Using JIAM to retrieve attributes stored on a remote endpoint system

Document ID : KB000053999
Last Modified Date : 14/02/2018

Description

For reasons of efficiency, JIAM only retrieves attributes that are stored on the server when doing a wildcard search. Attributes that need to be fetched from the remote endpoint system are only retrieved when a single specific entity (e.g. Account or Group) is requested. This can lead to confusing behaviour when an otherwise normal entity obtained from a JIAM search result is missing standard attributes. The solution is to use the wildcard search to find the entities you are interested in, and then retrieve another copy of each specific entity when you need to access these attributes.

Solution

When iterating over a collection of JIAM entities that match particular search criteria, you will most likely have either handles for the objects or incomplete objects that only contain the attributes available on the server. Below are two examples in which SQL Logins (IAM Accounts) are retrieved together with the attributes that are read from the remote agent. The first is based on a collection of account handles retrieved from a search. The second retrieves accounts based on a collection of incomplete accounts.

Example 1: Using Account Handles

Use the getObject(handle) method on a JIAM session to retrieve the object.

    try {
        FilterSearchIterator acctHandles = mssqlEndpoint.listAccountHandles("(name=*)", 500);

        for (IAMHandle accountHandle; acctHandles.hasNextSearchResult(); ) {
            accountHandle = (IAMHandle) acctHandles.nextSearchResult();

            // Use the jiam session to load the account object based on its handle
            IAMAccount account = (IAMAccount) jiamSession.getObject(accountHandle);

            // Cast to SQLLogin and access the eTSQLServerRoleMember and eTSQLDatabaseMember attributes
            SQLLogin login = (SQLLogin) account;
            Collection srm = login.getServerRoleMember();
            Assert.assertTrue(srm.size() > 0);
            Collection dm = login.getDatabaseMember();
            Assert.assertTrue(dm.size() > 0);
        }
    } catch (IAMException e) {
        Assert.fail(e.getMessage());
    }


Example 2: Using Incomplete Account Objects

Use the getAccount(account) method on the particular endpoint to retrieve an account object. Notice that in this case the accounts retrieved by the listAccounts search only have the "name" attribute, which is necessary because the name attribute is used to find and load the complete account object.

    try {
        // Get a big result set of accounts missing the desired eTSQLServerRoleMember and
        // eTSQLDatabaseMember attributes, i.e. in this case only the account name
        FilterSearchIterator accounts = mssqlEndpoint.listAccounts("(name=*)", new String[] {"name"}, 500);

        for (IAMAccount accountMissingAttributes; accounts.hasNextSearchResult(); ) {
            accountMissingAttributes = (IAMAccount) accounts.nextSearchResult();

            // Using the endpoint, load a complete account with all attributes.
            // NOTE: could also have used accountMissingAttributes.getHandle()
            // and loaded using getObject() on the session
            IAMAccount account = mssqlEndpoint.getAccount(accountMissingAttributes.getName());

            // Cast to SQLLogin and access the eTSQLServerRoleMember and eTSQLDatabaseMember attributes
            SQLLogin login = (SQLLogin) account;
            Collection srm = login.getServerRoleMember();
            Assert.assertTrue(srm.size() > 0);
            Collection dm = login.getDatabaseMember();
            Assert.assertTrue(dm.size() > 0);
        }
    } catch (IAMException e) {
        Assert.fail(e.getMessage());
    }