
IG 3.7.3: IDM Entitlement Account Collector

I am trying to get the IDM Entitlement Account Collector working to collect and publish accounts from Active Directory.

The IDM AD driver is working, and it is configured with the Entitlement and IG Collection packages.

When running the collection - or the test collection - I do see the IG injected queries in the driver trace, and instance data for all users in Active Directory is returned.

But IG is showing the following error in the UI:

DaaS connector returned error during collection: Command failure: Type: find+chunked: [Could not perform CodeMap-Refresh for Account Entitlement: 'CN=UserAccount,CN=Active Directory Driver,CN=IDMDriverSet,OU=system,O=maintainet']

So far I did not find any way to debug this deeper on the IG end - since there seems to be no error on the IDM side!

Even stranger is the fact that the IDM Entitlement Permission Collector configured for the same AD driver does return data during the IG collection test!

I believe there is something wrong with the mapped attributes in the configuration, but I am not sure.

Did anybody succeed in configuring those collectors for Active Directory Entitlements?

Kind regards

Thorsten

  • 0  

    Hello,

    1) Make sure you are configured with IDM 4-based entitlements. Pre-IDM 4 entitlements will not work.

    2) From this page: www.microfocus.com/.../requirements.html
    scroll down to section 8.3 "Supported Identity Manager Drivers and Packages"

    For your AD Driver:
    - Make sure it is at least version 4.1.3
    - The following two (2) packages are installed on it: "NOVLADENTEX_2.5.7.20190610155012" and "Identity Governance Assignment collection: MFIGASGMTCOL_1.0.0.2022011010414"


    3) Was your Identity Collector created from one of the following templates: "Identity Manager Identity Collector" or "IDM Identity with changes Collector"?

    4) When you created the Application source, did you utilize the Application Definition Sources approach? If you had, it should have created the Application Source. If you did not, please delete what you have and utilize the Application Definition Sources approach.


    5) In your Account Collector in the Application Source
    5.a) The Entitlement DN will need to be mapped to the Account Entitlement in the AD Driver.
    For Example: cn=UserAccount,cn=myad,cn=driverset,o=system

    5.b) Make sure the Account-User Mapping is set to:
    Incoming: GUID
    Match to: Object GUID

    6) In your Permission Collector in the Application Source
    6.a) The Entitlement DN will need to be mapped to the Group Entitlement in the AD Driver
    For Example: cn=Group,cn=myad,cn=driverset,o=system

    6.b) Make sure the Permission-Account or User Mapping is set to:
    Incoming: association
    Match to: Account ID from Source

    If after making the above changes, you are still not seeing this work for you, please open a Support Ticket so we can review your environment.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hello Steven,

    First of all, thanks for your fast response!

    Meanwhile, I found my AD driver configuration did not provide a value for the domain name GCV. I saw there was an injected query regarding this value following the query returning all AD users.

    After providing this value, the IG collector test was working, but did not return any data! For each user found, a record line was displayed, but no data at all - except for the login disabled field?!

    Can you provide an example of which Account Attributes are mandatory to collect, and how to map them?

    Kind regards

    Thorsten

  • 0 in reply to   

    Hello Steven,

    I just configured a new IDM Entitlement Account Collector from the template, and now I am receiving some data running the collection test with IG.

    I believe the "association" value is the GUID of the user in Active Directory, but I am curious about the displayName. Some account records are showing the DN of the AD user, some the displayName. In my configuration Account Name is mapped to displayName, and those users showing the DN do not have a displayName configured in Active Directory.

    All of the above users in AD have a description configured, but no IG record is showing those values.

    I added the Given Name and Surname attributes just for testing, and those are not collected either.

    I believe the collector is doing some hard-coded stuff behind the scenes, does it not?

    Are there (some) limitations using this collector? To my understanding, this collector is utilizing an IDM driver by injecting queries to receive (any) data from the connected system - not the IDVault.

    Kind regards

    Thorsten

  • 0

    I did some more digging in the IDM driver's log, and found the following (injected) query after all user <instance> elements:

    <nds dtdversion="2.0">
      <input>
        <query class-name="ADDomain" event-id="IG:query" scope="subtree" subscriber-type="service">
          <search-class class-name="ADDomain"/>
          <read-attr attr-name="ADDomainValue"/>
          <read-attr attr-name="ADDomainDisplayName"/>
          <read-attr attr-name="ADDomainDescription"/>
          <operation-data ig-collection-query="true"/>
        </query>
      </input>
    </nds>

    Due to a missing domain name value in the driver configuration, this query ended with no domain name returned - this was the root cause of the IG DaaS error.

    But now I am facing the problem that the simulation of the collection receives all records, but with no data at all.

    Can someone provide the correct attribute mappings to be used for this collector?
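    The post above traces the DaaS error back to an IG-injected query that came back with no <instance>. The following is an added example (not from the original thread or from OpenText) that pairs each IG collection query found in the driver trace with the driver's reply and reports the search classes that returned nothing; it assumes the XDS documents have already been extracted from the trace, and the sample documents, DN and association value are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two IG-injected XDS queries as they appear in the driver
# trace, each followed by the driver's reply. The ADDomain reply is empty,
# reproducing the case where the domain name GCV is unset in the driver.
SAMPLE_TRACE = [
    """<nds dtdversion="2.0"><input>
<query class-name="User" event-id="IG:query" scope="subtree" subscriber-type="service">
<search-class class-name="User"/><read-attr attr-name="displayName"/>
<operation-data ig-collection-query="true"/></query></input></nds>""",
    """<nds dtdversion="2.0"><output>
<instance class-name="User" src-dn="CN=jdoe,OU=Users,DC=example,DC=test">
<association>{constructed-guid}</association></instance>
<status level="success" event-id="IG:query"/></output></nds>""",
    """<nds dtdversion="2.0"><input>
<query class-name="ADDomain" event-id="IG:query" scope="subtree" subscriber-type="service">
<search-class class-name="ADDomain"/><read-attr attr-name="ADDomainValue"/>
<operation-data ig-collection-query="true"/></query></input></nds>""",
    """<nds dtdversion="2.0"><output>
<status level="success" event-id="IG:query"/></output></nds>""",
]


def find_empty_ig_queries(docs):
    """Walk the XDS documents in trace order. Each <query> carrying
    <operation-data ig-collection-query="true"/> is remembered by its
    search class; the next <output> document is taken as its reply, and the
    search class is reported when that reply holds no <instance> element."""
    empty = []
    pending = None  # search class of the last IG query awaiting a reply
    for doc in docs:
        root = ET.fromstring(doc)
        for query in root.iter("query"):
            op_data = query.find("operation-data")
            if op_data is not None and op_data.get("ig-collection-query") == "true":
                pending = query.find("search-class").get("class-name")
        output = root.find("output")
        if output is not None and pending is not None:
            if output.find("instance") is None:
                empty.append(pending)
            pending = None
    return empty


if __name__ == "__main__":
    for cls in find_empty_ig_queries(SAMPLE_TRACE):
        print(f"IG query for class {cls} returned no instance; check the driver configuration")
```

    Run against the queries and replies pulled from a real trace, a reported "ADDomain" points at the missing domain name GCV described above rather than at the account attribute mappings.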

  • 0 in reply to 

    I decided to start from scratch with the IDM Account Entitlement Collector, and finally I got it working with the default configuration, but there are still some questions left.

    First, I am wondering what data can be received by this collector from an IDM connected system like Active Directory?

    To my understanding, this collector utilizes an IDM Driver - determined by the Entitlement DN configured - to send injected queries to the IDM connected/managed system.

    I can see those queries and the resulting instances in the driver trace. What I cannot see is what IG is really requesting. In the default configuration, the IG collector is using association, description, displayName, GUID, entitlementDN, loginDisabled, entryDN, id and llid as mapped attributes.

    I am guessing that entitlementDN, id and llid are synthetically generated by the collector code, since those attributes are not available in the IDVault nor in the managed system. The association value returned is matching the association value of the XDS instance. I assume that those attributes are supposed to match the parameters of the entitlement - but in this case the collector is returning the wrong value (domain name) for id, which is mapped to "IDM Account ID". This ends up with all accounts published to the IG catalog showing the same IDM Account ID?!

    The value returned for displayName is ambiguous - meaning this is the displayName as long as it is available; in other cases the DN of the account/user in the managed system is returned. This seems to be hard-coded in the collector as well.

    So the bottom line is, I am missing some documentation regarding the capabilities of this collector. What data can be retrieved, and what not?

    Furthermore, I am wondering if it is possible to grant/revoke the Account Entitlement of a user in the IDVault by this collector?

  • 0   in reply to 

    Thank you for all the information you provided!

    "So bottom line is, I am missing some documentation, regarding the capabilities of this collector. What data can be retrieved, and what not?"

    - agreed, the documentation feels not really complete, some settings are not described at all, and some examples would be nice

    "Furthermore, I am wondering if it is possible, to grant/revoke the Account Entitlement of a user in the IDVault by this collector?"

    From what I can tell, you would need to create a new fulfillment target and as a template it would be "IDM Entitlement Fulfillment". Under "Fulfillment configuration/Application setup" you then would need to assign the fulfillment target to the application.

    In general I think only the "Identity Manager AE Permission" collector also has a fulfillment target configuration (called "Identity Manager automated (system)"). So, I think you cannot grant/revoke Account Entitlements by using this collector; you would need to configure a fulfillment target and assign this target to the application source (in which the collector is defined).

  • 0 in reply to   

    Anyway, I would not, at least in the first place, try to grant/revoke entitlements in IDM, unless you are 100% sure these entitlements are not the result of RBPM Roles & Resources being granted in the first place.

    Imagine you use IG to directly revoke an entitlement granted through RBPM: you will mess up the IDM internal (hierarchical) RBAC model, which I guess is not the intention.

    About the documentation being "not so complete" I can only agree!

    Jacques Forster (IGA architect)