Looking for a way to log privilege adds even when the user has that priv

We've run into a situation where we want IDM to log privilege adds/removes, even when that privilege already exists (for add) or doesn't exist (for remove) on a person.  Let me give some background.
We are a small team working on an IDM project, each team member with 6-30 months of experience with the IDM product.  We're using 7.1.
We have two systems, one of which is queryable and (certain) privileges updatable via REST API -- we'll call this system REST.  The second system of course is IDM.
When an IDM privilege is added or removed, the business requirement is to always keep IDM and REST in sync, privilege-wise.  This is no problem and we have provisioning set up to make the API call, and it works great.  However, if there is a problem with the REST API (network issue, just plain down, etc.) this sync can't happen.  So, within the provisioning framework, if there is a failure, the failure is logged and the privilege is reverted, keeping REST and IDM synced.  A job runs regularly to check this log table and re-attempt the appropriate action, which of course will trigger provisioning again, hopefully successfully.
The problem occurs in a situation like this, where each point comes in chronological order.
1. User X gets privilege Y granted within an IDM UI.
2. Provisioning triggers, but for some reason the REST API call fails (twice, because of retry).
3. The failure task for the REST API call removes privilege Y from user X.  The error is logged.
4. After a while, some job runs which removes privilege Y from all users whose names begin with X.  Even if the job explicitly removes privilege Y from user X, this is not logged in the system in any way, doesn't trigger provisioning, etc.
5. After another while, the "retry job" runs and attempts action #1 again.  This time, the provisioning succeeds.  Now user X has privilege Y on both IDM and REST.  However, because of step 4, clearly user X should not have privilege Y.
The same (well, reverse) issue occurs when removing the priv in step 1 and doing a grant in step 4.  During tests, one can just set up a To Identity Center step and remove/assign a privilege to an arbitrary person, then run the job containing this step repeatedly.  If the action has no net effect, there's no record (in, for example, sentries, oentries, or indeed in mxi_(old)values).  It would be great if there was a generic way to cause these actions to be logged, and we've actually thought of a couple other cases where this logging would be useful as well.  Is there some simple way?  Is it already logged in some esoteric table we haven't thought of?
Any thoughts on this interesting scenario would be appreciated.  Thanks!

Hi Chris,
If I understand correctly, you are using the log to ensure that the privileges are synced.
Any chance you could enhance step 4 to remove information about the failed assignment from the log, so that it will not be retried?
Note also that this is improved in IdM 7.2 and the framework. You will only get the privilege assigned after the add-member task has successfully assigned the privilege in the back-end system (which is what you are trying to achieve).
Best regards
John Erik Setsaas
Development Architect IdM
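The race in steps 1-5 above and the mitigation John proposes (step 4 also drops the pending retry), as an added simulation; this is not part of the thread and not SAP IDM code, and the store names, `World`, `provision`, `job_remove` and `retry_job` are constructed for illustration:

```python
"""Constructed simulation of the IDM/REST sync race (example, not SAP IDM code):
two in-memory privilege stores, a provisioning hook whose failure handler reverts
and logs, a retry job, and the step-4 job that removes a privilege directly."""
from dataclasses import dataclass, field


@dataclass
class World:
    idm: set = field(default_factory=set)          # (user, priv) pairs held in IDM
    rest: set = field(default_factory=set)         # (user, priv) pairs held in REST
    retry_log: list = field(default_factory=list)  # failed actions awaiting replay
    rest_up: bool = True                           # simulated REST API availability


def provision(w, action, user, priv):
    """Apply an IDM change and push it to REST; on REST failure revert IDM and log."""
    key = (user, priv)
    if action == "add":
        w.idm.add(key)
    else:
        w.idm.discard(key)
    if not w.rest_up:
        # failure task: undo the IDM change so IDM and REST stay in sync
        if action == "add":
            w.idm.discard(key)
        else:
            w.idm.add(key)
        w.retry_log.append((action, user, priv))
        return False
    if action == "add":
        w.rest.add(key)
    else:
        w.rest.discard(key)
    return True


def job_remove(w, user, priv, purge_retries=False):
    """Step 4: direct removal that bypasses provisioning. Because X no longer holds
    Y at this point, the removal has no net effect and leaves no trace in IDM.
    With purge_retries=True the job also drops any pending 'add' for the pair."""
    w.idm.discard((user, priv))
    if purge_retries:
        w.retry_log = [e for e in w.retry_log if e != ("add", user, priv)]


def retry_job(w):
    """Step 5: replay every logged failure through normal provisioning."""
    pending, w.retry_log = w.retry_log, []
    for action, user, priv in pending:
        provision(w, action, user, priv)


def run_scenario(purge_retries):
    """Steps 1-5; returns (X has Y in IDM, X has Y in REST) at the end."""
    w = World(rest_up=False)
    provision(w, "add", "X", "Y")           # 1-3: grant, REST fails, revert + log
    job_remove(w, "X", "Y", purge_retries)  # 4: cleanup job, no provisioning
    w.rest_up = True
    retry_job(w)                            # 5: the logged grant is replayed
    return ("X", "Y") in w.idm, ("X", "Y") in w.rest
```

Without the purge the replayed grant lands in both systems even though step 4 intended X to lose Y; with it, the stale log entry is gone before the retry job runs.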
