A resource is any digital entity, such as a user account, computer, or database, to which a business user may require access. The Novell User Application provides a convenient way for end users to request resources they may need. With the introduction of the new Resource Module starting in RBPM 3.7, administrators can define resources and users can be assigned resources via a Resource Catalog.
Generally, resources are assigned or granted to a user based on roles, groups, or entitlements. Additional resource assignments may also be requested on a one-by-one basis. Over time, a user can accumulate resources assigned in a variety of ways.
Suppose we wanted to remove all the resources assigned to a user, and we wanted to do it quickly, such as in the event of a user termination. For roles, we can do this fairly easily with a workflow using the Role Request Activity. This activity uses the underlying Roles API of the Roles Based Provisioning Module engine. Unfortunately, for resources it is not quite as easy, since RBPM 3.7/4.0 does not have a comparable Resource Request Activity. Therefore, this Cool Solution was written to describe how to get around this limitation by using Integration Activities to access resource methods available through the Resource Web Services API.
The following sections describe how to set up a workflow solution that will revoke all of a user’s Roles and Resources.
The following workflow snippet (see Figure 1) shows the activities needed to revoke all roles assigned to a user. Each of the essential activities that make up this workflow is explained below.
(function () {
  // An object is always returned even if there are no roles.
  var roles = flowdata.getObject('roles');
  Packages.java.lang.System.out.println("ROLE OBJECT RETURNED: " + roles);
  // Always check the first element: roles[1].
  var role = flowdata.get('roles[1]');
  Packages.java.lang.System.out.println("FIRST ROLE: " + role);
  if (role != null && role != "") {
    Packages.java.lang.System.out.println("TOTAL ROLES FOUND: " + roles.size());
    return true;
  } else return false;
})();
Check if Roles Exist
The following workflow snippet (see Figure 4) shows the activities needed to revoke all resources assigned to a user. Each of the essential activities that make up this workflow is explained below.
NOTE: The password is treated as a string and must contain quotes around it.
Next, choose getResourceAssignmentsForUser for the Resource Web Service SOAP action. This action will get all the user’s assigned resources.
(function () {
  // Declared locally so the value does not leak into the global scope.
  var totalResources;
  var resources = flowdata.getObject('Activity10/getResourceAssignmentsForUserOutput/' +
    'getResourceAssignmentsForUserResponse/result/resourceassignment/resourceDn');
  if (resources) {
    totalResources = resources.size();
    Packages.java.lang.System.out.println("TOTAL RESOURCES FOUND: " + totalResources);
  } else { totalResources = 0; }
  return totalResources;
})();
Total Resources Retrieved
function getResource() {
  var totalResources = Number( flowdata.get('totalResources') );
  var i = Number( flowdata.get('count') );
  // True while the counter still points at an assigned resource.
  if ( totalResources >= i ) {
    Packages.java.lang.System.out.println( "REVOKING RESOURCE [" + i + "] = " +
      flowdata.get('Activity10/getResourceAssignmentsForUserOutput/' +
        'getResourceAssignmentsForUserResponse/result/resourceassignment[' + i + ']/resourceDn') );
    return true;
  }
  return false;
};
getResource();
Check if more Resources
NOTE: The password is treated as a string and must contain quotes around it.
Next, choose requestResourceRevoke for the Resource Web Service SOAP action. This action will revoke the user’s assigned resource.
Number( flowdata.get('count') ) + 1;
Increment Counter
The workflow will continue to loop through each resource until there are no longer any resources to revoke.
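The loop's control logic can be dry-run outside the engine to confirm that every assigned resource is visited exactly once. This is an added example, not part of the original workflow or the RBPM API: `makeFlowdata` is a hypothetical stand-in for `flowdata` that assumes values are read back as strings, and the starting count of 1 and the sample DNs are constructed. It records what each pass would revoke instead of calling requestResourceRevoke, and shows that incrementing the counter without `Number()` turns "1" into "11" and silently skips resources.

```javascript
// Hypothetical stand-in for the engine's flowdata object (not the RBPM API).
// Assumption: values are stored and read back as strings.
const BASE = 'Activity10/getResourceAssignmentsForUserOutput/' +
  'getResourceAssignmentsForUserResponse/result/resourceassignment';

function makeFlowdata(resourceDns) {
  const vars = {};
  return {
    set(name, value) { vars[name] = String(value); },
    get(path) {
      const m = path.match(/resourceassignment\[(\d+)\]\/resourceDn$/);
      if (m) return resourceDns[Number(m[1]) - 1] || '';  // XPath indexes from 1
      return vars[path];
    },
    getObject() { return { size: () => resourceDns.length }; },
  };
}

// Dry run of the loop: records the DN each pass would revoke instead of calling SOAP.
function dryRunRevoke(resourceDns, increment) {
  const flowdata = makeFlowdata(resourceDns);
  const resources = flowdata.getObject(BASE + '/resourceDn');
  flowdata.set('totalResources', resources ? resources.size() : 0);
  flowdata.set('count', 1);                      // assumed starting value
  const revoked = [];
  let passes = 0;
  while (Number(flowdata.get('totalResources')) >= Number(flowdata.get('count'))) {
    if (++passes > resourceDns.length) throw new Error('loop did not terminate');
    revoked.push(flowdata.get(BASE + '[' + flowdata.get('count') + ']/resourceDn'));
    flowdata.set('count', increment(flowdata.get('count')));
  }
  return revoked;
}

const withNumber = (c) => Number(c) + 1;         // numeric increment, as on this page
const withoutNumber = (c) => c + 1;              // string concatenation: "1" -> "11"

// Constructed sample DNs, not taken from a real directory.
const SAMPLE = Array.from({ length: 12 }, (_, i) => 'cn=res' + (i + 1) + ',cn=ResourceDefs');

// Resources that would remain assigned after the loop finishes.
function skippedResources(increment) {
  const revoked = new Set(dryRunRevoke(SAMPLE, increment));
  return SAMPLE.filter((dn) => !revoked.has(dn));
}
```

With the numeric increment nothing is skipped; with the string increment only the first and eleventh of the twelve sample resources are revoked.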
The following section shows an example of what to expect after building the workflow to revoke all roles and resources as described in the previous sections.
The above methods for revoking roles and resources should be thoroughly tested in your test environment before they are released into your production environment. It is anticipated that the new RBPM release 4.01 will provide a new Resource Activity available for the matching Designer version. In that case, the Integration Activities will no longer be necessary, and revoking resources can be achieved in much the same way as revoking roles, as explained in this article.
An XML export of the “Revoke Roles and Resources” workflow can be found at https://community.microfocus.com/communities/media/revokeallrolesandresources.zip.