Chapter 8 BridgeStream SmartRoles

The BridgeStream SmartRoles adapter provisions users in SmartRoles. The adapter places these users in the appropriate organizations within SmartRoles so that SmartRoles can determine which business roles those users should have.

Adapter Details

When retrieving a user from SmartRoles, the adapter retrieves the user’s business roles. These business roles can be used within Identity Manager to determine the Identity Manager roles, resources, attributes, and access that user should be assigned.

Additionally, SmartRoles can be a source of user changes using Active Sync. You can load SmartRoles users into Identity Manager and reconcile them.

The BridgeStream SmartRoles resource adapter is defined in the com.waveset.adapter.SmartRolesResourceAdapter class.

Resource Configuration Notes

None

Identity Manager Installation Notes

The SmartRoles adapter is a custom adapter. You must perform the following steps to complete the installation process:

Installing the SmartRules Adapter

1. To add a SmartRoles resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.

   com.waveset.adapter.SmartRolesResourceAdapter

2. Copy the following jar files from the SmartRoles installation directory (SR_install_dir/Foundation/lib) to $WSHOME/WEB-INF/lib:

   • bridgestream-common.jar

     • jgroups-all.jar

     • log4j-1.2.8.jar

     • rowset.jar

     • fxrm.jar

     • jmxri.jar

     • ojdbc14.jar

     • jcert.jar

     • jmxtools.jar

     • ojdbc14_g.jar

3. Copy the following files from the SR_install_dir/Foundation/config directory to the $WSHOME/WEB-INF/classes directory:

   • bridgestream_jaas.config

     • log4j.properties

     • foundation_config.xml

     • foundation_config.dtd

4. Edit the log4j.properties file to specify the path to the log files in the log4j.appender.debuglog.File and log4j.appender.logfile.File properties files. These properties can both specify the same file.

5. Set the following Java system properties in the JVM running Identity Manager:

   System Property	Value
   java.security.auth.login.config	Path to bridgestream_jaas.config file
   brLoggingConfig	Path to log4j.properties file
   brfConfig	Path to foundation_config.xml and foundation_config.dtd files

   ---

   Note –

   If you need to specify these properties on the JVM command line, use the -D option to set the properties as follows:

   ---

   -Djava.security.auth.login.config=PathToBridgestream_jaas.config -DbrLoggingConfig=PathTolog4j.properties -DbrfConfig=PathTofoundation_config.xml and foundation_config.dtd files

Usage Notes

This section provides information related to using the SmartRoles resource adapter. The information is organized as follows:

• General Notes

• Complex Attribute Support

• Limitations

General Notes

The following general notes are provided for this resource:

• The SmartRoles adapter communicates directly with the SmartRoles repository, so the Relationship Manager application does not have to be running for the adapter to work.

• The adapter can generate universal IDs and store connection information in configuration files.

  When configuring the SmartRoles adapter, you can choose to have SmartRoles generate the universal ID for new accounts or have the adapter provide the universal ID. When the adapter provides the ID, it uses the value generated from the Identity Template.

Complex Attribute Support

Identity Manager introduced a new complex attribute type that enables the SmartRoles adapter to support complex attributes. The complex attribute type is used when an attribute value is more complicated than a single value or list of values. This new complex type is used with the following attributes:

• sr_positions

• sr_grantedRolesSphere

• sr_organizations

The attribute value for a complex attribute is an instance of the new com.waveset.object.GenericAttribute class. The GenericAttribute instance wraps a GenericObject instance containing the real attribute value information. The GenericObject stores attributes and values in a hierarchy that can be set and retrieved using path expressions.

ResourceAction Support

Although the adapter does not support before and after actions, it does support running actions using the runResourceAction Provision Workflow Service. You can write a SmartRoles action in javascript or BeanShell, and it can call the SmartRoles APIs to perform custom behavior as part of a workflow. Input to the action script is contained in a Map object named actionContext. The actionContext Map contains the following:

Key	Value
action	String describing the type of action being run. Currently, this action can only be run.
adapter	Contains a reference to the com.waveset.adapter.SmartRolesResourceAdapter instance.
additionalArgs	A Map containing any additional arguments passed in to the runResourceAction Provision Workflow Service call.
result	Reference to the WavesetResult that is returned from the runResourceAction Provision Workflow Service call.
session	Reference to a SmartRoles IOMSession instance. The session is created using the administrator and password defined in the SmartRoles resource.
trace	Reference to the com.sun.idm.logging.trace.Trace instance associated with the com.waveset.adapter.SmartRolesResourceAdapter class. You can use this to output trace messages for use in debugging the action script.

