0
Answered

Aurion Security User User_Name

Carol Wapshere 2 years ago in UNIFYBroker/Aurion • updated by anonymous 2 years ago 17

I'm having a problem with a number of Aurion Security Users getting a UserName (which is actually the Display Name) of only their Surname, instead of "Surname, FirstName". MIM Sync is queuing the correct value to be exported through IdB, but the value does not get changed in Aurion.

I have manually changed someone's UserName in Aurion (as the same account that IdB uses) but it gets reverted to Surname.

I have run a series of Full Import Syncs and Exports with the Verbose logging on. In on case I see this:

Add entities [Count:126] to connector Aurion Security User Connector failed with reason Aurion API error -1: System Status is currently set to Exclusive. Access Denied.. Duration: 00:00:01.0140260
Error details:
System.Exception: Aurion API error -1: System Status is currently set to Exclusive. Access Denied.
   at Unify.Communicators.AurionWSCommunicator.Logon(String userName, String password)
   at Unify.Communicators.AurionAgent.Open()
   at Unify.Connectors.AurionSecurityUserConnector.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)
   at Unify.Product.IdentityBroker.EventNotifierUpdatingConnectorDecorator.UpdateEntities(IEnumerable`1 entities, IEnumerable`1 originalEntities, ISaveEntityResults`2 results)",Normal

But elsewhere I see this, which looks like it should have worked:

Add entities [Count:126] to connector Aurion Security User Connector reported 126 entities saved. Duration: 00:00:10.4522680",Normal
Affected Versions:
Fixed by Version:

Answer

Answer

Hi Carol,

Please find attached Aurion Patches.zip which contains two potential patches for this issue. The DLL inside the Quote directory wraps quotes (") around values containing commas (,) and the DLL inside the Bullet directory replaces the delimiter with a bullet (•). Please test both and let us know how they go.

Edit: Carol has confirmed that the bullet works.

Under review

Hi Carol,

I note that the error occurs for updates but the success is for adds. Can you confirm whether this issue only affects updates to entities or whether new entities have the same problem?

Has this issue only recently started occurring, or has it never worked correctly? Does it work in any other environments with the same configuration?

The customer thinks it may have started happening since updating the Aurion connector. The only info I have is on the jira issue : https://unifysolutions.jira.com/browse/FINANCE-157


Something else on those "adds" - they should not have been new entities at all - that was the 126 existing accounts being re-sync'd so MIM would queue the correct UserName for export. So IdB should have been updating existing ESS accounts, not creating new ones. I have not heard any suggestion that duplicates are being created.

The customer has not been able to find a definitive pattern about the effected ESS accounts, however the number is climbing.

Identity Broker only performs the operation that it's told to do, if MIM exports an add that's what it'll do (the same goes for update). The connector also adheres to this (mapping the Identity Broker add and update calls to Aurion add and update calls respectively).

I believe the log entry is incorrectly listed as an add despite the fact that it is actually an update. Note that the original stack trace similarly mentions adds despite being an update. This is fixed from v5.1 and onward.

Updated Identity Broker for Aurion? We don't have access to Jira, could you please add the details here?

I think he means when we migrated to MIM and IdB 5 (from 3).

Hi Unify
We are having an issue with the auUserName syncing to Aurion Security User. For a number of users the name is truncated to just the surname.
MIM is trying to flow the full name.
Most times there is no export error.
But the change does not appear in ID Broker or Aurion.
Occasionally these users have an ‘Other’ error on Aurion Security User export.
Please assist us to resolve this issue.
Thanks
Steven Kuzmanoski | Assistant Director


I ensured MIM was setting the full display name on provisioning, and also confirmed the flow rule was ok. Then asked the customer to run a full import full sync with the IdB verbose logging enabled. MIM queued the correct value but it does not make it into Aurion, and Aurion does not seem to be returning an error message.

I also asked him to manually change a UserName in Aurion, but it was subsequently reverted back to Surname only. It is very hard to for to tell for sure if it was an IdB export that reverted it or something else. It would help if I could get a full log from IdB showing the exact values it is sending to Aurion. I do not have access to the server to do anything myself.

First confirm that the right field is in the schema: from the security user schema provider, not from the query.

It's a SOAP web service, so can traced using .NET network tracing:

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/how-to-configure-network-tracing

I compared the config to another site with a  comparable version of Aurion and the connector config lines relating to this field are the same in both.


          <field name="Name" key="false" readonly="false" required="false" validator="string" id="24648bf7-a198-4bb6-8cd6-62e7e6401a22">
            <Extended xmlns="" />
          </field>

            <attribute name="User_Name" target="Name" />

Via phone call with Carol, it appears that commas in the user names may be at cause here. Awaiting further update.

Answer

Hi Carol,

Please find attached Aurion Patches.zip which contains two potential patches for this issue. The DLL inside the Quote directory wraps quotes (") around values containing commas (,) and the DLL inside the Bullet directory replaces the delimiter with a bullet (•). Please test both and let us know how they go.

Edit: Carol has confirmed that the bullet works.

Apologies that the above attachment was for Identity Broker v5.1. Please try with Aurion v5.0 Patches.zip

Carol has confirmed that the bullet works.

And in addition the double-quoted string with comma still specified as delimiter does not - Aurion still treats the comma as a delimiter inside the quotes.

Via email, a sample trace.

<tns:CALLFUNCTION3>
<P_TOKEN xsi:type="xsd:string">:d$5Y=)>EM\p_/zD"xny1'nB"EPqW+Djq'`B\5v0hJjR9</P_TOKEN>
<P_FUNCTION xsi:type="xsd:string">SEC_USER_UPDATE</P_FUNCTION>
<P_DELIMITER xsi:type="xsd:string">,</P_DELIMITER>
<P_WRAPPER xsi:type="xsd:string" />
<P_PARAMETERS xsi:type="xsd:string">USER_MATCH_VALUE=Bruno Mars,OS_USER_ID=marbru,USER_NAME=Mars, Bruno,USER_STATUS=P,PASSWORD_EXPIRED=F,EMAIL_ADDRESS=bruno.mars@jupiter.network</P_PARAMETERS>
</tns:CALLFUNCTION3>