Unable to create user in AD after enabling Entitlement package

Hi,

Today I'm testing out using the AD entitlement package to enable role-based control for my IG, but after I enabled, deployed and restarted the AD driver, my AD is unable to create users anymore. It keeps getting vetoed due to "Veto account creation when entitlement not granted". Is the "User-Account" entitlement needed to be put in manually? Or should it be auto-provided by the AD driver on user creation? Before enabling the entitlement package everything was working fine and I was able to create users in AD.


    You have to grant the UserAccount entitlement to a user. This is what controls access to AD accounts. And to your point, NO, the AD driver does not automatically add the entitlement. It is a gatekeeper, so you have to assign it somehow.

    So everyone who should have AD accounts should have the Entitlement. You can grant a role at the Container level. (Not a fan.) You can start building Roles for locations or wherever that start with just the AD Account entitlement for now and start assigning those. Then add additional entitlements when you are ready to start using them.


    Hi Geoffrey,

    By granting, do you mean I need to write a rule to add the entitlement in the driver?


    Generally, you do not add the Entitlement to a user in the driver that grants it. You could, but it is not a great idea.

    Instead, you should start thinking about how you plan to lay out your roles.

    One approach is a loopback driver that watches events and, as attributes are added/removed, reacts by using the do-add-role and do-remove-role tokens to change the roles the user gets.

    A second approach is to make a Dynamic LDAP group, with a filter that matches the attribute values above, and then assign each Group a Role. RRSD will check every hour by default (I think) for dynamic group member changes.

    Or perhaps your HR system, when it creates a user, assigns a role to start with, which would include a Resource for the AD UserAccount entitlement.

    Or you could be using IGA and let it do the role management.
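The loopback-driver approach described in this reply, as an added example in DirXML Script that is not from the thread or from any shipped NetIQ package: a Subscriber-channel policy that grants a role (the role carrying the Resource bound to the AD UserAccount entitlement) when a user's employeeStatus is Active, and revokes it when that attribute changes to anything else. The role DN, the employeeStatus attribute and its values are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy for a loopback driver (not from the thread).
     Role DN and the employeeStatus attribute/values are assumptions. -->
<policy>
  <rule>
    <description>Grant AD account role when employeeStatus is Active</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <!-- Fires on add and on modify events that carry this value -->
        <if-op-attr name="employeeStatus" op="equal">Active</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- The role must already hold the Resource mapped to the
           AD driver's UserAccount entitlement; RRSD does the rest -->
      <do-add-role role-id="cn=AD Account Holder,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application,cn=driverset1,o=system">
        <arg-dn>
          <token-src-dn/>
        </arg-dn>
        <arg-string>
          <token-text xml:space="preserve">Granted by loopback policy: employeeStatus=Active</token-text>
        </arg-string>
      </do-add-role>
    </actions>
  </rule>
  <rule>
    <description>Revoke AD account role when employeeStatus leaves Active</description>
    <conditions>
      <and>
        <if-class-name op="equal">User</if-class-name>
        <if-operation op="equal">modify</if-operation>
        <!-- Only react when the attribute is actually changing -->
        <if-op-attr name="employeeStatus" op="changing"/>
        <if-op-attr name="employeeStatus" op="not-equal">Active</if-op-attr>
      </and>
    </conditions>
    <actions>
      <!-- Removing the role removes the Resource, so the AD
           entitlement is revoked and the driver's veto applies again -->
      <do-remove-role role-id="cn=AD Account Holder,cn=Level10,cn=RoleDefs,cn=RoleConfig,cn=AppConfig,cn=User Application,cn=driverset1,o=system">
        <arg-dn>
          <token-src-dn/>
        </arg-dn>
      </do-remove-role>
    </actions>
  </rule>
</policy>
```

This policy belongs in the loopback driver's Subscriber Command Transformation policy set, with employeeStatus included in the driver filter so the events reach it. The AD driver itself stays unchanged; it keeps vetoing creates until the role assignment has propagated the entitlement.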
