Labels

Application security 245
Data Privacy and Protection 221
Identity & Access Mgmt 544
Other 2
Security 152
Security Events 32
Security Operations 164
UEBA 116

Popular Tags

  • Views 522 Views
  • Comments 1 Comment
Related Content
Cybersecurity Blog
2 minute read time

Using Mapping Tables in IDM to Set User Destinations

by in Cybersecurity

Problem



A Forum reader recently asked:



"I'm trying to use mapping tables in IDM to set a user's destination OU on creation, based on a user attribute. I think I can create a mapping table with two columns, one which contains the values of the user attribute that hold a site reference, code and the other the base OU for user placement.



However, it's not obvious how to make this work. Does the source column have to have the same name as the user attibute (NERCLocation)? Does it then look up the value of the NERCLocation attribute and put that value into the OU?



What I need to do is have a placement rule that can look at the value of the user attribute, NERCLocation, do a mapping table lookup to get an OU name and put this into the destination OU string e.g.

ou=active,ou=<looked up from table>, ou=users,o=jrc


Am I on the right lines?"



And here's the response from David Gersic ...



Solution



Here's a sample policy I came up with during the IDM 3.5 beta. This is from my PeopleSoft HR driver, and the point is to take the "departmentNumber" attribute and use it to look up a default value for the "telephoneNumber", via a Mapping Table.



<?xml version="1.0" encoding="UTF-8<policy>
 <rule>
  <description>Add Department Phone Number</description>
  <conditions>
   <and>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
   </and>
  </conditions>
  <actions>
   <do-add-dest-attr-value name="Telephone Number">
    <arg-value>
     <token-map dest="Default Phone Number" src="Department Number"
table="\[root]\niu\IDM\Policy and Data Library\Department Data Mapping
Table">
      <token-op-attr name="departmentNumber"/>
     </token-map>
    </arg-value>
   </do-add-dest-attr-value>
  </actions>
 </rule>
</policy>


The table itself looks like this:



<?xml version="1.0" encoding="UTF-8"?><mapping-table>
<col-def name="Department Number" type="nocase"/>
<col-def name="MAD Win2K Placement" type="nocase"/>
<col-def name="MAD NIUNT Placement" type="nocase"/>
<col-def name="eDir NIU-Development Placement" type="nocase"/>
<col-def name="eDir NIU Placement" type="nocase"/>
<col-def name="Default Phone Number" type="nocase"/>
<row><col>BA00000</col>

<col>OU=Provost,OU=AcadDiv,OU=DK,DC=Win2K,DC=niu,DC=edu</col>

<col>OU=Provost,OU=AcadDiv,OU=DK,DC=NIUNT,DC=niu,DC=edu</col>
<col>O=NIU\OU=DK\OU=AcadDiv\OU=Provost</col>
<col>O=NIU\OU=DK\OU=AcadDiv\OU=Provost</col>
<col>815-753-8387</col>
</row>
<row><col>BB00000</col>

<col>OU=AsPrRsP,OU=AsstProv,OU=AcadDiv,OU=DK,DC=Win2K,DC=niu,DC=edu</col>

<col>OU=AsPrRsP,OU=AsstProv,OU=AcadDiv,OU=DK,DC=NIUNT,DC=niu,DC=edu</col>
<col>O=NIU\OU=DK\OU=AcadDiv\OU=AsstProv\OU=AsPrRsP</col>
<col>O=NIU\OU=DK\OU=AcadDiv\OU=AsstProv\OU=AsPrRsP</col>
<col>815-753-8387</col>
</row>
<row><col>BD00000</col>

<col>OU=FacDvlIn,OU=AcadDiv,OU=DK,DC=Win2K,DC=niu,DC=edu</col>

<col>OU=FacDvlIn,OU=AcadDiv,OU=DK,DC=NIUNT,DC=niu,DC=edu</col>
<col>O=NIU\OU=DK\OU=AcadDiv\OU=FacDvlIn</col>
<col>O=NIU\OU=DK\OU=AcadDiv\OU=FacDvlIn</col>
<col>815-753-0595</col>
</row>
<row><col>BF00000</col>
<col>OU=HE,DC=Win2K,DC=niu,DC=edu</col>
<col>OU=HE,DC=NIUNT,DC=niu,DC=edu</col>
<col>O=NIU\OU=HE</col>
<col>O=NIU\OU=HE</col>
<col>815-753-8850</col>
</row>
</mapping-table>


Just be sure that your OU format is correct for whichever driver you're putting this in.



The magic in the above policy is contained in these two lines:



     <token-map dest="Default Phone Number" src="Department Number"
table="\[root]\niu\IDM\Policy and Data Library\Department Data Mapping
Table">
      <token-op-attr name="departmentNumber"/>


Breaking it down, token-map has:



  • dest= The name of the column in the table that you want it to look up and return the value of (i.e., get me this from the table).

  • src= The name of the column in the table that you want to use as the index (i.e., look up this thing).

  • table= The slash format DN for the table object


Then, to specify the lookup data, use token-op-attr to pull data from the current document being processed. The result is to take the value of departmentNumber and use it as the lookup in to the table, to return the default phone number.



I'd probably put the full text value of the DN in the table, but I don't see why you couldn't do what you're saying here as well. Do the table lookup to get your <looked up from table> value, then reformat the operation attribute to build the rest of the string there.

Labels:

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.