Problem with business role detections

Hi,

Running Identity Governance 3.7.3 on SLES 15.4.

I am collecting Identities from Idm using 'eDirectory Identity Collector' and collecting Accounts and Permissions from Active Directory using AD Account Collector / AD Permission Collector.

I have a number of business roles that are used to Add and Remove permissions in AD using the auto-grant & auto-revoke. 

The problem I see with business role detection is that it gets evaluated immediately after publishing Identities, without waiting for Application data to be published. This results in fulfillment failures for all new users for whom identity is collected but account collection is still pending.

Is it possible to add a criterion in the business role membership so that it waits for the account before opening a fulfillment task?


We have a number of business roles with auto-grant and auto-revoke permissions so it's important for us to get this working. Any advice on how to troubleshoot this would be appreciated.

  • 0  

    Do I understand the problem correctly - you collect a new Identity record, and your business role is processed and immediately tries to create a fulfillment to grant an AD account as well as a permission, however, you have a separate process that already has created the AD account, but it hasn't been collected yet, so IG doesn't know which account it is supposed to assign the permission to?

    To reiterate: are you creating the AD account outside of IG - and the problem seems that you want to collect the identity and the account first, then perform the business role evaluation?

    --Jim

  • 0 in reply to   

    Yes, that is right, I am creating AD accounts outside of IG and using the business roles to only grant permissions to an already created account.

    Issue: I want to collect the identity and the account first, then perform the business role evaluation, but I don't see a way that a business role evaluation can be delayed.

    I have fixed the issue using the solution provided by  
