EPM Application Role Configuration

Document ID : KB000094102
Last Modified Date : 25/07/2018
Introduction:
- Using an EPM Application to protect resources and authorize (Az) users.
- The use case is to authorize a user based on membership in a group, or on a specific attribute value in the user directory.
- The expression below was used, but the users are not getting authorized:

(AT("CN=Domain Users,OU=Groups,DC=guidehome,DC=com", SM_USERDN))
 
Environment:
12.51, 12.52, 12.6, 12.7 and 12.8
Instructions:
You can configure the role to match on either of the following:
1. Member Groups
Defines the groups whose members belong to the role (this is the INGROUP function).

2. Member Organizations
Defines the organizations (directory containers) whose entries belong to the role (this is the AT function).

If you want to match on the user's group membership (the memberOf attribute), select Member Groups (an INGROUP user expression will be used).
If you want to match on the user's full DN, use Member Organizations (an AT user expression will be used).

Below are examples of how to use the AT and INGROUP functions.

INGROUP Function

Example 1
Expression = (INGROUP("CN=Group1,CN=Users,DC=smtestenv,DC=com") OR INGROUP("CN=Group2,CN=Users,DC=smtestenv,DC=com")) OR ((employeeType = "admin") AND (NUMBER(adminCount) > 8)) 

Tested with 3 users as follows:
joe --> belongs to Group2
joe1 --> belongs to Group1
joe6 --> no groups, but has employeeType = "admin" and adminCount > 11

1) joe had a successful Az
2) joe1 had a successful Az
3) joe6 had a successful Az


Example 2
Expression = (INGROUP("CN=Group1,CN=Users,DC=smtestenv,DC=com") OR INGROUP("CN=Group2,CN=Users,DC=smtestenv,DC=com")) AND ((employeeType = "admin") AND (NUMBER(adminCount) > 8)) 

Tested with 3 users as follows:
joe --> belongs to Group2
joe1 --> belongs to Group1
joe6 --> added to Group1 and has employeeType = "admin" and adminCount > 11

1) joe had a failed Az
2) joe1 had a failed Az
3) joe6 had a successful Az

Then modified user joe and updated employeeType = "admin" and adminCount > 10 (so now he belongs to Group2 and has the listed attributes), tested again and had a successful Az.
Then modified user joe1 and updated employeeType = "admin" and adminCount > 18 (so now he belongs to Group1 and has the listed attributes), tested again and had a successful Az.
Then modified user joe1 and updated employeeType = "admin" and adminCount > 7 (so now he belongs to Group1 and has the listed attributes), tested again and had a failed Az, since the expression requires NUMBER(adminCount) > 8.
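The following is an added example, not SiteMinder code and not from the original article: it models the INGROUP and attribute logic of Examples 1 and 2 over a constructed in-memory user store, so the Success / Failed results reported above can be reproduced and the effect of OR versus AND between the group test and the attribute test is visible. The helper names (norm_dn, ingroup, number, make_user, evaluate) and the sample attribute values are assumptions; real INGROUP evaluation is performed by the Policy Server against the user directory.

```python
"""Added example (not SiteMinder code): a model of the INGROUP and attribute
expressions from Examples 1 and 2, run over a constructed in-memory user store.

Assumptions: group DNs compare case-insensitively after whitespace around
commas is removed; directory attribute values are strings, and a missing or
non-numeric value makes a NUMBER() comparison false.
"""

GROUP1 = "CN=Group1,CN=Users,DC=smtestenv,DC=com"
GROUP2 = "CN=Group2,CN=Users,DC=smtestenv,DC=com"


def norm_dn(dn):
    """Canonicalise a DN for comparison: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def ingroup(user, group_dn):
    """INGROUP(): true when group_dn appears among the user's memberOf values."""
    wanted = norm_dn(group_dn)
    return any(norm_dn(g) == wanted for g in user.get("memberOf", []))


def number(value):
    """NUMBER(): convert a string attribute to int; None when absent or not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def is_admin(user):
    """(employeeType = "admin") AND (NUMBER(adminCount) > 8)"""
    count = number(user.get("adminCount"))
    return user.get("employeeType") == "admin" and count is not None and count > 8


def in_either_group(user):
    """INGROUP(Group1) OR INGROUP(Group2)"""
    return ingroup(user, GROUP1) or ingroup(user, GROUP2)


def example1(user):
    """Example 1: group membership OR admin attributes."""
    return in_either_group(user) or is_admin(user)


def example2(user):
    """Example 2: group membership AND admin attributes."""
    return in_either_group(user) and is_admin(user)


def make_user(groups=(), employee_type=None, admin_count=None):
    """Build a constructed user record shaped like the directory attributes used above."""
    return {"memberOf": list(groups), "employeeType": employee_type, "adminCount": admin_count}


# Constructed users matching the Example 1 test setup (adminCount value is assumed).
EXAMPLE1_USERS = {
    "joe": make_user([GROUP2]),
    "joe1": make_user([GROUP1]),
    "joe6": make_user([], "admin", "12"),
}

# Constructed users matching the Example 2 test setup (joe6 added to Group1).
EXAMPLE2_USERS = {
    "joe": make_user([GROUP2]),
    "joe1": make_user([GROUP1]),
    "joe6": make_user([GROUP1], "admin", "12"),
}


def evaluate(expr, users):
    """Return {username: authorized} for every user in the store."""
    return {name: expr(rec) for name, rec in users.items()}


if __name__ == "__main__":
    print("Example 1:", evaluate(example1, EXAMPLE1_USERS))
    print("Example 2:", evaluate(example2, EXAMPLE2_USERS))
    # Follow-up modification: joe1 in Group1 with adminCount "8" still fails,
    # because the expression requires NUMBER(adminCount) > 8.
    print("joe1 adminCount=8:", example2(make_user([GROUP1], "admin", "8")))
```

Running the block prints one result per user for each example; the third print reproduces the final failed Az for joe1, which is the boundary the NUMBER(adminCount) > 8 comparison draws.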

AT Function

AT(root_DN, user_DN)
Where root_DN is at level L and user_DN is at level L+1, i.e. user_DN is exactly one level below root_DN.
Example
Root DN : ou=people,dc=joeuserstore,dc=com
User DN : cn=yawayli,ou=people,dc=joeuserstore,dc=com

- The AT function should be used as follows:

** Usage 1 --> Authorize users that belong to ou=people as follows
(AT("dc=joeuserstore,dc=com","ou=people,dc=joeuserstore,dc=com"))

** Usage 2 --> use the named expression as indicated in the previous note
(AT("ou=people,dc=joeuserstore,dc=com",#Az_USERDN))

** Usage 3 --> use the user's full DN, per the guide
(AT("ou=people,dc=joeuserstore,dc=com ","cn=yawayli,ou=people,dc=joeuserstore,dc=com"))

NOTE --> The expression below will not work, because the root_DN used does not contain ou=people: the function only matches one level below root_DN, and this user DN is two levels below it.
(AT("dc=joeuserstore,dc=com ","cn=yawayli,ou=people,dc=joeuserstore,dc=com"))

NOTE --> #Az_USERDN is a named expression that is populated with the SM_USERDN user attribute header generated upon successful authentication.
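The following is an added example, not SiteMinder code and not part of the original article: it models the AT(root_DN, user_DN) rule as "user_DN is exactly one level below root_DN" and evaluates the three usages and the failing NOTE case above, plus the expression from the Introduction, where a group DN is passed as root_DN. The helper names (parse_dn, at, resolve_dn, page_cases), the SM_USERDN header value and the user DN cn=joe,cn=Users,dc=guidehome,dc=com are constructed assumptions.

```python
"""Added example (not SiteMinder code): a model of the AT(root_DN, user_DN) rule.

AT() is modelled as: removing the user's leading RDN must leave root_DN, so
user_DN sits at level L+1 under a root_DN at level L.
Assumptions: RDN comparison is case-insensitive and ignores whitespace around
commas (so the trailing space in "...dc=com " is harmless); escaped commas
inside attribute values are not handled by this simple splitter.
"""


def parse_dn(dn):
    """Split a DN into its RDNs, most specific first, normalised for comparison."""
    return [rdn.strip().lower() for rdn in dn.strip().split(",") if rdn.strip()]


def at(root_dn, user_dn):
    """AT(): true when user_dn sits directly (one level) under root_dn."""
    root = parse_dn(root_dn)
    user = parse_dn(user_dn)
    # root at level L, user at level L+1: user must be root plus one leading RDN
    return len(user) == len(root) + 1 and user[1:] == root


def resolve_dn(arg, headers):
    """Resolve the #Az_USERDN named expression from the SM_USERDN header."""
    if arg == "#Az_USERDN":
        return headers["SM_USERDN"]
    return arg


def at_with_headers(root_dn, arg, headers):
    """AT() where the second argument may be a named expression."""
    return at(root_dn, resolve_dn(arg, headers))


# Constructed header set for an authenticated user, as the final NOTE describes.
HEADERS = {"SM_USERDN": "cn=yawayli,ou=people,dc=joeuserstore,dc=com"}


def page_cases():
    """Evaluate the usages and notes from the article; returns {case: matched}."""
    return {
        # Usage 1: the ou=people container is one level under the directory suffix
        "usage1": at("dc=joeuserstore,dc=com", "ou=people,dc=joeuserstore,dc=com"),
        # Usage 2: named expression resolved from SM_USERDN
        "usage2": at_with_headers("ou=people,dc=joeuserstore,dc=com", "#Az_USERDN", HEADERS),
        # Usage 3: literal full user DN (note the trailing space in root_DN)
        "usage3": at("ou=people,dc=joeuserstore,dc=com ",
                     "cn=yawayli,ou=people,dc=joeuserstore,dc=com"),
        # NOTE: root_DN is two levels above the user, so there is no match
        "note_two_levels": at("dc=joeuserstore,dc=com ",
                              "cn=yawayli,ou=people,dc=joeuserstore,dc=com"),
        # Introduction: a group DN is not the container of a user's DN, so AT()
        # cannot express group membership; that is what INGROUP is for.
        # (constructed user DN)
        "intro_group_as_root": at("CN=Domain Users,OU=Groups,DC=guidehome,DC=com",
                                  "cn=joe,cn=Users,dc=guidehome,dc=com"),
    }


if __name__ == "__main__":
    for name, matched in page_cases().items():
        print(f"{name}: {'Success Az' if matched else 'Failed Az'}")
```

The last case is why the expression in the Introduction never authorizes anyone: AT() compares DN hierarchy, and a user's DN is never located one level beneath a group object, whatever that user's memberOf values are.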