BHOLD Attribute-based authorization(ABA) Rule RRS feed

  • Question

  • Hi All

    Need your reply on this.

    How to create a ABA rule in BHOLD?


     Thanks & Regards

    Sneha Kumari

    Monday, July 9, 2012 8:31 AM

All replies

  • Hi Sneha,

    I believe there is currently a bug in BHOLD that is preventing ABA rules being applied properly. Normally you would add a rule to the role that links it to a particular attribute (e.g. jobTitle) but I'm seeing object reference errors being thrown when I do this at present


    Dave Nesbitt | Architect | Oxford Computer Group

    Monday, July 9, 2012 3:33 PM
  • Hi Dave

    How to add a rule to a role as mentioned by you? Is this should be done at the time of role creation? If yes which attribute during role creation will specify this?

    As mentioned in following link,, I added the attribute(to be used for ABA)  as a value of  'BFSSManageAttributeRoles' in registry. But this serves no help.

    Please reply.

    Thanks & Regards

    Sneha Kumari

    Tuesday, July 10, 2012 7:12 AM
  • Ah, OK

    There are two ways of creating ABA (attribute-based) roles:

    1. Using BFSS and the registry setting you mention

    2. Using BHOLD Core and manually creating an ABA rule for a given role

    I haven't tried using the BFSS method with the Microsoft-released code. It used to work fine before the acquisition. Basically you specify an attribute (e.g. JobTitle) and BFSS should create a JT- role for each title it finds. So when you look at a user in BHOLD Core you would see their inherited MR-roles (e.g. MR-Accounts Payable, MR-Finance, MR-The Company etc), their PR-role (e.g. PR-Alka Strudel) and any JT- or other ABA roles (e.g. JT-Accounts Payable Clerk)

    If I get time today I will take a look in my lab and see if this is working. As I said before, I am aware of an issue in BHOLD Core that is preventing manual creation of ABA roles, it could be that this is also affecting BFSS

    Dave Nesbitt | Architect | Oxford Computer Group

    Tuesday, July 10, 2012 8:20 AM
  • Hi Dave

    The registry setting method is not working for dynamic role creation.

    I could not find anything in BHOLD Core portal which helps in achieving that. Please share as to how to create a ABA rule from BHOLD Core.

    Thanks & Regards

    Sneha Kumari

    Tuesday, July 10, 2012 2:40 PM
  • Hi All

    While going through the BFSS log logged in the temp folder, I came across the following:

    Cycle starting...
    7:25:08 PM : Starting BFSS Process
    7:25:08 PM : BFSS service started
    7:25:08 PM : Timer setting is '15', interval is 15000 msec.
    7:25:08 PM : BFSS Log Level is 'verbose'
    7:25:08 PM : BFSS Service Version 5.0.1312.0 initialising...
    7:25:08 PM : using registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node
    7:25:08 PM : Max changes is '50'
    7:25:08 PM : Manage Attribute Roles ''
    7:25:08 PM : Create Roles is 'No'
    7:25:08 PM : Link Roles is 'No'
    7:25:08 PM : Maintain OU SV Roles is 'No
    7:25:08 PM : FIMStatus implemented is False

    As per the log, the service is reading certain values from registry-Manage Attribute Roles,Create Roles,Link Roles, but these values are not present in registry at the specified location. Need to know from where is the service reading these values and if they are related to Attrbute-based role creation.

    Thanks & Regards

    Sneha Kumari

    Thursday, July 12, 2012 2:25 PM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\bhold\b1Core\

    • "BFSSManageAttributeRoles" – A list of user Attributes that BFSS should use to manage attribute roles for. The list is in the format <Attribute Name>,<Prefix>;<Attribute name,<Prefix>;… , where the prefix and the Attribute value are used to create the Role name. E.g.: if a User has an Attribute “Jobtitle” set to the value “Bank Teller” and the prefix is set to “JT-“ then the Role name of the Role that is generated will be “JT-Bank Teller”
    • "BFSSCreateRoles" – Set to “Yes” if the BFSS service is allowed to create new roles
    • "BFSSLinkRoles – Set to “Yes” if BFSS is allowed to link roles to users

    You'll need all thee set to "Yes" for BFSS to create anything apart from MR- and PR- roles

    Dave Nesbitt | Architect | Oxford Computer Group

    Thursday, July 12, 2012 2:46 PM
  • Hi

    'BFSSManageAttributeRoles' value is set to 'ABARole1,ABA1-;' still the service is unable to read the value. Is it mandatory to set the value of 'BFSSManageAttributeRoles' before installation of BHOLD FIM Provisioning module, as mentioned in the following link,

    Thanks & Regards

    Sneha Kumari

    Friday, July 13, 2012 5:35 AM
  • I was running into the same problem, implementing the BFSSManageAttributeRoles was not working. I ended up adjusting the FIMEmployee table by adding JobTitle, EmployeeType and Department columns as nvarchar (255). The  BFSS ran and realized these attributes in the table, and propagated them to the BHOLD Core. I, then, used the Attribute types menu to adjust and/or provide proper English and Active Directory names. 


    Monday, July 23, 2012 1:42 PM
  • I had also the problem that the roles for the defined attributes weren't created. Now I added the two mentioned attributes to the registry and now everyting works fine. But I didn't find any information about this Keys in the documentation. I'm wondering in witch documentation are this informations? Is there anywhere a better a better source? Thanks Roger
    Thursday, July 26, 2012 2:00 PM