Symantec IGA

  • 1.  ModifyProvisioningActivityEvent

    Posted Jan 21, 2019 07:54 AM

    Please let me know if anyone has already worked on this type of use case.

    We are provisioning users on an AD endpoint (consider it the XYZ AD endpoint) using CA IDM Provisioning. Now my organization has moved all the users from the old XYZ AD endpoint to a new endpoint, i.e. the ABC AD endpoint, and for some of the users they have also changed the sAMAccountName.

    Now I need to unlink users from the XYZ endpoint and link them with the ABC AD endpoint.

    I have tried the steps below.

    1. Provisioning Manager --> End Points --> Created New End Point --> First ran Explore End Point, then Correlate End Point using "Use Existing Global user".

    2. I can see all the users who were migrated from XYZ to ABC.

    3. I searched for the user on the ABC endpoint --> Copy Objects --> Paste objects on the Global user.

    4. When I checked List accounts, it showed the account as well.

    5. Assigned the Provisioning Role using the CA Identity Manager console, and then I searched for the user and am able to see the details on the Global user and able to list the account, same as above.

    6. But I observed that Provisioning Manager deleted the existing account which was already available on the ABC AD endpoint and then created a new account, but here I need to link with the existing account which is available on the ABC endpoint.

    Please let me know the steps to achieve this use case.



  • 2.  Re: ModifyProvisioningActivityEvent
    Best Answer

    Posted Jan 23, 2019 11:44 AM

    If I understand correctly you have two AD endpoints (XYZ and ABC). You should be running an Explore on both of the endpoints. The Explore would see the account no longer exists on XYZ endpoint and so the account reference object and the inclusion object linking that account to the Provisioning user would also be removed. The Explore of the ABC endpoint would find the account and a Correlate of the ABC endpoint should link the account to the Provisioning user assuming the correlation criteria finds a single match.

     

    You would also need to review your AD account templates and the provisioning roles to be sure that the Provisioning users have roles/templates which point to the new ABC endpoint and do not still point to the XYZ endpoint, or else the Provisioning Server will view the XYZ account as missing and try to recreate it, and view the ABC account as extra and try to remove it.

     

    Lastly, if the sAMAccountName value/format is different on the ABC endpoint than on the XYZ endpoint, you will need to review what impact that would have on any AD account templates and/or custom correlation rules and make adjustments as necessary.
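
An added example, not part of the thread and not CA/Symantec code: a Python dry run over exported user and account lists that models the "single match" condition the answer mentions, so renamed sAMAccountName values that match nothing or match ambiguously can be found before running Correlate. The attribute names, rule order and sample data are assumptions; the product's own correlation logic may differ.

```python
# Added illustration: models a "single match" correlation pass offline.
# Attribute names, rule order and all data below are constructed assumptions.

GLOBAL_USERS = [
    {"name": "jdoe", "mail": "jdoe@example.com"},
    {"name": "asmith", "mail": "asmith@example.com"},
    {"name": "bwong", "mail": "bwong@example.com"},
    {"name": "bwong-adm", "mail": "bwong@example.com"},
    {"name": "clee", "mail": "clee@example.com"},
]
ABC_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "a.smith", "mail": "asmith@example.com"},  # renamed
    {"sAMAccountName": "b.wong", "mail": "bwong@example.com"},    # renamed
    {"sAMAccountName": "svc_backup", "mail": ""},
]
# Hypothetical rule order: (account attribute, global user attribute)
RULES = [("sAMAccountName", "name"), ("mail", "mail")]


def dry_run_correlate(users, accounts, rules=RULES):
    """Classify each endpoint account by how many global users it matches."""
    linked, ambiguous, unmatched = {}, {}, []
    for acct in accounts:
        acct_id = acct["sAMAccountName"]
        for acct_attr, user_attr in rules:
            value = (acct.get(acct_attr) or "").lower()
            if not value:
                continue  # empty attribute cannot be used as a match key
            hits = [u["name"] for u in users
                    if (u.get(user_attr) or "").lower() == value]
            if len(hits) == 1:
                linked[acct_id] = hits[0]
                break
            if len(hits) > 1:
                ambiguous[acct_id] = hits  # needs a tighter rule or manual link
                break
        else:
            unmatched.append(acct_id)  # no rule produced a match
    no_account = sorted({u["name"] for u in users} - set(linked.values()))
    return {"linked": linked, "ambiguous": ambiguous,
            "unmatched": unmatched, "users_without_account": no_account}


if __name__ == "__main__":
    for bucket, items in dry_run_correlate(GLOBAL_USERS, ABC_ACCOUNTS).items():
        print(f"{bucket}: {items}")
```

Accounts in the ambiguous and unmatched buckets are the ones to resolve, by adjusting the correlation rule or linking manually, before role and template changes are applied.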



  • 3.  Re: ModifyProvisioningActivityEvent

    Posted Jan 27, 2019 12:03 AM

    Dear KennyV,

     

    Thanks for providing comments. It worked. Now I am able to link all the users using Explore / Correlate.