
Problem with business role detections

Hi,

Running Identity Governance 3.7.3 on SLES 15.4.

I am collecting Identities from IDM using 'eDirectory Identity Collector' and collecting Accounts and Permissions from Active Directory using AD Account Collector / AD Permission Collector.

I have a number of business roles that are used to Add and Remove permissions in AD using the auto-grant & auto-revoke. 

The problem I see with business role detection is that it gets evaluated immediately after publishing Identities, without waiting for Application data to be published. This results in fulfillment failures for all new users for whom identity is collected but account collection is still pending.

Is it possible to add a criterion in the business role membership so that it waits for the account before opening a fulfillment task?


We have a number of business roles with auto-grant and auto-revoke permissions so it's important for us to get this working. Any advice on how to troubleshoot this would be appreciated.

  • 0

    Hi Saifee

    We had a similar problem and solved it by running the application collection and publish just before the identity collection and publish using the schedule capability.

    Johan

  • 0 in reply to 

    I have tried this but the problem I see with this is that the mapping between Identity and Account will not get resolved. It gets resolved only when Application is published after Identity Publish. 

    This is the error I get when the Fulfillment fails for this case:


    [SEVERE] 2024-01-22 14:16:55.779 [com.netiq.iac.persistence.dcs.prov.worker.AutoProvisioningWorkerThread] [IG-DTP] Unexpected error while provisioning changeItem id: 6084. Reason: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).
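
Added example, not part of the thread and not Identity Governance code: a Python triage script that extracts the failing changeItem ids from log lines shaped like the SEVERE line quoted above, so the affected change items can be listed per item type. The regex, the function names and every sample line except the first are assumptions made for this example.

```python
import re
from collections import defaultdict

# Layout taken from the one SEVERE line quoted in the thread; other
# Identity Governance log layouts are not covered (assumption).
FAILURE_RE = re.compile(
    r"\[SEVERE\] (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<logger>[^\]]+)\] \[(?P<tag>[^\]]+)\] "
    r"Unexpected error while provisioning changeItem id: (?P<item>\d+)\. "
    r"Reason: Item '(?P<type>\w+)' does not contain all required "
    r"provisioning attributes \((?P<attrs>[^)]*)\)"
)

def failed_change_items(lines):
    """Return one dict per provisioning failure found in the log lines."""
    failures = []
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m:
            continue  # not a provisioning-attribute failure
        failures.append({
            "timestamp": m["ts"],
            "change_item": int(m["item"]),
            "item_type": m["type"],
            # Attributes the message lists as required, in log order.
            "required_attrs": [a.strip() for a in m["attrs"].split(",") if a.strip()],
        })
    return failures

def group_by_item_type(failures):
    """Map item type -> sorted, de-duplicated changeItem ids."""
    grouped = defaultdict(set)
    for f in failures:
        grouped[f["item_type"]].add(f["change_item"])
    return {k: sorted(v) for k, v in grouped.items()}

_TMPL = ("[SEVERE] {ts} [com.netiq.iac.persistence.dcs.prov.worker.AutoProvisioningWorkerThread] "
         "[IG-DTP] Unexpected error while provisioning changeItem id: {item}. Reason: Item "
         "'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes "
         "(permProvAttr, permProvId, accountProvId).")
SAMPLE_LOG = [
    _TMPL.format(ts="2024-01-22 14:16:55.779", item=6084),  # line from the thread
    _TMPL.format(ts="2024-01-22 14:16:55.801", item=6085),  # constructed
    _TMPL.format(ts="2024-01-22 14:21:55.790", item=6084),  # constructed repeat of 6084
    "[INFO] 2024-01-22 14:17:01.002 [constructed.Logger] [IG-DTP] constructed unrelated line",
]

if __name__ == "__main__":
    print(group_by_item_type(failed_change_items(SAMPLE_LOG)))
```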