IBM-Security / isam-ansible-roles

Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

where are the set_mgmtazn_role_feature NAMES ? #170

Open rfransix opened 4 years ago

rfransix commented 4 years ago

Hi, this is the main.yml for set_mgmtazn_role_features. Where do we get the actual names and feature names to build the task yml?

isam-ansible-roles/set_mgmtazn_role_feature/tasks/main.yml

rfransix commented 4 years ago

Alternatively, are wildcards allowed? The goal is to change all the features to Write (some are set to None by default).

rfransix commented 4 years ago

Solved using: curl -kv -u "admin":"password" -X GET -H "Accept: application/json" "https://CIAISAPD0029.sys.cigna.com/authorization/features/v1"

Then sed to put in a list: $ cat features.out | sed -e 's/,/\n/g'

Then put the list in the ansible play.

However, after trying the first feature_name Monitor:monitor, it fails with a 404 for some reason. Any idea?

failed: [hostname.com] (item={u'access': u'w', u'feature_name': u'monitor', u'name': u'Monitor'}) => {"ansible_loop_var": "item", "changed": false, "item": {"access": "w", "feature_name": "monitor", "name": "Monitor"}, "log": "[2019-12-13 14:23:33,789] [PID:17853 TID:140503417423680] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: {\"firmware_label\":\"isam_9.0.4.0_20171201-2325\",\"firmware_build\":\"20171201-2325\",\"firmware_version\":\"9.0.4.0\",\"product_description\":\"IBM Security Access Manager\",\"deployment_model\":\"Appliance\",\"product_name\":\"isam\"}\n[2019-12-13 14:23:33,935] [PID:17853 TID:140503417423680] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: { \"configured\": true}\n[2019-12-13 14:23:34,107] [PID:17853 TID:140503417423680] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_process_response():80] Text: [{\"name\":\"ISAM Base Appliance\",\"description\":\"IBM Security Access Manager Base Appliance\",\"id\":\"wga\",\"enabled\":\"True\"}]\n", "msg": "('HTTP Return code: 404', u'')", "name": "ibmsecurity.isam.base.management_authorization.role_feature.set"}

ram-ibm commented 4 years ago

The ibmsecurity package provides a get() function in addition to update() and set(). Might be cleaner to get a JSON output from get() and then iterate through it?

archive_logs - this role has tasks that use a combination of get() and delete(). report_junctions() uses multiple get() statements.