I have an authorized user that is assigned to the provadmin role. RR
driver confirms that the assignment was a success.

My recipient is the group SuspenseGroup.sa.data and is a Trustee DN on
the workflow. I also added the authorized user as a trustee as well.

As part of troubleshooting I added some eDir rights. I found in the 402
documentation the following statement: "Notice that
nrfAccessMgrTaskAddressee is not listed with the write permission
checked, which means that the user does not have the proper rights for
the provisioning request definition."

I have added nrfAccessMgrTaskAddressee with write permission checked to
the Workflow object for both the authorized user. I also did this for
nrfAccessMgrTaskRecipient. However, I'm not sure why a write right would
be needed... Very little is documented about these rights.

I added these rights to the recipient as well as the authorized user.

The error we receive is below:

DirXML Log Event -------------------
Driver: \OU-IDM-POC\system\driverset\PS-Test
Channel: Publisher
Object: 19017
Status: Error
Message: Code(-9194) Error in
: Couldn't
start workflow 'CN=Suspense
handling,CN=RequestDefs,CN=AppConfig,CN=UserApplication,CN=driverset,O=system'
for recipient 'cn=suspensegroup,ou=
sa,o=data': java.rmi.RemoteException: HTTP 401 Unauthorized
[08/15/16 05:30:07.328]:PS-Test PT: Action: do-veto().
[08/15/16 05:30:07.328]:PS-Test PT:Policy returned:
[08/15/16 05:30:07.328]:PS-Test PT:
<nds dtdversion="1.1" ndsversion="8.6" xml:space="default">

I don't see anything in the catalina.out log file when triggering the
workflow from a driver. However, I'm not sure if we would with it doing
a SOAP call.

The URL to connect to userapp is right: http://<ipaddr>:8180/IDMProv
(not using https currently, correct IP address is entered in)

There are some empty values as part of the request. I'm assuming this is
okay. None of the values on the request form are set to required, just
sending over what data the driver has on the existing user. Some of the
values being sent over are local variables. So not sure how we could
strip empty values on those if we needed to.

The purpose of the workflow is to start it when a match is found that
isn't specific enough and requires an administration review to make sure
the user is an actual match and that we aren't creating duplicate


fp_IDMWORKS's Profile: https://forums.netiq.com/member.php?userid=9869
View this thread: https://forums.netiq.com/showthread.php?t=56433