IG 3.7.3: IDM Entitlement Account Collector

I am trying to get the IDM Entitlement Account Collector working to collect and publish accounts from Active Directory.

The IDM AD driver is working, and it is configured with the Entitlement and IG Collection packages.

When running the collection - or the test collection - I do see the IG injected queries in the driver trace, and instance data of all users in Active Directory are returned.

But IG is showing the following error in the UI:

DaaS connector returned error during collection: Command failure: Type: find+chunked: [Could not perform CodeMap-Refresh for Account Entitlement: 'CN=UserAccount,CN=Active Directory Driver,CN=IDMDriverSet,OU=system,O=maintainet']

So far I did not find any way to debug this deeper in the IG end - since there seems to be no error on the IDM side!

Even more strange is the fact, the IDM Entitlement Permission Collector configured for the same AD driver does return data during the collection test of IG!

I believe, there is something wrong with the mapped-attributes in the configuration, but I am not sure.

Did anybody succeed configuring those collectors for Active Directory Entitlements?

Kind regards

Thorsten

  • 0  

    Hello,

    1) Make sure you are configured with IDM 4 based entitlements. Pre-IDM 4 based entitlements will not work

    2) From this page: www.microfocus.com/.../requirements.html
    scroll down to section 8.3 "Supported Identity Manager Drivers and Packages"

    For your AD Driver:
    - Make sure it is at least version 4.1.3
    - The following two (2) packages are installed on it: "NOVLADENTEX_2.5.7.20190610155012" and "Identity Governance Assignment collection: MFIGASGMTCOL_1.0.0.2022011010414"


    3) Was your Identity Collector created from one of the following templates: "Identity Manager Identity Collector" or "IDM Identity with changes Collector"

    4) When you created the Application source, did you utilize the Application Definition Sources approach? If you had, it should have created the Application Source. If you did not, please delete what you have and utilize the Application Definition Sources approach.


    5) In your Account Collector in the Application Source
    5.a) The Entitlement DN will need to be mapped to the Account Entitlement in the AD Driver.
    For Example: cn=UserAccount,cn=myad,cn=driverset,o=system

    5.b) Make sure the Account-User Mapping is set to:
    Incoming: GUID
    Match to: Object GUID

    6) In your Permission Collector in the Application Source
    6.a) The Entitlement DN will need to be mapped to the Group Entitlement in the AD Driver
    For Example: cn=Group,cn=myad,cn=driverset,o=system

    6.b) Make sure the Permission-Account or User Mapping is set to:
    Incoming: association
    Match to: Account ID from Source

    If after making the above changes, you are still not seeing this work for you, please open a Support Ticket so we can review your environment.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hello Steven,

    first of all thanks for your fast response!

    Meanwhile, I found my AD driver configuration did not provide a value for the domain name GCV. I saw, there was an injected query regarding this value following the query returning all AD users.

    After providing this value, the IG collector test was working, but did not return any data! For each user found, a record line was displayed, but no data at all - except for the login disabled field?!

    Can you provide an example, which are the mandatory Account Attributes to be collected, and how to map those?

    Kind regards

    Thorsten
