Queries for IDM AD Driver

Hi Team,

We are facing the issues below in the AD driver.

We are facing the issues below in IDM. Request you to kindly help us resolve the same.

Queries:-

1.       As in the AD driver we can define only one user container (OU/Group), we can only migrate the users and groups that are in that OU. Our query is that we want to sync all users and OUs of AD outside the OU specified in the driver, so how can we achieve this? Do we have to define the main OU of AD?

For example: we have an AD which has 3 OUs (SOC, NOC, Consultant) and they have their own users. In the AD driver we have configured only the Consultant OU, so we are able to create/migrate/delete users from that OU only. To migrate and sync all OUs and users of AD, how can we achieve this? What type of configuration do we have to do in the AD driver?


2.       When we set the entitlement to true and then migrate the users from AD to the ID Vault, they do not migrate; it gives us the error below:

Veto out of the scope events

And when we set the entitlement to false, users are migrated to the ID Vault. But also, when it is false, users are not moved to groups in AD. For user movement to AD groups we need to set the entitlement to true.

We want to achieve that users are migrated into the ID Vault and also that users are moved to AD groups.

We also tried installing the Role-Based Entitlement driver and also created entitlement users/groups, but we are still facing the same issues.


Thanks

Dipesh

  • 1. Check your scoping policies

    2. You'll have to understand how roles and entitlements work

    Good luck


  • Hi,

    1) Regarding the EDIR to ADIR synchro, yes, you must check the scoping policy in the subscriber channel that sets which containers you allow to sync from EDIR to ADIR. Just add the additional container with a logical OR, or set the idv-data-user variable to an upper container that contains all your users' OUs.

    The policy is NOVLADDCFG-sub-mp-scopping and the rule is :

    <policy>
     <description>Find matching object in Active Directory</description>
     <rule>
      <description>remember relative position in hierarchy</description>
      <comment xml:space="preserve">This rule marks events in the given containers for processing by adding the unmached-src-dn and attempt-to-match operation properties. You can add subtrees in the Identity Vault for inclusion by adding if-src-dn conditionals here. If you are using mirrored placement, the unmatched-src-dn is used later in the placement rule. The attempt-to-match property determines whether the matching policies following this initializing policy should try to match the object or whether its out of scope.</comment>
      <conditions>
       <and>
        <if-src-dn op="in-subtree">~idv.dit.data.users~</if-src-dn>
        <if-op-property mode="nocase" name="attempt-to-match" op="not-equal">false</if-op-property>
       </and>
      </conditions>
      <actions>
       <do-set-op-property name="unmatched-src-dn">
        <arg-string>
         <token-unmatched-src-dn convert="true"/>
        </arg-string>
       </do-set-op-property>
       <do-set-op-property name="attempt-to-match">
        <arg-string>
         <token-text xml:space="preserve">true</token-text>
        </arg-string>
       </do-set-op-property>
      </actions>
     </rule>
    </policy>

    2) Regarding the entitlement, when you enable the entitlement, this triggers different rules in different policies by default. And one of these rules disables the ADIR to EDIR user creation, as it assumes you want to manage AD from EDIR. To get this working you must disable this rule.

    The involved policy is NOVLADDENTEX-pub-mp-entitlementimpl:

    <description>Find a matching unassociated object in the Identity Vault.</description>
     <rule>
      <description>UserAccount entitlement: Match existing accounts if UserAccount Onboarding enabled</description>
      <comment xml:space="preserve">If the UserAccount GCV is set to true, this policy prevents the onboarding of user accounts from AD unless the UserAccount AND UserAccount.onboard GCV is also set to true.</comment>
      <conditions>
       <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <if-op-property mode="nocase" name="attempt-to-match" op="equal">true</if-op-property>
        <if-global-variable mode="nocase" name="drv.entitlement.UserAccount" op="equal">true</if-global-variable>
       </and>
      </conditions>
      <actions>
       <do-set-op-property name="attempt-to-match">
        <arg-string>
         <token-text xml:space="preserve">false</token-text>
        </arg-string>
       </do-set-op-property>
      </actions>
     </rule>

    The "attempt-to-match" = false will veto the user creation, so you can disable this rule.

    Hope this will help.

    Sylvain
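As an added example (not from this thread and not the driver's shipped configuration), here is the scoping rule above extended so that a second Identity Vault subtree is also marked in scope. In DirXML Script, sibling `<and>` condition groups under `<conditions>` are ORed together, so the extra container gets its own group that repeats the attempt-to-match check; the DN `\IDV\data\consultants` is a made-up placeholder in slash format, and the actions are the shipped rule's own, unchanged.

```xml
<policy>
 <description>Find matching object in Active Directory</description>
 <rule>
  <description>remember relative position in hierarchy (two subtrees in scope)</description>
  <comment xml:space="preserve">Condition groups of type "and" are ORed with each other by the engine, so every additional Identity Vault subtree gets its own group. Each group repeats the attempt-to-match check so an event that an earlier policy already marked out of scope stays out of scope.</comment>
  <conditions>
   <!-- first subtree: the GCV the shipped rule already uses -->
   <and>
    <if-src-dn op="in-subtree">~idv.dit.data.users~</if-src-dn>
    <if-op-property mode="nocase" name="attempt-to-match" op="not-equal">false</if-op-property>
   </and>
   <!-- second subtree: placeholder DN, replace with the container you want to add -->
   <and>
    <if-src-dn op="in-subtree">\IDV\data\consultants</if-src-dn>
    <if-op-property mode="nocase" name="attempt-to-match" op="not-equal">false</if-op-property>
   </and>
  </conditions>
  <actions>
   <do-set-op-property name="unmatched-src-dn">
    <arg-string>
     <token-unmatched-src-dn convert="true"/>
    </arg-string>
   </do-set-op-property>
   <do-set-op-property name="attempt-to-match">
    <arg-string>
     <token-text xml:space="preserve">true</token-text>
    </arg-string>
   </do-set-op-property>
  </actions>
 </rule>
</policy>
```

Designer renders the two groups as two condition blocks joined by OR. The alternative the answer mentions, pointing the idv.dit.data.users GCV at a parent container that holds all user OUs, needs no policy edit at all, but it widens what the driver is allowed to create in AD, so check that the parent container holds only objects you actually want synchronised before choosing it.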

  • Welcome to IDM. It is fun and we have cookies.

    Anyway, you need to learn a bunch about IDM and how it works.

    The reason one container works is just how the default config ships. It works well as a simple example but you need to customize for more complex environments. 

    For the single OU, have you considered picking a high enough container to meet your needs?

    As for Entitlements, that is a really complex topic. Short answer:

    Drivers see Entitlements (stored in DirXML-EntitlementRef on the user). (As in the engine/shim, no user interface per se; watch via trace files.) Are you familiar with DirXML Script? The XML language rendered as a GUI in Designer. (I wrote a book on the topic if you think that will help.)

    https://www.lulu.com/shop/search.ep?keyWords=geoffrey carman&type=

    (Definitive Guide to IDM Tokens. The Validator Missing Manual book is for an automated testing tool that MF sells. Not relevant to this question, but buy one for your mom; it makes great reading, she will love it!)

    User App/ID Apps (Web interfaces for users/admins) use Roles. Which can have Resources, which can have an Entitlement (like AD Account, AD Group) with a value (So AD Group entitlement, needs a value to tell you WHICH group it references). 

    So to use entitlements you would need the User App/ID Apps (what version are you using?), which would allow you to make a Resource with the AD account entitlement (which is missing and causing the Veto). Then make a Role, link it to the Resource, assign it to a user and see what happens.

    There is so much to say about this. I cannot even begin to answer until I know better what you already know.

    Consider browsing my collection of articles:

    https://wiki.microfocus.com/index.php/Geoffrey_Carmans_personal_collection

    Sorted by topics. Lots on the AD driver. And general DirXML Script stuff. And much, much more. You will feel drowned. Suggest how much you understand and I can whittle down the list you should read to get help.


  • Hi,

    In order to allow user creation from AD to eDir with "Entitlement = Yes", you can disable this rule:

    UserAccount entitlement: Match existing accounts if UserAccount Onboarding enabled

    in the policy: NOVLADENTEX-pub-mp-entitlementsImpl.

    Hope this will help.

    Thanks.

    Sylvain
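As an added example (not the thread's own text and not the driver's shipped policy), this is what the rule quoted earlier in the thread looks like once it is disabled in DirXML Script. Designer's "Disable rule" option sets `disabled="true"` on the `<rule>` element, the engine then skips the rule, and attempt-to-match is no longer forced to false for users arriving from AD. The body is the quoted rule unchanged apart from that attribute and a note in the description.

```xml
<policy>
 <description>Find a matching unassociated object in the Identity Vault.</description>
 <!-- disabled="true" is the attribute Designer writes when you tick "Disable rule" -->
 <rule disabled="true">
  <description>UserAccount entitlement: Match existing accounts if UserAccount Onboarding enabled (disabled: AD-side user creations are allowed to onboard)</description>
  <comment xml:space="preserve">If the UserAccount GCV is set to true, this policy prevents the onboarding of user accounts from AD unless the UserAccount AND UserAccount.onboard GCV is also set to true. With this rule disabled, any user created in a container the publisher channel watches is onboarded into the Identity Vault without an entitlement grant, so review who can create accounts in those AD containers.</comment>
  <conditions>
   <and>
    <if-class-name mode="nocase" op="equal">User</if-class-name>
    <if-op-property mode="nocase" name="attempt-to-match" op="equal">true</if-op-property>
    <if-global-variable mode="nocase" name="drv.entitlement.UserAccount" op="equal">true</if-global-variable>
   </and>
  </conditions>
  <actions>
   <do-set-op-property name="attempt-to-match">
    <arg-string>
     <token-text xml:space="preserve">false</token-text>
    </arg-string>
   </do-set-op-property>
  </actions>
 </rule>
</policy>
```

After the change, a publisher-channel trace of an AD user add should no longer show the "Veto out of the scope events" message from this policy; if it still does, another rule is setting attempt-to-match to false and the trace will name the policy that did it.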