Solved: Differ between users and groups in trigger script

ssaul · ‎May 16, 2014

Hi,

we have an Integrity Source server trigger script that gets a user- or groupname from a member attribute.

Actually, it identifies this string as user or as group by the command

Server.getUsersOfGroup(Server.getGroupBean("string"));

and if the size of the return value is 0 (string is username) or not (string is groupname).

This works pretty well, but we get many errors in the logfile like

2014-04-01 11:31:40,732 ERROR [mksis.IntegrityServer] * * * * ERROR * * * * (0): MKS125524: Group <string> could not be found in the realm.

So my question is:

Is there another way to determine if a given string is a valid user or a valid groupname?

Thanks,

Stephan

KaelLizak · ‎Jun 24, 2014

Hello Stephan,

From the Integrity Manager side, it is possible to get groups (LocalTriggerManager.ScriptServerBean has getGroups()), but that requires walking the Source operations to changes in IM.

Another possibility is to set up a scheduled trigger that dumps a list of users and groups to a file (perhaps once a day). Then, instead of checking directly against the application, you can check against the daily dump list. You will still get errors, but far fewer (just when the trigger script is run), rather than every time you check.

The drawback, of course, is that it's not quite real time, but you can mitigate that by manually running the trigger if something happens that requires users to be added/removed from the pool.

The most correct thing to do is list the users and groups cleanly, and then check against that list, but that functionality doesn't exist yet. If you could contact PTC Integrity Support to create an enhancement request for this functionality, and let us know what the enhancement RFC number is here, I would very much appreciate it.

Regards,

Kael

Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager

View solution in original post

KaelLizak · ‎May 27, 2014

Hello Stephan,

Is there an exception you can catch and try to handle that you currently are not? I am guessing that the mks.frame.triggers.TriggerException is likely getting thrown here, and already getting caught by your script and getting logged, or our code logs the error, then throws the exception. Both getUsersOfgroup(...) and getGroupBean(...) throw that exception.

I suppose you could run getUserBean("string") instead, but expect that would just result in a similar exception (and an error logged) if string didn't correspond to a valid user.

Regards,

Kael

Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager

KaelLizak · ‎Jun 23, 2014

Hello Stephan,

Did the information I provided answer your question, or at least get you moving in the right direction? If it helped, could you share with us where you are now? If it resolved the issue, could you mark the answer as correct, so that if someone else is looking into something similar, they find the answer on a forum search?

Thanks,

Kael

Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager

ssaul · ‎Jun 24, 2014

Hello Kael,

sorry for the delay.

We are already catching exceptions. This may be the cause for the logged error.

My problem still is that I cannot determine if any given string is a user or a group (or none of both because of misspelling) without error log entry.

Since the script is called quite often, this fills our errorlog.

Any ideas how to avoid this?

Best regards,

Stephan

KaelLizak · ‎Jun 24, 2014

Hello Stephan,

From the Integrity Manager side, it is possible to get groups (LocalTriggerManager.ScriptServerBean has getGroups()), but that requires walking the Source operations to changes in IM.

Another possibility is to set up a scheduled trigger that dumps a list of users and groups to a file (perhaps once a day). Then, instead of checking directly against the application, you can check against the daily dump list. You will still get errors, but far fewer (just when the trigger script is run), rather than every time you check.

The drawback, of course, is that it's not quite real time, but you can mitigate that by manually running the trigger if something happens that requires users to be added/removed from the pool.

The most correct thing to do is list the users and groups cleanly, and then check against that list, but that functionality doesn't exist yet. If you could contact PTC Integrity Support to create an enhancement request for this functionality, and let us know what the enhancement RFC number is here, I would very much appreciate it.

Regards,

Kael

Kind Regards,
Kael Lizak

Senior Technical Support Engineer
PTC Integrity Lifecycle Manager

ssaul · ‎Sep 09, 2014

Hi,

just as follow-up:

This is our Case C12051636 - "Differ between users and groups in trigger script, functionality missing"

We did not get an RFC number.

ssaul · ‎Oct 24, 2014

Hi Kael,

some more infos and questions:

- The function Server.getUsersOfGroup(groupname) does not lead to an exception if groupname is not in the system, but directly to an entry in server.log. So we can NOT avoid the entry via try...catch.

- Both functions Server.getGroupBean(groupname) and Server.getUserBean(groupname) result in a value != 0 for a valid username AND a valid groupname.

- How can we "walk the Source operations to changes in IM"?

How can we access the IM function Server.getGroups() in an si-script?

sb = bsf.lookupBean("imServerBean") results in null in the SI script.

Stephan