Dynamic role membership is not evaluated while suspending or restoring a person
The default person suspend and restore operation workflows do not invoke policy evaluation after the person is suspended or restored. To recreate the problem, create a dynamic role whose filter uses erpersonstatus (for example, (erpersonstatus=0)); all applicable persons become members of this dynamic role. Now suspend or restore any user who is a member of the dynamic role so that, after the suspend or restore operation, the user no longer satisfies the filter. Ideally the person is removed from the dynamic role membership after the suspend or restore operation. However, the person remains a member of the dynamic role even though the person's status is updated.
After the described issue is fixed, the person entity is updated and dynamic role membership is added to or removed from it, depending on whether the person being suspended or restored satisfies a dynamic role filter. If a dynamic role that is added or removed in this way is a member of any provisioning policy, those policies must be enforced after the person is suspended or restored. However, the default person suspend and restore operation workflows do not invoke policy evaluation after the person is suspended or restored. To resolve the problem, make the following changes in the suspend and restore person workflows (if they are not already present). Make the changes to the suspend and restore operations for the "Person" entity type, and also for any individual person entities whose suspend or restore workflows are customized.
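The following stand-alone simulation is added here to show why the UPDATEPERSONSCRIPT refresh has to run before policy enforcement; it is not code from this page or from the ISIM product. The LDAP filter parser, the in-memory directory, the dynamic roles and the Entity/Person stand-ins are all constructed for the example and only mimic the behaviour of the real workflow objects (Entity.get(), new Person(dn), Entity.set()). In this simulation erpersonstatus 0 means active and 1 means suspended. The example goes slightly beyond the page's single (erpersonstatus=0) case by supporting &, | and ! filters and by reporting both the roles removed and the roles added.

```javascript
// Added example (constructed simulation, not the ISIM API): why the workflow
// must refresh the "Entity" relevant data after suspend/restore before the
// dynamic role membership is evaluated and policy is enforced.

// Parse a small subset of LDAP filter syntax, enough for typical dynamic
// role filters: (attr=value), (&(...)(...)), (|(...)(...)), (!(...)).
// Returns a predicate over an attribute map.
function parseFilter(text) {
  let pos = 0;
  function node() {
    if (text[pos] !== "(") throw new Error("expected '(' at " + pos);
    pos++;
    const op = text[pos];
    let pred;
    if (op === "&" || op === "|") {
      pos++;
      const parts = [];
      while (text[pos] === "(") parts.push(node());
      pred = op === "&"
        ? (attrs) => parts.every((p) => p(attrs))
        : (attrs) => parts.some((p) => p(attrs));
    } else if (op === "!") {
      pos++;
      const inner = node();
      pred = (attrs) => !inner(attrs);
    } else {
      const close = text.indexOf(")", pos);
      const eq = text.indexOf("=", pos);
      if (eq < 0 || close < 0 || eq > close) throw new Error("expected attr=value at " + pos);
      const attr = text.slice(pos, eq).toLowerCase(); // LDAP attribute names are case-insensitive
      const value = text.slice(eq + 1, close);
      pos = close;
      pred = (attrs) => attr in attrs && String(attrs[attr]) === value;
    }
    if (text[pos] !== ")") throw new Error("expected ')' at " + pos);
    pos++;
    return pred;
  }
  const pred = node();
  if (pos !== text.length) throw new Error("unexpected trailing input in filter");
  return pred;
}

// Dynamic role membership: every role whose filter the person's attributes satisfy.
function dynamicRolesFor(attrs, roles) {
  return roles.filter((r) => r.match(attrs)).map((r) => r.name).sort();
}

// Constructed sample roles (names and filters are assumptions for this example).
const roles = [
  { name: "Active Staff", filter: "(erpersonstatus=0)" },
  { name: "Active Engineers", filter: "(&(erpersonstatus=0)(ou=engineering))" },
  { name: "Suspended Accounts", filter: "(erpersonstatus=1)" },
].map((r) => ({ ...r, match: parseFilter(r.filter) }));

// Constructed in-memory directory: dn -> attributes.
function makeDirectory() {
  return {
    "erglobalid=1,ou=people,dc=example": { cn: "Alice", ou: "engineering", erpersonstatus: 0 },
  };
}

// Simulated suspend/restore workflow. The workflow holds a snapshot of the
// person (the "Entity" relevant data) taken when it starts; the extension
// updates the directory, not that snapshot. With refreshEntity=true the
// UPDATEPERSONSCRIPT step re-reads the person by dn before the policy step.
function runWorkflow(directory, dn, operation, refreshEntity) {
  let entity = { ...directory[dn] };                                // Entity.get() at workflow start
  const before = dynamicRolesFor(entity, roles);
  directory[dn].erpersonstatus = operation === "suspend" ? 1 : 0;  // SUSPENDPERSON / RESTOREPERSON
  if (refreshEntity) entity = { ...directory[dn] };                 // new Person(oldPerson.dn); Entity.set(...)
  const after = dynamicRolesFor(entity, roles);                     // what enforcePolicyForPerson sees
  return {
    after,
    added: after.filter((r) => !before.includes(r)),
    removed: before.filter((r) => !after.includes(r)),
  };
}

// Example run: without the refresh, the stale snapshot still matches the
// "active" roles, so no membership change reaches policy enforcement.
const personDn = "erglobalid=1,ou=people,dc=example";
console.log("stale entity:    ", JSON.stringify(runWorkflow(makeDirectory(), personDn, "suspend", false)));
console.log("refreshed entity:", JSON.stringify(runWorkflow(makeDirectory(), personDn, "suspend", true)));
```

The stale run reports no roles removed, which is exactly the symptom described above: the person's status is updated in the directory, but the membership evaluated from the workflow's own copy of the person is unchanged. The refreshed run reports the two active roles removed and the suspended role added, which is the input the ENFORCEPOLICYFORPERSON extension needs.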
- Update the Suspend Person workflow.
  - Open the "suspend" person workflow in the workflow designer.
  - Add a new script node after the "SUSPENDPERSON" extension node. Add the following script to the new script node to refresh the "Entity" relevant data, as shown in the following screenshot.
    <script>
    var oldPerson = Entity.get();
    var updatedPerson = new Person(oldPerson.dn);
    Entity.set(updatedPerson);
    </script>
  - Add a new extension node after the UPDATEPERSONSCRIPT script node to enforce the policy.
  - Save the workflow.
See the following tables for the node properties and link properties of the Suspend Person workflow.

Node properties of the Suspend Person workflow:

  Node        Feature         Value
  Start       Activity ID     START
              Join Type       AND
              Split Type      AND
  Extension   Activity ID     SUSPENDPERSON
              Join Type       AND
              Split Type      AND
              Extension Name  suspendPerson(Person person, String accountSuspend)
              Postscript      WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
                              WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
  Script      Activity ID     UPDATEPERSONSCRIPT
              Join Type       AND
              Split Type      AND
              JavaScript      var oldPerson = Entity.get();
                              var updatedPerson = new Person(oldPerson.dn);
                              Entity.set(updatedPerson);
  Extension   Activity ID     ENFORCEPOLICYFORPERSON
              Join Type       AND
              Split Type      AND
              Extension Name  enforcePolicyForPerson(Person person)
              Postscript      WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
                              WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
  End         Activity ID     END
              Join Type       AND
              Split Type      AND

Link properties of the Suspend Person workflow:

  From                              To                                Feature           Value
  Start START                       Extension SUSPENDPERSON           Custom Condition  true
  Extension SUSPENDPERSON           Script UPDATEPERSONSCRIPT         Custom Condition  activity.resultSummary != activity.FAILED
  Script UPDATEPERSONSCRIPT         Extension ENFORCEPOLICYFORPERSON  Custom Condition  true
  Extension ENFORCEPOLICYFORPERSON  End END                           Custom Condition  true
  Extension SUSPENDPERSON           End END                           Custom Condition  activity.resultSummary == activity.FAILED

- Update the Restore Person workflow.
  - Open the "restore" person workflow in the workflow designer.
  - Add a new script node after the RESTOREPERSON extension node. Add the following script to the new script node to refresh the "Entity" relevant data.
    <script>
    var oldPerson = Entity.get();
    var updatedPerson = new Person(oldPerson.dn);
    Entity.set(updatedPerson);
    </script>
  - Add a new extension node after the UPDATEPERSONSCRIPT script node to enforce the policy.
  - Save the workflow.
See the following tables for the node properties and link properties of the Restore Person workflow.

Node properties of the Restore Person workflow:

  Node        Feature         Value
  Start       Activity ID     START
              Join Type       AND
              Split Type      AND
  Extension   Activity ID     RESTOREPERSON
              Join Type       AND
              Split Type      AND
              Extension Name  restorePerson(Person person, String accountRestore)
              Postscript      WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
                              WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
  Script      Activity ID     UPDATEPERSONSCRIPT
              Join Type       AND
              Split Type      AND
              JavaScript      var oldPerson = Entity.get();
                              var updatedPerson = new Person(oldPerson.dn);
                              Entity.set(updatedPerson);
  Extension   Activity ID     ENFORCEPOLICYFORPERSON
              Join Type       AND
              Split Type      AND
              Extension Name  enforcePolicyForPerson(Person person)
              Postscript      WorkflowRuntimeContext.setProcessResult(WorkflowRuntimeContext.getActivityResult());
                              WorkflowRuntimeContext.setProcessResultDetail(WorkflowRuntimeContext.getActivityResultDetail());
  End         Activity ID     END
              Join Type       AND
              Split Type      AND

Link properties of the Restore Person workflow:

  From                              To                                Feature           Value
  Start START                       Extension RESTOREPERSON           Custom Condition  true
  Extension RESTOREPERSON           Script UPDATEPERSONSCRIPT         Custom Condition  activity.resultSummary != activity.FAILED
  Script UPDATEPERSONSCRIPT         Extension ENFORCEPOLICYFORPERSON  Custom Condition  true
  Extension ENFORCEPOLICYFORPERSON  End END                           Custom Condition  true
  Extension RESTOREPERSON           End END                           Custom Condition  activity.resultSummary == activity.FAILED

Parent topic: Troubleshooting ISIM Server problems