Symantec IGA


Is there any utility which can be used to generate provisioning data out of CORP store data??

  • 1.  Is there any utility which can be used to generate provisioning data out of CORP store data??

    Posted Aug 06, 2018 03:13 AM

    Is there any utility which can be used to generate provisioning data out of CORP store data??

     

    We are looking for a way to migrate hundreds of thousands of users from the existing identity system to the new CA system with provisioning.

     

    We have the ISIM Identity Management System, using ODSEE as the user store. Now the requirement is to move the identity system from IBM to CA Identity Manager.

     

    Migrating ODSEE users to the CA corp store of CA Identity Manager is quite easy and was done without any issue. Now the next challenge is to move that data into the provisioning store, as all of this data is provisioned to an Active Directory endpoint.

     

    Is there any utility which can be used to generate provisioning data out of CORP store data??

     

    Your help will be highly appreciated. 

     

    Thanks! Alok



  • 2.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Broadcom Employee
    Posted Aug 06, 2018 09:29 AM

    Hi Alok,

     

    There is no specific utility to deal with this.

    However, if you configure some Identity policy or Policy Xpress to take care of it, you will be able to accomplish that.
    For both, you will need a new attribute that will hold a list of provisioning roles (either multi-valued or a single delimited value).

    For Identity policy, you can create an Identity policy that will be triggered upon the new provision roles attribute change and will assign the provision roles based on that attribute.

    For Policy Xpress, you can create a PX that will take the value from that attribute and will assign the provisioning roles to that user.

    With those mechanisms IM outbound sessions will create associated global users into the provisioning store and related accounts on the endpoint(s) based on the role/template assignment(s).

     

    Regards,

    Philippe.



  • 3.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Posted Aug 06, 2018 01:36 PM

    Sorry, I missed mentioning this: as I said, we are migrating users from the existing IDM system to a new one, which is on CA.

     

    The endpoint accounts already exist, so we don't need global-user reflection at the endpoint. And the way it would be handled through PX will be a little bulky. Rather, I was looking for something which can directly convert CORP store data to provisioning syntax, so the same can be loaded through the provisioning server.

     

    Thanks! Alok 



  • 4.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Broadcom Employee
    Posted Aug 07, 2018 04:19 AM

    Hi Alok,

    Assigning a Provisioning Role (PR) to an IM corporate user that had no PR until now will cause a Global User creation on the Provisioning side (outbound session).

    This PR can be a dummy one, I mean without any endpoint account template included.

    So you can create an Identity policy that will be triggered upon a custom attribute change for a set of users and will assign this dummy PR for those users.

    Regards,

    Philippe.

     



  • 5.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Broadcom Employee
    Posted Aug 07, 2018 05:02 PM

    You can use "etautil" to load data into the Provisioning Server. Make sure to turn off inbound sync during the initial load, or you will flood your IM task persistence database with lots of unnecessary task messages. This can be more efficient than making the changes on the front-end IM server and relying on PX to trigger something that results in a user created in the Provisioning Server.

     

    There is no tool to directly translate from the Corp Dir to the provisioning Dir. But once you have defined your attribute mapping between corp and prov dir, you could use some ETL tool to obtain the data from the Corp Dir via LDAP search and then format it into a set of etautil commands in a file (I have used Pentaho Data Integration in the past for this, but any tool or scripting language will do). etautil should then load the commands from file, as this is more efficient than calling each etautil script individually.

     

    Unfortunately there's not much documentation around about etautil. You may find some examples on this forum.



  • 6.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Posted Aug 08, 2018 02:12 PM

    Thanks a lot, Kennedy. I will try the way you suggested over the weekend and will update you. And for data transformation we can even use a Java program, correct? Let me know if that way is going to work.



  • 7.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Posted Aug 17, 2018 02:54 AM

    Hi Kennedy,

     

    I am trying to use etautil to import data, but it is failing with an unexpected error.

     

     

    etautil -d im -u etaadmin -p ****** add -f user.ldif

     


    Here is the user.ldif


    -----------------------------------


    dn: eTGlobalUserName=idmtest3,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta
    objectClass: eTGlobalUser
    objectClass: eTGlobalUserEx
    objectClass: top
    eTFirstName: idmtest3
    eTFullName: idmtest3
    eTGlobalUserName: idmtest3
    eTHidefromABEXC: 0
    eTIMEnabledState: 16777216
    eTLastName: idmtest3
    eTRoleDN: eTRoleName=AD_TEST_PROVISIONING_ROLE,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im
    eTUserid: idmtest3

     


    Error message:


    End of file reached while expecting a keyword Fri Aug 17 05:54:23 2018

     


    Please suggest if something has been missed from my end.

     

     

    Thanks! Alok



  • 8.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Broadcom Employee
    Posted Aug 19, 2018 04:56 PM

    You'll find full etautil documentation in the old "CA Admin" documents, which are accessible from here. In particular, check out chapter 9 of the Administrator Guide.

     

    Pearse



  • 9.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Posted Aug 22, 2018 06:28 AM

    Thanks a lot, Pearse. I tried all the options available, but none worked. Do you have an example handy? Would you please paste it here?

     

    Regards! Alok



  • 10.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Broadcom Employee
    Posted Aug 23, 2018 03:31 AM

    Hi Alok

     

    Here's an example I found in my notes from a previous project. I haven't tested it so not sure if it is exactly correct.

     

    etautil -d im -u etaadmin -p <password> ^
    add 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser ^
    eTGlobalUserName='xyz123'  ^
    eTFullName='Aldo Gomez'  ^
    eTCustomField04='Active'  ^
    eTFirstName='Aldo'  ^
    eTLastName='Gomez'  ^
    eTCustomField22='Gomez, Aldo (Contractor)'  ^
    eTCustomField10='Mexico City'  ^
    eTCountry='MX'  ^
    eTCustomField17='AMERICAS'  ^
    eTEmailAddress='Aldo.Gomez@company.com'  ^
    eTPassword='nmCz7nbne'

     

     

    As stated in my previous post, it's more efficient to use the -f option and have the actual command in a file. Something like:

    etautil -d im -u etaadmin -p <password> -f users-to-load.txt

    Again, please confirm the syntax, this is just from memory.

     

    And if you have non-ASCII characters in the names, please double-check the encoding you use when saving the file and from the command prompt. From my notes, the first thing we typed on the command prompt was "chcp 65001". I think this was sufficient for all western European characters.

     

    Pearse
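
    As an added example that is not from this thread or from CA/Broadcom: a small Python script for the ETL step Kennedy describes (corp-dir entries in, etautil "add" commands out), written in the command syntax Pearse posted. The corp-to-eT attribute mapping, the sample LDIF export and the one-command-per-line file layout are assumptions; the quoting rule for values containing a single quote is not documented here, so such values are rejected rather than guessed at.

```python
# Constructed sample corp-store (ODSEE) export as LDIF; not real data.
CORP_LDIF = """\
dn: uid=agomez,ou=People,dc=corp,dc=example
uid: agomez
givenName: Aldo
sn: Gomez
cn: Aldo Gomez
mail: Aldo.Gomez@company.com
c: MX
"""

# Assumed corp-to-provisioning attribute mapping; adjust to your own schema.
ATTR_MAP = {"uid": "eTGlobalUserName", "givenName": "eTFirstName", "sn": "eTLastName",
            "cn": "eTFullName", "mail": "eTEmailAddress", "c": "eTCountry"}
GU_CONTAINER = "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects"

def parse_ldif(text):
    """Minimal reader: blank-line-separated entries of plain 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur.setdefault(attr, []).append(value)
    return entries

def quote(value):
    # The example single-quotes values; the escape rule for an embedded quote is
    # not documented here, so refuse such values rather than guess at it.
    if "'" in value:
        raise ValueError("value contains a single quote: %r" % value)
    return "'%s'" % value

def etautil_add(entry):
    """Render one 'add' command for a global user. No eTPassword is emitted: the
    corp store holds one-way hashes that the provisioning server cannot use."""
    parts = ["add", quote(GU_CONTAINER), "eTGlobalUser"]
    for corp_attr, et_attr in ATTR_MAP.items():
        if corp_attr in entry:
            parts.append("%s=%s" % (et_attr, quote(entry[corp_attr][0])))
    return " ".join(parts)

def build_command_file(ldif_text):
    """One command per line, to load with: etautil -d im -u etaadmin -p <password> -f <file>"""
    return "".join(etautil_add(e) + "\n" for e in parse_ldif(ldif_text))
```

    Write the output file as UTF-8 to match the "chcp 65001" code page mentioned above, and turn off inbound sync before loading it, as Kennedy notes.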



  • 11.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Posted Aug 28, 2018 08:42 AM

    Thanks Pearse, it worked. Is there any way I can use the same hashed password from the corp store in the provisioning store?



  • 12.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Broadcom Employee
    Posted Aug 29, 2018 05:09 AM

    No, there is no real way of using the passwords from the corp store. As you say, they are one-way hashed, whereas the provisioning server needs an encrypted copy of the password, which it can decrypt if it needs to provision a new account to the endpoint.

    For existing users in a migration, it shouldn't matter, as they should already have all the accounts that they need. If and when the user changes their password on the IM front end, this change will then be propagated to the provisioning server.



  • 13.  Re: Is there any utility which can be used to generate provisioning data out of CORP store data??

    Posted Aug 29, 2018 07:16 AM

    Thanks for the help, Pearse; we were able to achieve our goal. I am going to write a detailed document on it and submit it to the CA community.

     

     

    With Regards!

    Alok Kumar


    Identity And Access Management


    Ameriprise Financial
