We are trying to set up a resource which adds a user to a group. We have
a loopback driver with an entitlement which, when granted, adds the user
to the group specified in the entitlement value. The potential
entitlement values are queried from the application (i.e. the Vault),
doing a subtree search for Groups under our top-level Group OU.
Textbook stuff really (quite literally!).

The issue that we are experiencing is that when we try to link the
entitlement to a resource, assigning specific entitlement values when
the entitlement is linked, not all groups show up in the list of
entitlement values. The group in question is a recently added group
(although by recently I'm talking a couple of weeks ago now).

The attributes of the group are essentially identical to that of another
group that does show up in the list and was successfully selected as an
entitlement value for a different resource - the only significant
difference is that the second group has a couple of members (which were
added by assigning roles/resources to the users). For info, these groups
are used to control which users can grant and revoke the equivalent User
role (via RBPM Provisioning and Security -> Administrator Assignments),
thus the role assignment that is present on these groups.

Our first thought was that it is likely to be a caching issue, however
we have flushed both the entitlement query cache (Configure Roles and
Resources Settings -> Entitlement Query Settings) and the main UserApp
cache (Application Configuration -> Caching). We have also tried
restarting the UserApp to no effect. And it has been almost two weeks
since the group was created so any cache should have expired by now
anyway.

We are running IDM 4.0.2 AE, which was patched and up-to-date as of
June/July.


The two groups are as follows. The 'Traka Administrators' group is one
of the groups which appears in the list and has been linked to a
resource, while the 'Terminal4 Administrators' group does not show up in
the list and is what prompted this query.


Code:
--------------------
# Traka Administrators, Applications, Groups, Vault
dn: cn=Traka Administrators,ou=Applications,ou=Groups,o=Vault
nrfAssociatedRoles: cn=roleManager,cn=System,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application,cn=Drivers,ou=Resources,o=Vault#0#<assignment><start_tm>20130926145454Z</start_tm><req_tm>20130926145454Z</req_tm><req>cn=Admin,ou=Resources,o=Vault</req><req_desc>Traka administration</req_desc></assignment>
DirXML-ADAliasName: Traka Administrators
DirXML-ADContext: CN=Traka Administrators,OU=Applications,OU=Groups,DC=example,DC=com
DirXML-Associations: cn=LDAP,cn=Drivers,ou=Resources,o=Vault#1#cn=traka administrators,ou=applications,ou=groups,dc=example,dc=com
DirXML-Associations: cn=Active Directory,cn=Drivers,ou=Resources,o=Vault#1#fb0d4729627c234aa0dec5eb2b3ffd5a
equivalentToMe: cn=user1,ou=People,ou=Identities,o=Vault
equivalentToMe: cn=user2,ou=People,ou=Identities,o=Vault
owner: cn=Admin,ou=Resources,o=Vault
objectClass: groupOfNames
objectClass: Top
objectClass: DirXML-ApplicationAttrs
objectClass: nrfGroup
member: cn=user1,ou=People,ou=Identities,o=Vault
member: cn=user2,ou=People,ou=Identities,o=Vault
description: Traka Administrators
cn: Traka Administrators
ACL: 2#entry#[Root]#member
--------------------



Code:
--------------------
# Terminal4 Administrators, Applications, Groups, Vault
dn: cn=Terminal4 Administrators,ou=Applications,ou=Groups,o=Vault
nrfAssociatedRoles: cn=roleManager,cn=System,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application,cn=Drivers,ou=Resources,o=Vault#0#<assignment><start_tm>20130930091503Z</start_tm><req_tm>20130930091503Z</req_tm><req>cn=Admin,ou=Resources,o=Vault</req><req_desc>Role assignment for Terminal4 Users</req_desc></assignment>
DirXML-ADAliasName: Terminal4 Administra
DirXML-ADContext: CN=Terminal4 Administrators,OU=Applications,OU=Groups,DC=example,dc=com
DirXML-Associations: cn=Active Directory,cn=Drivers,ou=Resources,o=Vault#1#4f88c335536fa943b31bdbd5aa2ffd3e
DirXML-Associations: cn=LDAP,cn=Drivers,ou=Resources,o=Vault#1#cn=terminal4 administrators,ou=applications,ou=groups,dc=example,dc=com
owner: cn=Admin,ou=Resources,o=Vault
objectClass: groupOfNames
objectClass: Top
objectClass: DirXML-ApplicationAttrs
objectClass: nrfGroup
description: Terminal4 Administrators
cn: Terminal4 Administrators
ACL: 2#entry#[Root]#member
--------------------


Thanks in advance for any help...
Chris


--
ChrisReeves
------------------------------------------------------------------------
ChrisReeves's Profile: https://forums.netiq.com/member.php?userid=346
View this thread: https://forums.netiq.com/showthread.php?t=48931
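As an added example (not part of the original post or of NetIQ IDM), the following script unfolds two shortened, constructed LDIF entries modelled on the dumps above, checks each against an assumed shape of the entitlement query (subtree under the Groups OU, objectClass groupOfNames), and lists which attributes are populated on one group but not the other. The query filter and the helper names are assumptions; the post does not state the exact filter.

```python
import re

# Constructed, shortened versions of the two LDIF dumps from the post
# (folded LDIF: a continuation line starts with a single space).
TRAKA = """\
dn: cn=Traka Administrators,ou=Applications,ou=Groups,o=Vault
DirXML-ADContext: CN=Traka Administrators,OU=Applications,OU=Groups,DC=exam
 ple,DC=com
equivalentToMe: cn=user1,ou=People,ou=Identities,o=Vault
equivalentToMe: cn=user2,ou=People,ou=Identities,o=Vault
objectClass: groupOfNames
objectClass: nrfGroup
member: cn=user1,ou=People,ou=Identities,o=Vault
member: cn=user2,ou=People,ou=Identities,o=Vault
cn: Traka Administrators
"""
TERMINAL4 = """\
dn: cn=Terminal4 Administrators,ou=Applications,ou=Groups,o=Vault
DirXML-ADContext: CN=Terminal4 Administrators,OU=Applications,OU=Groups,DC=e
 xample,DC=com
objectClass: groupOfNames
objectClass: nrfGroup
cn: Terminal4 Administrators
"""

def parse_ldif(text):
    """Unfold continuation lines and return {attribute: [values]}.
    Handles plain 'attr: value' lines only (no base64 '::' values)."""
    unfolded = re.sub(r"\n ", "", text.strip())
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def attrs_only_in(a, b):
    """Attribute names populated on entry a but absent from entry b."""
    return sorted(set(a) - set(b))

def matches_group_query(entry, base="ou=Groups,o=Vault"):
    """Assumed entitlement query: subtree under the Groups OU with
    objectClass groupOfNames. Both example entries are expected to pass."""
    dn = entry["dn"][0].lower()
    return dn.endswith("," + base.lower()) and "groupOfNames" in entry["objectClass"]

if __name__ == "__main__":
    traka, term4 = parse_ldif(TRAKA), parse_ldif(TERMINAL4)
    print("query matches:", matches_group_query(traka), matches_group_query(term4))
    print("only on Traka:", attrs_only_in(traka, term4))  # ['equivalentToMe', 'member']
```

Both entries pass the assumed query, so the attribute diff (member and equivalentToMe only on the group that appears) is the remaining observable difference, which is what the post already suspects.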