Permission to Account Mapping

I created two collectors for one application. The first collects accounts, and the second permissions aka groups.

The collection of both is working, but the association of the groups to the accounts is not set as expected.

This is what I receive during the collection test of the permission collector. The field "list_of_users" is a CSV containing the "Account Names" collected by the account collector.

The attribute mapping of the permission collector seems to be correct as well:

But when running the collection I am receiving 12 errors - this matches the number of groups providing a value for list_of_users.

For sure I checked if the values from the CSV could be matched to the values of "Account Name" .....

First I was trying to convert the csv to an array by a transformation script, but this was not working either!

Next I used the transformation script to wrap the CSV in square brackets:

ScriptEngine inputValue: LALAZZEH,AGYFTAKIS,SKOHL,SUPPORTREPLAY,P_PLW_TEMPLATE_USER,SUPPORT,DELIVERYMANAGER
[FINEST] 2024-04-17 13:08:01.868 [com.netiq.daas.daaservice.util.Transformation] [DAAS] ScriptEngine outputValue: [LALAZZEH,AGYFTAKIS,SKOHL,SUPPORTREPLAY,P_PLW_TEMPLATE_USER,SUPPORT,DELIVERYMANAGER]

After this change, I can see the assigned groups on the account in the IG catalog, but the permissions in the catalog do not show the assigned accounts!

This is quite strange, since the information regarding the assigned accounts is provided by list_of_users during the collection/publication of the permissions!

Is it possible to show the accounts assigned on a permission in catalog as well, or is it only possible to show the assigned users?

Kind regards

Thorsten

  • Verified Answer

    +1  

    Which version are you on?   

    It is possible in the catalog to see the relationship between a permission and an account as you've shown, but you _have_ to do it from the account object.  The permission object won't show you the holders of itself.  Note that the # Users column on permissions is referring to the count of identities that are either directly assigned to a permission or that are assigned through an account.  You can also use a governance insight query to show permission holders(account) as opposed to permission holders(user/identity).  That is a good method for seeing if your collection to pull in perms and link them to accounts worked, rather than relying on the catalog.

    The model you are trying to create is correct - accounts should map back to identities/users and permissions should map to the account.   In your CSV file it looks like multiple values are delimited by a comma.  This means the whole value for list_of_users must have a set of quotes around it, so the CSV collector parser knows that is to be treated as a set of multivalues.  You don't need to use brackets or convert to an array or anything.  If your delimiters and the quote character are set in the config to match what the CSV is doing you should be fine.  And since your accounts seem to link fine, I think that is all working.

    I *think* the issue you are having is the account objects aren't mapping to identities?  That's why the permissions appear to have 0 users/identities.

    I think you are pretty close to a working collector.   If you look at an identity that should have an account, is that shown in the catalog?  The AAB_Test account you show here doesn't have an identity tab, so he's not linked to anything.  That may be the problem.

    --Jim
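
As an added example (not part of the original posts and not Identity Governance code), this sketch shows the quoting point from the answer above and adds a reconciliation check that lists permission members matching no collected account. The column names other than list_of_users, the sample rows, and the choice of "," as both column and multi-value delimiter are assumptions.

```javascript
// Added illustration; not Identity Governance code. Assumes column delimiter ",",
// multi-value delimiter "," and quote character '"' (configurable in a real collector).

// Split one CSV line into columns, honouring quotes and "" escapes.
function splitCsvLine(line, delim = ',', quote = '"') {
  const cols = [];
  let cur = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (inQuotes) {
      if (ch === quote && line[i + 1] === quote) { cur += quote; i++; }
      else if (ch === quote) inQuotes = false;
      else cur += ch;
    } else if (ch === quote) inQuotes = true;
    else if (ch === delim) { cols.push(cur); cur = ''; }
    else cur += ch;
  }
  cols.push(cur);
  return cols;
}

// Parse permission rows and report members that match no collected account.
function checkPermissions(csvText, accountNames, memberCol = 'list_of_users') {
  const [headerLine, ...rows] = csvText.trim().split(/\r?\n/);
  const header = splitCsvLine(headerLine);
  const idx = header.indexOf(memberCol);
  if (idx < 0) throw new Error(`column ${memberCol} not found in header`);
  const known = new Set(accountNames);
  return rows.map((row) => {
    const cols = splitCsvLine(row);
    if (cols.length !== header.length) {
      // An unquoted member list spills into the following columns.
      return { row, error: `expected ${header.length} columns, got ${cols.length}` };
    }
    const members = cols[idx].split(',').map((m) => m.trim()).filter(Boolean);
    return { name: cols[0], members, unmatched: members.filter((m) => !known.has(m)) };
  });
}

// Constructed sample data (not taken from the thread).
const accounts = ['USER_A', 'USER_B', 'USER_C'];
const sample = [
  'group_name,list_of_users,description',
  'GRP_QUOTED,"USER_A,USER_B",quoted member list',
  'GRP_UNQUOTED,USER_A,USER_B,unquoted member list',
  'GRP_STALE,"USER_C,USER_X",one member has no account',
].join('\n');

console.log(JSON.stringify(checkPermissions(sample, accounts), null, 2));
```
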


    Hi Jim!

    Thanks for the very detailed answer!

    I was aware the #users refers to the linked identities/users, and this is working in my setup as expected.

    I was only unsure if IG would provide a permission to user mapping as well, but as you wrote, this is not the case.

    Finally, I am ending with a kind of top/down view showing all accounts and permissions linked to the user/identity!

    I believe you are right regarding the detection of multiple values (in this case accounts) when working with a CSV collector. In my case, I am working with a modified REST collector, which receives a CSV from the REST API for the given field. If I take this value as it comes along, the accounts are not linked with the permissions, and there is an error for each entry providing a value for this field. No matter if it contains only one value or a list of values.

    Using the transformation script of the field, I simply wrap the value this way:

    outputValue = '[' + inputValue + ']'

    After defining this "script" the collection/publication is working as expected!

    I am now considering adding the transformation to the getRestRessurce() function.

    Kind regards

    Thorsten