Symantec IGA

  • 1.  Multiple provisioning role for Connector Xpress account

    Posted Oct 30, 2015 04:01 AM

    Hi all,

In order to manage a custom endpoint in our IdM environment, we implemented a generic connector using the Connector Xpress framework.

    From the technical point of view, this endpoint is composed of a set of database tables; here are their structure and relationships:

    • Table_1: contains users' accounts
    • Table_2: contains the first kind of privilege used by the custom application (we'll call them Privilege_1)
    • Table_2_M: contains the relationship between accounts and Privilege_1 (this is a membership table)
    • Table_3: contains the second kind of privilege used by the custom application (we'll call them Privilege_2)
    • Table_3_M: contains the relationship between accounts and Privilege_2 (this is a membership table)

     

    We successfully created the connector with Connector Xpress, deployed it in Provisioning Server, enabled/imported it in the IdM environment (using Management Console).

After that we created the following IdM objects (using the IdM User Web Interface):

    • Endpoint
    • Explore & Correlate Definition (and executed it)
    • Two Account Templates for testing purpose (we'll call them AC_1 and AC_2)
• Two Provisioning Roles for testing purpose (we'll call them PR_1 and PR_2)

     

    AC_1 contains the following privileges:

    • Privilege_1_A
    • Privilege_1_B
    • Privilege_2_A

     

    AC_2 contains the following privileges:

    • Privilege_1_C
    • Privilege_1_D
    • Privilege_2_C

     

    PR_1 contains AC_1 while PR_2 contains AC_2.

     

    # SCENARIO_1

Assigning provisioning role PR_1 to an identity ID_1, CA IdM creates the account Account_1 on the target system with the relative privileges (Privilege_1_A, Privilege_1_B and Privilege_2_A).

     

    # SCENARIO_2

Assigning provisioning role PR_2 to an identity ID_2, CA IdM creates the account on the target system with the relative privileges (Privilege_1_C, Privilege_1_D and Privilege_2_C).

    So far, so good, but....

     

    # SCENARIO_3

When I assign PR_2 to ID_1, IdM does not add the AC_2 privileges to the existing account Account_1.

     

Please note that if I perform the same use-cases using an Active Directory endpoint, the account privileges are correctly updated after SCENARIO_3.

    Any idea? What's wrong with what I am doing with Connector Xpress?

     

    Thanks in advance,

    Daniele



  • 2.  Re: Multiple provisioning role for Connector Xpress account

    Posted Nov 02, 2015 01:10 AM

    Hi Daniele,

When you define/select an attribute in Connector Xpress, by default it is always a "noncapability" attribute. You need to use the edit metadata and select capability attributes.

    Capability attributes are mainly used for group membership objects, where the value of this attribute will increase/decrease on adding/removing account templates.

    Noncapability attributes are used for Full Name, First Name, Last Name, Department...

     

Refer to Chapter 4: Connector Xpress Utilities, page 109:

    • All capability attributes (for example, eTDYN-str-multi-ic-, eTDYN-str-ic-, eTDYN-str-c-, eTDYN-bool-c-, eTDYN-int-multi-c-, eTDYN-int-c-) are extended to 99, with the exception of the multivalued case-sensitive attributes (eTDYN-str-multi-c-), which are extended to 500.
    • The noncapability multivalued case-sensitive or case-insensitive attributes (for example, eTDYN-str-multi-, eTDYN-str-multi-i-) are extended to 500.

     

     

Another thing: you may consider turning on "Strong Sync" in the account templates. In a situation where a user is assigned PR_1 & PR_2 and you remove PR_2, the privileges associated with PR_2 will not be removed. You need to turn on "Strong Sync" on the account templates. When this is turned on and the PR_2 role is removed, the associated privileges (based on the account template) will be removed.

     

    regards,

    William



  • 3.  Re: Multiple provisioning role for Connector Xpress account

    Posted Nov 02, 2015 04:57 AM

    Hi William,

    first of all thanks for your reply.

     

About the capability attribute metadata property: should it be set on the account virtual attribute that contains privileges (created during association configuration - image1) or on the privilege class attribute (image2)?

    Should I change the attribute name in the metadata definition (from "eTDYN-str-multi-04" to "eTDYN-str-multi-c-01" - image3)?

     

    Thanks in advance,

    Daniele

     

Attachments: image1.png, image2.png, image3.png



  • 4.  Re: Multiple provisioning role for Connector Xpress account
    Best Answer

    Posted Nov 02, 2015 07:27 PM

Using image3, change it to eTDYN-str-multi-ic-01.

    "i" means ignore case. Then export the XML and import it again.

    The attribute that you should change is the attribute that stores the user's privileges.
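
The following is an added example for this thread, not code from Connector Xpress, CA IdM or any poster. It parses eTDYN attribute names into their parts (type, multivalued, ignore-case "i", capability "c", slot number), checks whether an attribute used to store an account's privileges is a capability attribute, and produces the capability form of a name the way the accepted answer does (eTDYN-str-multi-04 to eTDYN-str-multi-ic-01). Assumptions: the name grammar is generalised from the attribute names quoted in the thread; the slot limits 99/500 are the figures from the guide passage quoted above, and the limit of 99 for single-valued noncapability attributes is an assumption the thread does not state; the function and class names are the example's own.

```python
"""Parse and sanity-check Connector Xpress dynamic (eTDYN) attribute names.

Added example for this thread, not code from Connector Xpress or CA IdM.
Assumptions: the name grammar below is generalised from the attribute
names quoted in the thread (eTDYN-str-multi-04, eTDYN-str-multi-ic-01,
eTDYN-bool-c-, ...); the slot limits 99 / 500 are the figures quoted from
the Connector Xpress guide; the 99 limit for single-valued noncapability
attributes is an assumption the thread does not state.
"""
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# eTDYN-<type>[-multi][-<flags>]-<NN>; flags: i = ignore case, c = capability
_ETDYN = re.compile(
    r"^eTDYN-(?P<vtype>str|int|bool)"
    r"(?P<multi>-multi)?"
    r"(?:-(?P<flags>ic|i|c))?"
    r"-(?P<index>\d{2,3})$"
)


@dataclass(frozen=True)
class EtdynAttribute:
    vtype: str          # str, int or bool
    multi: bool         # multivalued attribute
    ignore_case: bool   # "i" flag
    capability: bool    # "c" flag: values are merged across account templates
    index: int          # numbered slot (01, 02, ...)

    @property
    def slot_limit(self) -> int:
        """Highest slot number for this attribute family (figures from the guide
        passage quoted in the thread; 99 for single-valued noncapability
        attributes is an assumption)."""
        if self.capability:
            multi_case_sensitive = self.multi and self.vtype == "str" and not self.ignore_case
            return 500 if multi_case_sensitive else 99
        return 500 if self.multi else 99

    @property
    def name(self) -> str:
        """Rebuild the attribute name from its parts."""
        flags = ("i" if self.ignore_case else "") + ("c" if self.capability else "")
        parts = ["eTDYN", self.vtype]
        if self.multi:
            parts.append("multi")
        if flags:
            parts.append(flags)
        parts.append(f"{self.index:02d}")
        return "-".join(parts)


def parse_etdyn(name: str) -> EtdynAttribute:
    """Parse a name such as eTDYN-str-multi-ic-01; raise ValueError if malformed
    or if the slot number is outside the documented range."""
    m = _ETDYN.match(name)
    if not m:
        raise ValueError(f"not an eTDYN attribute name: {name!r}")
    flags = m.group("flags") or ""
    attr = EtdynAttribute(
        vtype=m.group("vtype"),
        multi=m.group("multi") is not None,
        ignore_case="i" in flags,
        capability="c" in flags,
        index=int(m.group("index")),
    )
    if not 1 <= attr.index <= attr.slot_limit:
        raise ValueError(f"{name}: slot {attr.index} outside 1..{attr.slot_limit}")
    return attr


def privilege_attribute_problems(name: str) -> List[str]:
    """Checks for an attribute meant to hold an account's privileges.

    The thread's point: a privilege (membership) attribute must be a capability
    attribute, otherwise a second provisioning role's account template does not
    add its privileges to an existing account (SCENARIO_3 in the question)."""
    attr = parse_etdyn(name)
    problems = []
    if not attr.capability:
        problems.append("noncapability attribute: privileges from additional "
                        "account templates are not merged into existing accounts")
    if not attr.multi:
        problems.append("single-valued attribute cannot hold a list of privileges")
    return problems


def as_capability(name: str, index: Optional[int] = None, ignore_case: bool = True) -> str:
    """Capability form of a privilege attribute name, as in the accepted answer
    (eTDYN-str-multi-04 -> eTDYN-str-multi-ic-01). The target slot is the
    administrator's choice, so it is a parameter; None keeps the current slot."""
    attr = parse_etdyn(name)
    fixed = replace(attr, capability=True, ignore_case=ignore_case,
                    index=attr.index if index is None else index)
    return fixed.name


if __name__ == "__main__":
    for n in ("eTDYN-str-multi-04", "eTDYN-str-multi-ic-01"):
        print(n, privilege_attribute_problems(n) or "ok")
    print(as_capability("eTDYN-str-multi-04", index=1))
```

Running the script reports the original eTDYN-str-multi-04 as a noncapability attribute and eTDYN-str-multi-ic-01 as clean; the renamed form has to be exported and re-imported in Connector Xpress as the answer describes, which this script does not do.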



  • 5.  Re: Multiple provisioning role for Connector Xpress account

    Posted Nov 04, 2015 05:36 AM

    Hi William,

    Thank you very much for your info; it has worked perfectly.

     

    Regards,

    Daniele