We are having some issues with getting IBM identity manager to work efficiently with CA Top Secret. This product does automatic role provisioning and has an adapter that sends commands to Top Secret. Has anybody else used this product?
I have some experience with ITIM/ISIM. I can see there is an adapter for CA Top Secret available; I have no experience with this particular adapter. What is the problem?
The problem seems to be the performance of the adapter, or the “configuration” of Top Secret when using it. We have done some work with ISIM to provision or manage some users. When ISIM adds a profile to a user, it appears that it removes all existing profiles, adds them back on, and then adds on the new profile. It also appears to do this one at a time. Our log / audit / change files are not sized for this kind of activity. We are not using the LDAP interface. Maybe this would be a better solution?
You may need to ask IBM support for assistance. I experienced similar issues with the AD adapter. Maybe this excerpt from IBM developerWorks will help:
By default, in the AD Service Profile, the "erGroup" attribute is configured as REPLACE for Modify operation. This means when the Groups list of an existing AD Account is modified, it will send REPLACE command to agent and agent will replace the existing Groups of that account with the new list. This will cause existing groups added on resource side to be deleted from account. To avoid this from happening, you have to configure the "erGroup" attribute to send "ADD | DELETE" commands instead of REPLACE. To do this you have to remove the erGroup attribute from the AD Service Profile attribute "erOpMultiReplace" directly in LDAP under "ou=serviceProfile,erobjectprofilename=ADProfile". You may restart ITIM once for the LDAP changes to take effect.
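The two update modes contrasted in the quoted excerpt, and the change-log volume reported earlier in the thread, as an added Python model that is not part of the thread and not IBM or CA code. The operation tuples and profile names are constructed for illustration and are not real adapter or Top Secret commands.

```python
# Constructed model: operation tuples and profile names are illustrative only,
# not real adapter or Top Secret commands.

def replace_style_ops(on_resource, desired):
    """REPLACE: strip every membership on the account, then re-add the desired list."""
    return [("DELETE", m) for m in on_resource] + [("ADD", m) for m in desired]

def delta_style_ops(last_known, desired):
    """ADD | DELETE: emit only the differences from what the identity manager last knew."""
    known, wanted = set(last_known), set(desired)
    return ([("DELETE", m) for m in last_known if m not in wanted]
            + [("ADD", m) for m in desired if m not in known])

def apply_ops(on_resource, ops):
    """Apply operations to a copy of the resource-side list; one op = one audit record."""
    state = list(on_resource)
    for verb, member in ops:
        if verb == "DELETE" and member in state:
            state.remove(member)
        elif verb == "ADD" and member not in state:
            state.append(member)
    return state

def compare(last_known, on_resource, desired):
    """Return (operation count, final memberships) for each mode."""
    rep = replace_style_ops(on_resource, desired)
    dlt = delta_style_ops(last_known, desired)
    return {"replace": (len(rep), apply_ops(on_resource, rep)),
            "delta": (len(dlt), apply_ops(on_resource, dlt))}

# Constructed sample: five profiles known to the identity manager, one added
# directly on the resource, and a request to add a sixth.
LAST_KNOWN = ["PROF01", "PROF02", "PROF03", "PROF04", "PROF05"]
ON_RESOURCE = LAST_KNOWN + ["LOCALONLY"]
DESIRED = LAST_KNOWN + ["PROF06"]

if __name__ == "__main__":
    for mode, (count, final) in compare(LAST_KNOWN, ON_RESOURCE, DESIRED).items():
        print(f"{mode:8s} ops={count:2d} final={final}")
```

In this model the replace mode writes twelve audit records and drops the membership that was added on the resource side, while the delta mode writes one record and leaves it in place.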