
IG 3.7.3: IDM Entitlement Account Collector

I am trying to get the IDM Entitlement Account Collector working to collect and publish accounts from Active Directory.

The IDM AD driver is working, and it is configured with the Entitlement and IG Collection packages.

When running the collection - or the test collection - I do see the IG injected queries in the driver trace, and instance data of all users in Active Directory are returned.

But IG is showing the following error in the UI:

DaaS connector returned error during collection: Command failure: Type: find+chunked: [Could not perform CodeMap-Refresh for Account Entitlement: 'CN=UserAccount,CN=Active Directory Driver,CN=IDMDriverSet,OU=system,O=maintainet']

So far I did not find any way to debug this deeper on the IG end - since there seems to be no error on the IDM side!

Even more strange is the fact that the IDM Entitlement Permission Collector configured for the same AD driver does return data during the collection test of IG!

I believe, there is something wrong with the mapped-attributes in the configuration, but I am not sure.

Did anybody succeed configuring those collectors for Active Directory Entitlements?

Kind regards

Thorsten

  • 0  

    Hello,

    1) Make sure you are configured with IDM 4 based entitlements. Pre-IDM 4 based entitlements will not work

    2) From this page: www.microfocus.com/.../requirements.html
    scroll down to section 8.3 "Supported Identity Manager Drivers and Packages"

    For your AD Driver:
    - Make sure it is at least version 4.1.3
    - The following two (2) packages are installed on it: "NOVLADENTEX_2.5.7.20190610155012" and "Identity Governance Assignment collection: MFIGASGMTCOL_1.0.0.2022011010414"


    3) Was your Identity Collector created from one of the following templates: "Identity Manager Identity Collector" or "IDM Identity with changes Collector"?

    4) When you created the Application source, did you utilize the Application Definition Sources approach? If you had, it should have created the Application Source. If you did not, please delete what you have and utilize the Application Definition Sources approach.


    5) In your Account Collector in the Application Source
    5.a) The Entitlement DN will need to be mapped to the Account Entitlement in the AD Driver.
    For Example: cn=UserAccount,cn=myad,cn=driverset,o=system

    5.b) Make sure the Account-User Mapping is set to:
    Incoming: GUID
    Match to: Object GUID

    6) In your Permission Collector in the Application Source
    6.a) The Entitlement DN will need to be mapped to the Group Entitlement in the AD Driver
    For Example: cn=Group,cn=myad,cn=driverset,o=system

    6.b) Make sure the Permission-Account or User Mapping is set to:
    Incoming: association
    Match to: Account ID from Source

    If after making the above changes, you are still not seeing this work for you, please open a Support Ticket so we can review your environment.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hello Steven,

    I just configured a new IDM Entitlement Account Collector from the template, and now I am receiving some data running the collection test with IG.

    I believe the "association" value is the GUID of the user in Active Directory, but I am curious about the displayName. Some account records are showing the DN of the AD User, some the displayName. In my configuration Account Name is mapped to displayName, and those users showing the DN do not have a displayName configured in Active Directory.

    All above users in AD have a description configured, but no IG record is showing those values.

    I added the Given Name and Surname attributes just for testing, and those are not collected as well.

    I believe the collector is doing some hard coded stuff behind the scenes, does it not? 

    Are there (some) limitations using this collector? To my understanding, this collector is utilizing an IDM driver by injecting queries to receive (any) data from the connected system - not the IDVault.

    Kind regards

    Thorsten
