Failed to remove the role from user profile in userApplication

We have written the policy to remove the role from UserApplication for the current object.

<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Revoke AD and Exchange role</description>
    <comment xml:space="preserve">Revoke the role AD and Exchange role when emptype change to inactive.</comment>
    <conditions>
      <and>
        <if-class-name mode="case" op="equal">User</if-class-name>
        <if-op-attr mode="nocase" name="cdsEmpType" op="changing-to">I</if-op-attr>
        <if-src-dn op="in-container">~cdsActiveEmployees~</if-src-dn>
      </and>
    </conditions>
    <actions>
      <do-remove-role id="~cdsRoleAdministratorDN~" role-id="cn=AD0400,cn=ADRoles,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApp45,cn=DriverSet,ou=System,o=VCC" time-out="0" url="~cdsUserAppURL~">
        <arg-password>
          <token-named-password name="cdsRoleAdministratorPassword"/>
        </arg-password>
        <arg-string name="description">
          <token-text xml:space="preserve">Revoke the role when employee terminated through Bulk Creation driver</token-text>
        </arg-string>
      </do-remove-role>
      <do-remove-role disabled="true" id="~cdsRoleAdministratorDN~" role-id="cn=Exchange,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApp45,cn=DriverSet,ou=System,o=VCC" time-out="0" url="~cdsUserAppURL~">
        <arg-password>
          <token-named-password name="cdsRoleAdministratorPassword"/>
        </arg-password>
        <arg-string name="description">
          <token-text xml:space="preserve">revoke the exchange role through Bulk Creation driver</token-text>
        </arg-string>
      </do-remove-role>
    </actions>
  </rule>
</policy>

Error message while executing the logic:

DirXML Log Event -------------------
    Driver:   \ABC\CDF\System\DriverSet\Services
    Channel:  Subscriber
    Status:   Error
    Message:  Code(-9206) Error in vnd.nds.stream://VCC-CDS/VCC/System/DriverSet/Services/Subscriber/Revoke+AD+and+Exchange+roles#XmlData:13 : Couldn't request revocation of role: 'cn=AD0400,cn=ADRoles,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=UserApp45,cn=DriverSet,ou=System,o=VCC' from identity 'CN= TPATTANA,

com.novell.nds.dirxml.soap.UserAppClientException: java.rmi.RemoteException: HTTP 401 [10/25/24 04:46:10.061]:Services ST:Policy returned:

  • Verified Answer

    +1  

    An error 404 would suggest the URL was bad (i.e. wrong endpoint). 401 is usually a permission error, which is how a Web service indicates that the user making the request did not have permissions.

    Try that with the User App admin account, which has all the permissions, and I suspect it will work. So check that the object defined in the GCV cdsRoleAdministratorDN exists and that the password in Named Password cdsRoleAdministratorPassword has a value.

    Very often the Named Password is wiped out, and you do not notice. When using one of these tokens, I often drop in a code block: if Named Password does not equal Regex .+ then trace out at level 0 that the password is blank.
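    As an added illustration of the blank Named Password check described in this answer (this is example code, not part of the original post): a DirXML Script rule that copies the Named Password into a local variable and traces at level 0 when the value does not match the regex .+. The Named Password name cdsRoleAdministratorPassword and the conditions come from the policy in the question; the local variable name lvRoleAdminPassword, the rule description and the trace text are assumptions.

```xml
<!-- Example rule (added here, not from the original post). Place it before the
     revoke rule in the same policy so the trace shows up in DSTrace on the
     server the driver actually runs on. -->
<rule>
  <description>Trace at level 0 when the role administrator Named Password is blank</description>
  <conditions>
    <and>
      <!-- Same trigger as the revoke rule: a User whose emp type changes to inactive -->
      <if-class-name mode="case" op="equal">User</if-class-name>
      <if-op-attr mode="nocase" name="cdsEmpType" op="changing-to">I</if-op-attr>
    </and>
  </conditions>
  <actions>
    <!-- lvRoleAdminPassword is an assumed variable name; it holds the Named Password
         value so it can be tested against a regex -->
    <do-set-local-variable name="lvRoleAdminPassword" scope="policy">
      <arg-string>
        <token-named-password name="cdsRoleAdministratorPassword"/>
      </arg-string>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <!-- ".+" matches any non-empty value, so not-equal means the password is blank -->
          <if-local-variable mode="regex" name="lvRoleAdminPassword" op="not-equal">.+</if-local-variable>
        </and>
      </arg-conditions>
      <arg-actions>
        <!-- Level 0 so the message is visible even with a low trace level;
             only the fact that it is blank is traced, never the value itself -->
        <do-trace-message level="0">
          <arg-string>
            <token-text xml:space="preserve">Named Password cdsRoleAdministratorPassword is blank on this server; do-remove-role will fail with HTTP 401</token-text>
          </arg-string>
        </do-trace-message>
      </arg-actions>
      <arg-actions/>
    </do-if>
  </actions>
</rule>
```

    The trace deliberately reports only that the value is blank, never the password itself, so it is safe to leave in place. The same check can be repeated for the GCV cdsRoleAdministratorDN by substituting a token-global-variable for the Named Password token.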

  • 0 in reply to   

    Hi Geoffrey Carman,

    We have recently migrated these drivers to new servers (where IDM was newly installed), and on the old driver the same add logic is working. Not getting how the permissions fail for the same object, which is using the old eDirectory server.

    Thanks

    Naveen 

  • 0   in reply to 

    If this stopped working after moving the drivers to new server, check that all required GCVs and Named passwords are copied to new server.

    Remember, all GCVs and Named passwords are per server.

    Kind regards,

    Sebastijan

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

  • 0 in reply to   

    Hi Sebastijan,

    Even when I passed the hard-coded password in the logic, we still received the same error.

    Thanks

    Naveen

  • 0 in reply to 

    Do we need to pass the full URL like "https://userappurl/idmdash", or is https://UserappUrl enough?

    Currently, passing it without idmdash is throwing an error.

    Thanks

    Naveen

  • 0 in reply to 

    Hi Naveen,

    When using the API from driver policies, you should not use the URL to "talk to" the frontend, but rather the URL to talk to the Web Service layer; a typical URL to use for an ADD or REMOVE role looks like this:

    https://ua01.dev.mycorp.me:8543/IDMProv

    The IDMProv endpoint is the one to use in most cases.

    You should have by default a GCV set at driverset level; by default that GCV is called UAProvURL (Display Name = User Application Provisioning Services URL), visible in the "Advanced Settings" GCV tab.

    Hope this helps!

    Jacques Forster (IGA architect)

  • 0 in reply to 

    I'm a bit late, but wanted to add this as a note for anybody else coming across this post: the similarly named UAProvAdmin is in the wrong format to be put in the authorized user DN field; you need a comma-separated QDN.

  • 0   in reply to 

    Also as noted earlier, those GCVs are at the DriverSet level. Someone improperly importing a project from IDV is very likely to lose the linkage of those objects to the Driver Set object (DirXML-Policy object), and in that case, it would be unavailable. This and lost Named Passwords are the most common causes I see.

    Also, you can use simply uaadmin if there is but one, in the scope of the User App's search for users. If not, you need to use the full LDAP DN.