07-17-2017 02:01 PM
Hello All,
I can't find any AXL cmdlet that adds a Role. Is it not available via AXL?
I used "addUserGroup" to add User Groups & "addAppUser" to add Application Users.
But I cannot find any command that creates Role (Roles can be linked with UserGroups).
Any clue how?
BR,
Moatassem
Solved! Go to Solution.
07-27-2017 02:26 AM
Hello dstaudt,
Thanks.
The problem with Role, is the BAT output file is not specifying tkapplication for each resource, so it is not conclusive to only mention the resource name. I have solved it programmatically.
For Listing objects, I have to add the SOAP Action header in the HTTP request.
All my issues are fixed now.
07-17-2017 02:13 PM
It looks like there is not a pre-defined AXL request for creating new roles.
You should be able to manipulate roles and associated user groups via <executeSqlUpdate> against the 'functionrole' and 'functionroledirgroupmap' tables.
07-18-2017 04:04 AM
Hello dstaudt,
Thanks for your feedback.
I have traced the different tables using DB Dictionary hosting the Role function, but it is not easy task to manage that on SQL level (INSERTing records on all interlinked tables to ensure data integrity including UUID generation).
That's why using AXL is the best way.
I will give it a try using SQL, however, is there an example somewhere? The SQL INSERT to add new non-standard Role and link it with some Application with the Access-level on each Application-Process?
Something like the below?
<
soapenv:Envelope
xmlns:soapenv
=
"http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns
=
"http://www.cisco.com/AXL/API/8.5"
>
<
soapenv:Header
/>
<
soapenv:Body
>
<
ns:executeSQLQuery
sequence
=
"?"
>
<
sql
>INSERT INTO ....
</
sql
>
</
ns:executeSQLQuery
>
</
soapenv:Body
>
</
soapenv:Envelope
>
Thanks in advance.
Regards,
Moatassem
07-18-2017 12:18 PM
Indeed, you may need to do several manipulations to get where you want...perhaps something like:
Create a new role:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.5">
<soapenv:Header/>
<soapenv:Body>
<ns:executeSQLUpdate>
<sql>insert into functionrole (pkid,description,name) values (newid(),"New Role Description","New Role Name")</sql>
</ns:executeSQLUpdate>
</soapenv:Body>
</soapenv:Envelope>
Add a resource permission to the new role (you will need to somehow retrieve the UUID for the new role, i.e. by querying the functionrole table for the new row you just created:)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.5">
<soapenv:Header/>
<soapenv:Body>
<ns:executeSQLUpdate sequence="?">
<sql>insert into functionroleresourcemap (pkid,fkfunctionrole,tkresource,permission) values (newid(),"[the new role UUID]",1,3)</sql>
</ns:executeSQLUpdate>
</soapenv:Body>
</soapenv:Envelope>
From there, you should be able to move back to <addUserGroup> etc., and proceed to actually define new user groups and put people into them.
07-19-2017 11:42 AM
Thank you so much!
I've made big progress because of you
But now I got stuck in something.
To add a new Role, you must select a certain Application, from which, you assign access permissions for the resources defined in this Application. So a Role can only be linked with one Application.
The BAT CSV export file from CUCM doesn't have any field indicating which Application the resources are in.
But there are duplicate Resources names in different Applications, how to know Application to get its tkapplication when inserting data into functionroleresourcemap table.
Example:
"Called Party Tracing" in both Applications:
- Cisco Call Manager Administration
- Called Party Tracing
This is causing ambiguity .. I don't know which Application to start looking into the resources and build the INSERT T-SQL to SOAP it out!
Any help on this please?
Format of Role CSV Export:
FUNCTION ROLE DESCRIPTION,FUNCTION ROLE NAME,IS STANDARD FUNCTION ROLE,RESOURCE NAME 1,PERMISSION 1,RESOURCE NAME 2,PERMISSION 2,RESOURCE NAME 3,PERMISSION 3,RESOURCE NAME 4,PERMISSION 4,RESOURCE NAME 5,PERMISSION 5...etc
07-21-2017 09:24 AM
Hello,
I have built a logic to smartly deduce the Application for each Role.
Whenever I apply the below SOAP request via POST HTTP method:
I get the UserGroup (1TassemUG) created but without the Role whose UUID = 14cf73f9-4444-4f97-a5c1-dd010e4d3f7e?
What is wrong with the below?
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.0">
<soapenv:Header />
<soapenv:Body>
<ns:addUserGroup sequence = ""?"">
<userGroup>
<name>1TassemUG</name>
<userRoles>
<userRole>
<roleName uuid="14cf73f9-4444-4f97-a5c1-dd010e4d3f7e">
</roleName>
</userRole>
</userRoles>
</userGroup>
</ns:addUserGroup>
</soapenv:Body>
</soapenv:Envelope>
Can you please tell me an example of ListUserGroup? I am struggling to get it working:
I keep getting this error (No method found for processing request)
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.5">
<soapenv:Header />
<soapenv:Body>
<ns:listUserGroup sequence = "?">
<searchCriteria><name>%</name></searchCriteria>
<returnedTags uuid = "?"><name /></returnedTags>
</ns:listUserGroup>
</soapenv:Body>
</soapenv:Envelope>
Regards,
Moatassem
07-24-2017 02:22 PM
It appears the <roleName> element accepts only an element name, not a UUID attribute:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.5">
<soapenv:Header/>
<soapenv:Body>
<ns:addUserGroup sequence="1">
<userGroup>
<userRoles>
<userRole>
<roleName>Standard EM Authentication Proxy Rights</roleName>
</userRole>
</userRoles>
<name>testUserGroup</name>
</userGroup>
</ns:addUserGroup>
</soapenv:Body>
</soapenv:Envelope>
07-24-2017 02:03 PM
It looks like in the table 'typeresource' there is a field 'tkapplication' which maps to the 'typeapplication' table. You should be able to map resource to application using this info:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns="http://www.cisco.com/AXL/API/10.5">
<soapenv:Header/>
<soapenv:Body>
<ns:addUserGroup sequence="1">
<userGroup>
<userRoles>
<userRole>
<roleName>Standard EM Authentication Proxy Rights</roleName>
</userRole>
</userRoles>
<name>testUserGroup</name>
</userGroup>
</ns:addUserGroup>
</soapenv:Body>
</soapenv:Envelope>
07-27-2017 02:26 AM
Hello dstaudt,
Thanks.
The problem with Role, is the BAT output file is not specifying tkapplication for each resource, so it is not conclusive to only mention the resource name. I have solved it programmatically.
For Listing objects, I have to add the SOAP Action header in the HTTP request.
All my issues are fixed now.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide