Using Existing AD Users as Templates in IDM

Problem



A Forum reader asked this question:



"Currently we copy users created in AD, instead of adding a new user. The helpdesk copies a user to create a new user; the new user will automatically inherit all groups that the old user had, and the new user will have a new username, new password and new first/last name.



Now we want to create users using IDM 3, and the new user should be copied from an existing user instead of being added as a fresh new user. The new user should have the same groups that the user that it is being copied from had.



Is this possible?"



And here's the reply from Father Ramon ...



Solution



The only way to use an existing user in AD as a template would be to have policies that read the relevant attributes from the template user and add them to the user being created. This isn't particularly difficult to do in a policy, except for the group part (which unfortunately appears to be mostly what you are interested in). That's because it involves references and because group membership is actually manipulated on the group object in AD, rather than on the User object.



For most attributes I recommend something like the following in a subscriber creation policy:



<rule>
  <description>Add template attribute</description>
  <conditions>
    <and>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <!-- read every value of the attribute from the template user in AD ... -->
    <do-for-each>
      <arg-node-set>
        <token-dest-attr class-name="User" name="someADAttribute">
          <arg-dn>
            <!-- replace the placeholder with the DN of the template user in AD -->
            <token-text xml:space="preserve"><dn of template object in AD></token-text>
          </arg-dn>
        </token-dest-attr>
      </arg-node-set>
      <!-- ... and add each value to the user being created -->
      <arg-actions>
        <do-add-dest-attr-value name="someADAttribute">
          <arg-value>
            <token-local-variable name="current-node"/>
          </arg-value>
        </do-add-dest-attr-value>
      </arg-actions>
    </do-for-each>
    <!-- repeat for each attribute -->
  </actions>
</rule>


For group membership I would do something more like this in the output transformation:



<rule>
  <description>Add template groups</description>
  <conditions>
    <and>
      <if-operation op="equal">add</if-operation>
      <if-class-name mode="nocase" op="equal">User</if-class-name>
    </and>
  </conditions>
  <actions>
    <!-- read the DNs of the groups the template user belongs to in AD ... -->
    <do-for-each>
      <arg-node-set>
        <token-dest-attr class-name="User" name="memberOf">
          <arg-dn>
            <!-- replace the placeholder with the DN of the template user in AD -->
            <token-text xml:space="preserve"><dn of template object in AD></token-text>
          </arg-dn>
        </token-dest-attr>
      </arg-node-set>
      <!-- ... and, for each group, add the new user's DN to that group's
           member attribute; when="after" issues the modify of the group
           object after the add of the user has been submitted -->
      <arg-actions>
        <do-add-dest-attr-value name="member" when="after">
          <arg-dn>
            <token-local-variable name="current-node"/>
          </arg-dn>
          <arg-value type="dn">
            <token-dest-dn/>
          </arg-value>
        </do-add-dest-attr-value>
      </arg-actions>
    </do-for-each>
  </actions>
</rule>
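To make the difference between the two rules concrete, here is an added illustration (not part of the original reply and not IDM code): a small Python simulation of the events the two rules produce for one new user, built from a constructed template entry. The plain attribute lands on the user's own add event, while each group in the template's memberOf becomes a separate modify of that group object; the XDS-like element shapes and the sample DNs are assumptions for the illustration.

```python
# Added illustration, not IDM's engine: approximates the events the two
# policy rules above produce.  Plain attributes are written onto the
# user's own <add> event; group membership becomes one <modify> per
# group object, because AD keeps membership in the group's "member"
# attribute rather than on the user.
import xml.etree.ElementTree as ET

# Constructed sample: values read from the template user in AD.
TEMPLATE = {
    "dn": "CN=Template User,OU=Templates,DC=example,DC=com",
    "department": ["Helpdesk"],
    "memberOf": [
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",
        "CN=VPN Users,OU=Groups,DC=example,DC=com",
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",  # duplicate on purpose
    ],
}


def copy_template_attrs(add_event, template, attr_names):
    """Rule 1: append each template value to the user's own <add> event."""
    for name in attr_names:
        for value in template.get(name, []):
            attr = ET.SubElement(add_event, "add-attr", {"attr-name": name})
            ET.SubElement(attr, "value").text = value
    return add_event


def template_group_modifies(new_user_dn, template):
    """Rule 2: one <modify> per group in the template's memberOf that adds
    the new user's DN to that group's "member" attribute (when="after")."""
    docs = []
    for group_dn in dict.fromkeys(template.get("memberOf", [])):  # dedupe, keep order
        mod = ET.Element("modify", {"class-name": "group", "dest-dn": group_dn})
        mattr = ET.SubElement(mod, "modify-attr", {"attr-name": "member"})
        val = ET.SubElement(ET.SubElement(mattr, "add-value"), "value", {"type": "dn"})
        val.text = new_user_dn
        docs.append(mod)
    return docs


def build_events(new_user_dn, template, attr_names=("department",)):
    """The user's add event followed by the group modifies issued after it."""
    add = ET.Element("add", {"class-name": "user", "dest-dn": new_user_dn})
    copy_template_attrs(add, template, attr_names)
    return [add] + template_group_modifies(new_user_dn, template)


if __name__ == "__main__":
    for ev in build_events("CN=New User,OU=Staff,DC=example,DC=com", TEMPLATE):
        print(ET.tostring(ev, encoding="unicode"))
```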
