
IG 3.7.3: IDM Entitlement Account Collector

I am trying to get the IDM Entitlement Account Collector working to collect and publish accounts from Active Directory.

The IDM AD driver is working, and it is configured with the Entitlement and IG Collection packages.

When running the collection - or the test collection - I do see the IG injected queries in the driver trace, and instance data of all users in Active Directory are returned.

But IG is showing the following error in the UI:

DaaS connector returned error during collection: Command failure: Type: find+chunked: [Could not perform CodeMap-Refresh for Account Entitlement: 'CN=UserAccount,CN=Active Directory Driver,CN=IDMDriverSet,OU=system,O=maintainet']

So far I did not find any way to debug this deeper on the IG end, since there seems to be no error on the IDM side!

Even stranger is the fact that the IDM Entitlement Permission Collector configured for the same AD driver does return data during the collection test of IG!

I believe there is something wrong with the mapped attributes in the configuration, but I am not sure.

Did anybody succeed configuring those collectors for Active Directory Entitlements?

Kind regards

Thorsten


    I did some more digging in the IDM driver's log, and found the following (injected) query after all user instances:

    <nds dtdversion="2.0">
    <input>
    <query class-name="ADDomain" event-id="IG:query" scope="subtree" subscriber-type="service">
    <search-class class-name="ADDomain"/>
    <read-attr attr-name="ADDomainValue"/>
    <read-attr attr-name="ADDomainDisplayName"/>
    <read-attr attr-name="ADDomainDescription"/>
    <operation-data ig-collection-query="true"/>
    </query>
    </input>
    </nds>

    Due to a missing domain name value in the driver configuration, this query ended with no returned domain name. This was the root of the IG DaaS error.

    But now I am facing the problem that the simulation of the collection receives all records, but with no data at all.

    Can someone provide the correct attribute mappings to be used for this collector?
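As an added illustration (not code from the original post or from the IG product), the following Python check parses an XDS query response of the shape an IDM driver returns for the injected ADDomain query quoted above and reports when the domain-name value is missing, which is the condition behind the CodeMap-Refresh error. The response document is a constructed sample; the XDS output layout (nds/output/instance/attr/value) is assumed from the standard IDM format.

```python
import xml.etree.ElementTree as ET

# Attributes the injected IG code-map query reads (see the driver trace above).
CODEMAP_ATTRS = ("ADDomainValue", "ADDomainDisplayName", "ADDomainDescription")

# Constructed XDS query response, not a real driver trace: the single ADDomain
# instance carries an empty ADDomainValue, i.e. the driver has no domain name set.
SAMPLE_RESPONSE = """<nds dtdversion="2.0">
<output>
<instance class-name="ADDomain" event-id="IG:query">
<attr attr-name="ADDomainValue"/>
<attr attr-name="ADDomainDisplayName"><value>EXAMPLE (constructed)</value></attr>
<attr attr-name="ADDomainDescription"><value>Lab domain (constructed)</value></attr>
</instance>
<status event-id="IG:query" level="success"/>
</output>
</nds>"""


def instance_values(instance):
    """Map attr-name -> list of non-empty <value> texts for one XDS <instance>."""
    values = {}
    for attr in instance.findall("attr"):
        texts = [v.text.strip() for v in attr.findall("value") if v.text and v.text.strip()]
        values[attr.get("attr-name")] = texts
    return values


def check_codemap_response(xml_text):
    """Return the problems that would make IG's code-map refresh fail.

    The code map is keyed on ADDomainValue, so every ADDomain instance needs a
    non-empty one; the display name and description are only cosmetic and are
    reported as warnings.
    """
    root = ET.fromstring(xml_text)
    instances = root.findall("./output/instance[@class-name='ADDomain']")
    problems = []
    if not instances:
        problems.append("ERROR: no ADDomain instance returned; check the driver's domain name setting")
    for idx, inst in enumerate(instances):
        values = instance_values(inst)
        if not values.get("ADDomainValue"):
            problems.append(f"ERROR: ADDomain instance {idx} has no ADDomainValue (empty code-map key)")
        for attr in CODEMAP_ATTRS[1:]:
            if not values.get(attr):
                problems.append(f"WARNING: ADDomain instance {idx} has no {attr}")
    return problems


if __name__ == "__main__":
    for line in check_codemap_response(SAMPLE_RESPONSE):
        print(line)
```

Run it against the `<output>` document copied from the driver trace for the IG:query event; an ERROR line points at the same missing domain name that surfaced as the DaaS error in the IG UI.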


    I decided to start from scratch with the IDM Account Entitlement Collector, and finally I got it working with the default configuration, but there are still some questions left.

    First, I am wondering what data can be received by this collector from an IDM-connected system like Active Directory.

    To my understanding, this collector utilizes an IDM driver, determined by the configured Entitlement DN, to send injected queries to the IDM-connected/managed system.

    I can see those queries and the resulting instances in the driver trace. What I cannot see is what IG is really requesting. In the default configuration, the IG collector is using association, description, displayName, GUID, entitlementDN, loginDisabled, entryDN, id and llid as mapped attributes.

    I am guessing that entitlementDN, id and llid are synthetically generated by the collector code, since those attributes are not available in the IDVault nor in the managed system. The association value returned is matching the association value of the XDS instance. I assume that those attributes are supposed to match the parameters of the entitlement, but in this case the collector is returning the wrong value (domain name) for id, which is mapped to "IDM Account ID". This ends up with all accounts published to the IG catalog showing the same IDM Account ID?!

    The value returned for displayName is ambiguous, meaning it is the displayName as long as one is available; in other cases the DN of the account/user in the managed system is returned. This seems to be hard-coded in the collector as well.

    So bottom line is, I am missing some documentation, regarding the capabilities of this collector. What data can be retrieved, and what not?

    Furthermore, I am wondering if it is possible, to grant/revoke the Account Entitlement of a user in the IDVault by this collector?


    Thank you for all the information you provided!

    "So bottom line is, I am missing some documentation, regarding the capabilities of this collector. What data can be retrieved, and what not?"

    - agreed, the documentation does not feel really complete; some settings are not described at all, and some examples would be nice

    "Furthermore, I am wondering if it is possible, to grant/revoke the Account Entitlement of a user in the IDVault by this collector?"

    From what I can tell, you would need to create a new fulfillment target and as a template it would be "IDM Entitlement Fulfillment". Under "Fulfillment configuration/Application setup" you then would need to assign the fulfillment target to the application.

    In general I think only the 'Identity Manager AE Permission' collector also has a fulfillment target configuration (called "Identity Manager automated (system)"). So, I think you cannot grant/revoke Account Entitlements by using this collector; you would need to configure a fulfillment target and assign this target to the application source (in which the collector is defined).



    Anyway, I would not, at least in the first place, try to grant/revoke entitlements in IDM, unless you are 100% sure these entitlements are not the result of RBPM Roles & Resources having been granted in the first place.

    Imagine you use IG to directly revoke an entitlement granted through RBPM: you will mess up the IDM internal (hierarchical) RBAC model, which I guess is not the intention.

    About the documentation being "not so complete" I can only agree!

    Jacques Forster (IGA architect)