Symantec IGA


Can we assign a Provisioning Role to a user based on User AD Account's Group

  • 1.  Can we assign a Provisioning Role to a user based on User AD Account's Group

    Posted Feb 06, 2018 10:41 PM

    Dear Experts,

     

    Can we assign a Provisioning Role "P1" to an IDM User if that User's AD Account has access to AD Group "G1" after executing explore and correlation on AD Endpoint?

     

    Note: AD is our Trusted Source and all the IDM users will be created by executing the explore and correlation task on AD Endpoint.

     

    Please advise.

     

    Thanks,
    Narendra



  • 2.  Re: Can we assign a Provisioning Role to a user based on User AD Account's Group
    Best Answer

    Posted Feb 07, 2018 04:39 PM

    Just an Explore/Correlate would not result in a notification on which you could trigger a PX Policy. If running an Update as part of the Explore/Correlate, then that may result in a modify of the Provisioning Global User (depending on if there were any Endpoint Attribute Mappings involved).

     

    If there was such a modify of the Provisioning Global User then there would be a Modify_Global_User inbound notification which would get sent to the IM Server and would trigger a Provisioning Modify User task. You could then have PX Policy configured to run on that task where that PX Policy could try looking up the associated AD Account data and then take an action based on that.

     

    Now with all the above said, I am not sure if this is really the best approach as it may not be the most efficient. You may be better off with an out-of-band process that dumps data locally on the domain controller side and scrapes the data to determine what changes to apply and then submits those changes.
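
The "scrape the dump and determine what changes to apply" step from the answer above, as an added example that is not part of the thread or of the product. It assumes the dump is an LDIF-style export of group G1; every DN, user ID and role assignment is constructed, and the submit step is left out because the thread does not name the interface.

```python
import base64
GROUP_DN = "CN=G1,OU=Groups,DC=example,DC=com"  # constructed DN for group "G1"
_B64_DN = base64.b64encode("CN=Jos\u00e9 D\u00edaz,OU=Users,DC=example,DC=com".encode()).decode()
# Constructed sample dump (the LDIF layout is an assumption, not from the thread).
SAMPLE_LDIF = (
    f"dn: {GROUP_DN}\n"
    "member: CN=Alice Smith,OU=Users,DC=example,DC=com\n"
    "member: CN=Bob Jones,OU=Users,DC=exam\n"
    " ple,DC=com\n"                 # folded continuation of the previous line
    f"member:: {_B64_DN}\n"         # base64-encoded value (non-ASCII DN)
    "\ndn: CN=G2,OU=Groups,DC=example,DC=com\n"
    "member: CN=Carol White,OU=Users,DC=example,DC=com\n"
)
# Constructed correlation data: AD account DN (lower case) -> IDM user id.
CORRELATED = {f"cn={n},ou=users,dc=example,dc=com": u for n, u in [
    ("alice smith", "asmith"), ("bob jones", "bjones"),
    ("jos\u00e9 d\u00edaz", "jdiaz"), ("carol white", "cwhite")]}
ROLE_HOLDERS = {"asmith", "cwhite"}  # constructed: users holding role "P1" today

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def group_members(ldif_text, group_dn):
    """Return the lower-cased member DNs of group_dn, ignoring other entries."""
    members, in_group = set(), False
    for line in unfold(ldif_text):
        attr, _, value = line.partition(":")
        if value.startswith(":"):   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            in_group = value.lower() == group_dn.lower()
        elif in_group and attr == "member":
            members.add(value.lower())
    return members

def role_delta(members, correlated, role_holders):
    """Return (user ids to grant the role, user ids to revoke it from)."""
    entitled = {uid for dn, uid in correlated.items() if dn.lower() in members}
    return sorted(entitled - role_holders), sorted(role_holders - entitled)
```

The revoke list is the half that is easy to forget: without it, a user removed from G1 keeps P1 until someone notices.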