We recently decided to migrate our Role-Based entitlement setup to the Roles
and Resources driver in an existing IDM 4.0.2 setup.
I seem to hit a strange IDM4 (JSON) parameter formatting problem in the
RRS Driver for a SOAP driver entitlement that I can't reproduce in the
AD driver, so I suspect the SOAP driver (version 3.5.7) to be broken, or
am I missing some configuration or policy I'm not aware of?

The problem is as follows: I have a simple entitlement without
parameters in the SOAP driver. I created an EntitlementConfiguration.xml
by hand (the SOAP driver doesn't seem to be equipped to create this
I map the simple entitlement to the Roles & Resources Driver by adding
this line, which is the most simple form of mapping as far as I

<entitlement data-collection="false" dn="CN=Zimbra
Email,CN=Zimbra,CN=driverset1,O=system" resource-mapping="true"
role-mapping="true" />

When I sync the Roles & Resource cache, I'm able to find the new
entitlement and assign it to a resource. After that, I assign a user to
the resource and then things start to go wrong.
The RRSD driver spits out the following error:

Driver: \SURF\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Error
Message: Error processing request
DN: O=system\CN=driverset1\CN=User Application
Driver\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20141128151421-26a4ffd683dc451a8d6136f9412e25e5-0
Reason: java.lang.Exception: Error. Entitlement
parameter value is not in the expected JSON format, defined by the
entitlement configuration setting named parameter-format. This can
occur from malformed JSON in the parameter value, or an entitlement was
provisioned with a legacy parameter value before the entitlement
parameter support was upgraded to IDM4.
DN: O=system\CN=driverset1\CN=Zimbra\CN=Zimbra Email
Agent: UA
Parameter Value:

I've read 1001 pages on the Legacy to IDM4 migration issues, but there
seems to be a fundamental problem here: there is no parameter, but it's
still incorrectly encoded. I assign a test user that has all RBS
entitlements removed before the assignment so there are no legacy xml

If I recreate this scenario in the AD driver by adding a simple
parameter-less entitlement and add the entitlement to the
EntitlementConfiguration resource in the driver in the same way, resync
user app and add the entitlement to a resource, and add a user, the
output of the RRS driver is:

Driver: \SURF\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Success
Message: Transitioned request status from 30 to 50
DN: O=system\CN=driverset1\CN=User Application
Driver\CN=AppConfig\CN=RoleConfig\CN=ResourceRequests\CN=20141128150034-4d9d8ed59eb54f229f2912b830558bf3-0

Both drivers were added in Designer and originate from the same 4.0.2
installation. I would expect both drivers to be IDM4 entitlement
parameter format compatible?
What am I missing?

Best regards,

mrvanes's Profile: https://forums.netiq.com/member.php?userid=4768
View this thread: https://forums.netiq.com/showthread.php?t=52317