The following ResourceAction XML is an example of a BeanShell action. (Set the actionType to JAVASCRIPT for a javascript action.) This action script takes an argument named user (retrieved from the additionalArgs Map) and searches the SmartRoles repository for one or more Person objects with a LOGON_ID that matches the value in the user argument. The string representation of each matching Person is then returned in the WavesetResult in the ACTION_RC ResultItem.

<?xml version=’1.0’ encoding=’UTF-8’?>
<!DOCTYPE ResourceAction PUBLIC ’waveset.dtd’ ’waveset.dtd’>
<!--  MemberObjectGroups="#ID#Top"-->
<ResourceAction createDate=’1148443502593’>
   <ResTypeAction restype=’SmartRoles’ timeout=’0’ actionType=’BEANSHELL’>
      <act>
         import bridgestream.core.*;
         import bridgestream.util.*;
         import bridgestream.temporal.person.*;
         import java.util.*;
         import com.waveset.object.*;
         IOMSession session = actionContext.get("session");
         OMEngine engine = OMEngine.getInstance(session);
         String user = actionContext.get("additionalArgs").get("user");
         UTNameValuePair[] criteria = new UTNameValuePair[] { new UTNameValuePair
            ("LOGON_ID", user) };
         UTTimestamp time = UTTimestamp.getSystemTimestamp();
         List list = session.search("PERSON", criteria, time, null, null);
         Iterator iter = list.iterator();
         StringBuffer buf = new StringBuffer();
         while (iter.hasNext()) {
            ENPerson person = (ENPerson)iter.next();
            buf.append(person.toString());
            buf.append("\n\n");
         }
         WavesetResult result = actionContext.get("result");
         result.addResult("ACTION_RC", buf.toString());
      </act>
   </ResTypeAction>
   <MemberObjectGroups>
      <ObjectRef type=’ObjectGroup’ id=’#ID#Top’ name=’Top’/>
   </MemberObjectGroups>
</ResourceAction>

Limitations

Currently, this adapter has the following limitations:

• Roles can only be granted to SmartRoles person objects. You cannot grant roles to position objects.

• An Identity Manager installation can only be configured to communicate with a single SmartRoles installation.

• When assigning a granted role sphere of control, the organizations in the sphere of control include organizations that are directly assigned as well as all descendants of those organizations. If you attempt to assign a descendant of an organization that is assigned, an error will occur.

• Because the adapter references SmartRoles organizations by name, the organization names within SmartRoles must be unique.

• When you assign a SmartRoles person object to a position, the adapter does not attempt to find an available position. Instead, the adapter always creates a new position object and assigns the person object to the new position.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

The SmartRoles adapter communicates with the SmartRoles repository as specified in the configuration files copied from the SmartRoles installation. See the SmartRoles product documentation for details about configuring this connection.

Required Administrative Privileges

The user that the adapter uses to connect to SmartRoles must be assigned to a role (such as the SmartRoles Administrator role) that can manage SmartRoles users.

Provisioning Notes

The following table summarizes the provisioning capabilities of this adapter:

Feature	Supported?
Enable/disable account	Yes  Disabling the account prevents the account from logging into SmartRoles.
Rename account	Yes
Pass-through authentication	No
Before/after actions	No  You can run actions from workflows using the runResourceAction Provision Workflow Service. See the ResourceAction Support section for more information.
Data loading methods	Import from resource Active Sync Reconciliation

Account Attributes

The SmartRoles adapter provides the following Identity system user attributes:

