How to properly implement the process to make an Identity Manager automated (system) Fulfillment through Access Request

Hi, community.

The scenario I'm facing is: when an Access Request is made and the manager and owners have approved it, the requested access must be granted to the Initiator without manual intervention.

I followed the course instructions from Identity Governance and Administration (IGA) Academy and configured the Fulfillment Target of the application to Identity Manager automated (system). However, nothing occurs after the collection + publish: the access is neither granted on the IDM side nor shown in the Current Access of the user. Also, I could not find any logs about these changes on the IDM side, neither in the driver of this application nor in catalina.out from the UserApp logs.

The requested access keeps showing in Fulfillment -> Requests of the Fulfillment Administration User after the collection + publish.

Is there another configuration necessary? Where can I see the logs for this?

  • 0

    I am facing the same issue.

    I have made the configuration as in this thread.

    Fulfillment configuration is as below.

    The applications have this "Identity Manager Automated" selected.

    I can see the fulfillment pending in fulfillment status, but it's pending by the user that is selected as "Fulfiller" in the above image.

    But once I collect and publish the IDM AE Permissions collection, nothing happens. The fulfillment is still pending.

  • 0  

    Did you use the "Identity Manager AE Permission" Collector as an application collector?

    Also you need to configure the following connection information for the provisioning under the "Configuration" tab

    As Diego mentioned, under "Fulfillment/Configuration/Application setup" all the applications need to have "Identity Manager automated (system)"

  • 0   in reply to   

    That is incorrect. The settings under Configuration -> Identity Manager Configuration are only utilized for the "IDM Workflow" fulfillment. The IDM Automated fulfillment utilizes the IDM AE Permission Collector (which means you can only have one (1) IDM AE application source per IG Install).

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0   in reply to   

    I will not argue against it logically, but in a customer installation, automated fulfillment did not work until this setting was successfully configured.

    There were problems with the address entered there and when we changed it, the fulfillments also worked successfully. But these are now only observations of the one installation and could also have been more a coincidence.

  • 0   in reply to   

    It is hard to see from your screenshot (because you blocked part of the value), but if the fulfillment is pending a person then it means that while the change (add / remove of permission) was evaluated, it was determined not to be able to be fulfilled via the IDM Automated fulfillment.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity 

  • 0 in reply to   

    Hello. Yes, I did configure the Identity Manager AE Permission as the application source.




    IDM information in the configuration tab is also filled in correctly.



    Do we need any driver for this fulfilment? I did not install any new driver.

  • 0 in reply to   

    Hi,

    Thanks for the answer.

    It's pending from the Fulfiller that I added as "fallback" in the Fulfillment configuration.

  • 0   in reply to 

      

    As Steven replied - maybe there is a conflict in the permission assignment/revoke which led to a fallback/manual fulfillment.

    When I set up fulfillment for the 1st time, I usually do the following:

    - I create a new role in the IDM (without special permissions) which is only for testing purposes
    - In the IG I do a Collect & Publish so that I have the role as permission in the IG catalog and if necessary I enter this permission in an Access Request Policy.
    - Afterwards I assign this role via "Access Request" to a test user to check the provisioning in the fulfillment status.

    With this procedure there should not be any conflicts which lead to the fulfillment being a "manual/fallback" one.

    No additional driver should be required. In the fulfillment target, are the following request types activated?

  • 0   in reply to   

    Hello Tobias,

    The IDM Automated Fulfillment only looks at the IDM AE Permission Collector for how to call back to IDM. If you experienced something else, then a Service Request should be created for us to investigate.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0   in reply to   

     The IDM Automated Fulfillment performs SOAP calls to the ID Apps for the fulfillment.  Therefore, no additional IDM Driver is required.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity