IDM IG Integration

The scenario is this:

1. Created and read an application from Active Directory with a standard AD Collector, both groups and accounts

2. Configured the application for Identity Manager Sync under Fulfillment Information in Identity Governance and picked a custom-made Resource Provisioning Workflow. This custom-made workflow is designed to use the value of the resource that is going to be created in IDM by this same configuration, and submit it to another resource configured with the default group entitlement for the Active Directory Driver in IDM.

Problem: The default group entitlement policies in the Active Directory Driver are constructed using the ID and ID2 elements, where ID is the association of the group and ID2 is the DN of the group in Active Directory. However, the values synced from Identity Governance to the resources in IDM only have the DN of the groups in Active Directory. I can go ahead and pick up the same entitlement information that is valid for the group entitlement in the Active Directory driver by different methods, but I'm a bit curious about how this is supposed to work.

Are we supposed to deal with different types of (structural) entitlement information when integrating IG and IDM permissions? And how is the idea of utilizing the Identity Manager Synchronization feature in Identity Governance implemented in Identity Manager? Or, how should it be implemented?

  • Greetings,

    1) The "Identity Manager Synchronization feature", a part of the Access Request Driver in Identity Governance, has been deprecated and one should not be using it anymore. This feature was added before we created Access Request. Therefore, since ID Gov 3.0.x no one should be utilizing the "Identity Manager Synchronization feature" (Access Review Driver) and should instead be utilizing Access Request.

    2) If I understand correctly, you are trying to utilize an IDM Workflow fulfillment to grant someone a Resource in IDM based upon either (a) requesting the AD permission in Access Request or (b) because they become part of a Business Role that authorizes the AD permission (group)?

    Is that correct?


    Please keep in mind that unless you are also going to update back into AD, the Request will not be marked verified, but rather failed verification, which can cause issues down the road.

    Can you please explain your use case a bit more? ID Gov is not a replacement for the AD Driver in IDM. If it is rather complex, it might be easier to open a Service Request so we can have a discussion.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    Micro Focus

  • Thanks

    OK, that was some new information. The "Identity Manager Synchronization feature" is however still possible to configure and we are running the IG 3.5.2 version. Should it not be there?

    We were looking for a scenario where a user could request the permission from IDM or IG regardless, and still support direct synchronization (via driver) or automatic fulfillment (via IG fulfillment configuration). When doing a review in IG on that assignment, a removal would be sent by the fulfillment configuration to Active Directory, and when verified in IG it would update the resource in IDM, triggering the provisioning workflow to remove the assignment in IDM as well.

    I will have a look at the scenario once more and maybe go ahead with an SR to take it further.

  • Greetings,

    1) The feature is still there in ID Gov 3.5.x; however, it is deprecated, meaning that it will be removed in an upcoming release and one should be utilizing the replacement approach instead.

    2) The "Identity Manager Synchronization" feature did not utilize an IDM Workflow. All work was done directly via the Access Review Driver.

    3) The scenario that you outlined is not how the "Identity Manager Synchronization" feature worked.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    Micro Focus

  • 1. OK, understood.

    2. Well. The configuration of "Identity Manager Synchronization" requires a workflow to be assigned to the resources created via the Access Review Driver. Hence, a workflow that is triggered by assignment to the resources in IDM.

    3. That was my original question. How is this supposed to work? Is an assignment to a resource created by the Access Review Driver just meant to trigger an approval to a resource object in IDM? And that's it?