldap" type="dn">cn=uaadmin,ou=sa,o=data</rmap-identity>
        </rmap-data>
      </operation-data>
    </status>
  </output>
</nds>

It returns the following result:

DrvSAP_SRM :Applying policy: %+C%14CNOVLSAPUFENT-itp-FanoutEntitlementsImpl%-C.
DrvSAP_SRM : Applying to instance #1.
DrvSAP_SRM : Evaluating selection criteria for rule 'Intercept LogicalSystem (tagged identity query) query response'.
DrvSAP_SRM : (if-operation equal "instance") = TRUE.
DrvSAP_SRM : (if-class-name equal "__driver_identification_class__") = TRUE.
DrvSAP_SRM : (if-xpath true "//status[@event-id='query-driver-ident']/operation-data/@UserAccountEntitlementQuery") = TRUE.
DrvSAP_SRM : Rule selected.
DrvSAP_SRM : Applying rule 'Intercept LogicalSystem (tagged identity query) query response'.
DrvSAP_SRM : Action: do-set-local-variable("lsname",scope="policy",token-xpath("substring-after(//status[@event-id='query-driver-ident']/operation-data/@UserAccountEntitlementQuery, '\')")).
DrvSAP_SRM : arg-string(token-xpath("substring-after(//status[@event-id='query-driver-ident']/operation-data/@UserAccountEntitlementQuery, '\')"))
DrvSAP_SRM : token-xpath("substring-after(//status[@event-id='query-driver-ident']/operation-data/@UserAccountEntitlementQuery, '\')")
DrvSAP_SRM : Token Value: "ALST1100".
DrvSAP_SRM : Arg Value: "ALST1100".


Does anyone know why it might fail in the driver when it works correctly
on the simulator?

Regards
Jose Luis


--
jlrodriguez