User Attribute	Data Type	Description
sr_allRoles	String	List of granted and derived roles (read only)
sr_departments	String	List of departments where user is a member (read only)
sr_derivedRoles	String	Roles that are assigned based on rules or policies (read only)
sr_financialGroups	String	List of FinancialGroups where user is a member (read only)
sr_financialTeams	String	List of FinancialTeams where user is a member (read only)
sr_grantedRoles	String	Roles that are granted directly to Person (read only)
sr_grantedRolesSphere	complex	Complex attribute providing granted roles and sphere of control for each role. Sphere of control specifies for which organizations the account has that role.  The schema for the GenericObject in the GenericAttribute is as follows: roles[*]— List of roles granted to account. roles[index].roleName— Name of granted role. roles[index].organizations— List of organizations in which the account has the role. Note: Specifying an organization in this list implies all child organizations as well. If you also explicitly specify a child organization in this list, an error will occur.
sr_groups	String	List of Groups in which user is a member (read only)
sr_organizations	complex	Complex attribute providing organization membership either directly or through the worker. Organization membership applies to all organization types; including departments, groups, and teams. (read/write)  The schema for the GenericObject in the GenericAttribute is as follows: organizations[*]— List of organizations in which the account is a member. organizations[index].orgName— Name of the organization (required). organizations[index].duties— String describing the account’s responsibilities within the organization (optional). organizations[index].memberRoles— List of membership roles that describe the account’s relationship(s) to the organization. Valid values are: HEAD, PRIMARY, SECONDARY, LIAISON, CONTRIBUTOR, TEAM ADMINISTRATOR, and TEAM MEMBER (optional– but should be specified). organizations[index].viaWorker— Boolean value indicating whether to assign organizational membership directly to the account that is assigned to the worker associated with that account (Person).
sr_positions	complex	Complex attribute providing positions and organization memberships through the position. Organization membership applies to all organization types; including departments, groups, and teams. (read/write)  The schema for the GenericObject in the GenericAttribute is as follows: positions[*]— List of positions to which the account is assigned. positions[index].title— Position title (required). positions[index].jobCode— Job code associated with the position (optional). positions[index].duties— String describing the position’s responsibilities (optional). positions[index].organizations[*]— List of organizations in which the position is a member. The attributes for each organization are described for the sr_organizations attribute– except for the viaWorker attribute, which is not valid in this context.
sr_teams	String	List of Teams in which user is a member (read-only)

Use attribute namespaces to specify attributes generically on related or underlying objects. Use dotted syntax, as follows:

namespace.attribute_name

• Use WORKER for Worker attributes (for example, WORKER.WORKER_TYPE)

• Use X500_PERSON and AUTHENTICATION_INFO namespaces for information objects containing additional attributes for the Person object.

• X500_PERSON contains attributes such as POSTAL_ADDRESS and SECRETARY

• AUTHENTICATION_INFO contains attributes such as LOGON_ATTEMPTS and PASSWORD_CHANGED (date)

Resource Object Management

The SmartRoles adapter supports listing objects only, and it supports the following object types:

• Organizations

• Roles

When listing objects, you can specify the following options in the option Map:

Option Name	Description
searchContext (ResourceAdapter.RA_SEARCH_CONTEXT)	Determines the context in which to perform the search. Use this option only if you are using a searchScope other than subTree to list organizations. If you do not specify this option, top-level organizations are listed. Otherwise, you must use the name of an organization from which to start the search.
searchScope (ResourceAdapter.RA_SEARCH_SCOPE)	Specifies whether to search the current object within the context of the specified searchContext only or in all subcontexts within the specified searchContext. Valid values are  object oneLevel subTree (default) This option is ignored for all object types except organizations.
searchFilter (ResourceAdapter.RA_SEARCH_FILTER)	Specifies a Map containing a set of key/value pairs that are used to filter the list of objects returned. These objects will have attributes with values that match corresponding values in the Map.  If you do not specify this option, the adapter returns all objects of the specified type.
searchAttrsToGet (ResourceAdapter.RA_SEARCH_ATTRS_TO_GET)	Specifies a list of objectType-specific attribute names to get per object.

Identity Template

$Logon ID$

Sample Forms

The following sample forms are provided with the SmartRoles resource adapter:

Built-In

None

Also Available

SmartRolesUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the com.waveset.adapter.SmartRolesResourceAdapter class.

You can also enable DEBUG logging in the SmartRoles APIs by editing the log4j.properties file that is configured in your JVM’s system properties.

Enabling DEBUG Logging in SmartRoles APIs

1. Ensure that the log4j.appender.debuglog.File and log4j.appender.logfile.File properties are set to a valid file path.

2. Set the log4j.logger.bridgestream property to DEBUG as follows:

   log4j.logger.bridgestream=DEBUG

3. You must then restart your server for these log settings to take effect.