Hello all,

I'm attempting to create resource associations between resources and roles via a web services call to the role service endpoint, as documented here:

https://www.netiq.com/documentation/identity-manager-46/identity_apps_admin/data/bdux8cm.html

When attempting to assign a resource with an entitlement where the EntitlementParam needs to be defined in the assignment, it errors:

<ns1:stackTrace xsi:type="ns1:stackTrace" xmlns:ns1="http://www.novell.com/wssdk">
<ns1:dump xsi:type="xsd:string">com.novell.soa.ws.binding.Ma rshalerNotFoundException: no serializer found for "java.io.EOFException"
at com.novell.soa.ws.impl.soap.LiteralEncodingStyle.w riteObject(LiteralEncodingStyle.java:414)
at com.novell.soa.ws.impl.xml.OutputStreamImpl.writeO bject(OutputStreamImpl.java:122)
at com.novell.soa.ws.impl.soap.ServerResponseImpl.wri teException(ServerResponseImpl.java:81)
at com.novell.idm.nrf.soap.ws.role.IRemoteRole_Servic eSkeleton._invoke(IRemoteRole_ServiceSkeleton.java :1625)

More stack trace removed.

The request looks like this:

Code:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://www.novell.com/role/service">
   <soapenv:Header/>
   <soapenv:Body>
      <ser:createResourceAssociationRequest>
         <ser:resourceAssociation>
            <dynamicParameters>
               <dynamicparameter>
                  <expression>false</expression>
                  <key>EntitlementParamKey</key>
                  <value>{"ID":"\\TREE\\data\\groups\\grp1"}</value>
               </dynamicparameter>
            </dynamicParameters>
            <ser:localizedDescriptions>
               <ser:localizedvalue>
                  <ser:locale>en</ser:locale>
                  <ser:value>fdas</ser:value>
               </ser:localizedvalue>
            </ser:localizedDescriptions>
            <ser:resource>cn=IDVGroup,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</ser:resource>
            <ser:role>cn=target,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</ser:role>
         </ser:resourceAssociation>
      </ser:createResourceAssociationRequest>
   </soapenv:Body>
</soapenv:Envelope>
Here is a getResourceAssociation response from a similar assignment, which was made in the web UI by hand:

Code:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <SOAP-ENV:Body>
      <ns1:getResourceAssociationResponse xmlns="http://www.novell.com/role/service" xmlns:ns1="http://www.novell.com/role/service">
         <result>
            <approvalOverride>false</approvalOverride>
            <dynamicParameters>
               <dynamicparameter>
                  <expression>false</expression>
                  <key>EntitlementParamKey</key>
                  <value>{"ID":"\\TREE\\data\\groups\\grp1"}</value>
               </dynamicparameter>
            </dynamicParameters>
            <entityKey>cn=20170503133951-3dc4d897d2114a1f8bed8530b2a9e239,cn=ResourceAssociations,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</entityKey>
            <localizedDescriptions>
               <localizedvalue>
                  <locale>en</locale>
                  <value>Group1 Assignment</value>
               </localizedvalue>
            </localizedDescriptions>
            <resource>cn=IDVGroup,cn=ResourceDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</resource>
            <role>cn=ITRoleTest1,cn=Level20,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application Driver,cn=driverset1,o=system</role>
            <status>50</status>
         </result>
      </ns1:getResourceAssociationResponse>
   </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
If I remove the dynamicParameters section, I can create the assignment with no errors.

This is with IDM 4.6 on SLES 12, all in one server install for a test lab.

I've dialed up a lot of the logging, but I cannot seem to find what's going wrong here.

Anyone have any pointers?

Thanks,
Mike