Symantec IGA

  • 1.  How we can provision user in different ou in AD endpoint?

    Posted Aug 08, 2018 02:29 PM

    Hi Friends, 

     

    Can anyone help me understand how to provision users in different OUs?

     

    We have an AD endpoint, and in AD we have 7 to 8 containers. Can we define 5 provisioning roles corresponding to each container using one Endpoint and one account template?

     

    I am looking for a detailed explanation or a related document.

     

    Thanks! Alok



  • 2.  Re: How we can provision user in different ou in AD endpoint?

    Broadcom Employee
    Posted Aug 08, 2018 03:05 PM

    Hi

     

    You have multiple options here:

     

    Option 1:

    Create separate provisioning roles and account templates. The account template will have the specific OU set. You can then create logic in CAIM that will assign the right provisioning role to the user. The problem here is that this is not a scalable solution. You might have 7-8 OUs now, but how many of those will you have in the future?

     

    Option 2:

    Provision the AD account to a default location and then use PX logic to move the account to the right location. This is a scalable solution, as you can create an external decision table and then use the PX to get the right location and then just move the AD account to the right location.

     

    It is very important to note that once you create an account using a birthright template, if you assign another template to the account which has a different OU in it, the account will not move to the other OU. Only the PX type "Move Account" or a manual move operation in the console will work.

     

    Hope this helps

     

    Itamar



  • 3.  Re: How we can provision user in different ou in AD endpoint?

    Broadcom Employee
    Posted Aug 08, 2018 03:14 PM

    Can you send me a screenshot of what your Active Directory looks like with the multiple containers, so I can see where you want the data to go and I can replicate it on my side?

    Just to make sure we are talking about the same structure and I give you the best possible answer.



  • 4.  Re: How we can provision user in different ou in AD endpoint?

    Posted Aug 08, 2018 03:34 PM

    I ran correlate global users after selecting 5 containers from the AD endpoint settings.

     

    Now in the account template's container I can see 5 OUs. But I need one distinct one in each of the 5 account templates.

     

    Can we have a quick call?

     




  • 5.  Re: How we can provision user in different ou in AD endpoint?
    Best Answer

    Broadcom Employee
    Posted Aug 08, 2018 07:31 PM

    You can achieve this using 1 role and 1 template. All you need to do is add conditions in the user name field.

     

    Example:

    Map the user store attribute which drives your business logic to one of the provisioning store attributes.

    In the Account Template, in the container tab, in User Account Filter, you can apply the conditions for each OU.

    Ex: eTCustomField14=WorkDay;eTADSOrgUnitName=Employees;eTCustomField14=Beeline;eTADSOrgUnitName=Contractors-TIPP;



  • 6.  Re: How we can provision user in different ou in AD endpoint?

    Posted Aug 09, 2018 01:26 AM

    Wow! It's so easy. So we just have to put the condition in the filter and select the container available on the right-hand side.

     

    Great, it's working super.

     

    Thanks! Alok