How to properly implement the process to make an Identity Manager automated (system) Fulfillment through Access Request

Hi, community.

The scenario I'm facing is that when an Access Request is made and the manager and owners have approved it, the requested access must be granted to the Initiator without manual intervention.

I followed the course instructions from the Identity Governance and Administration (IGA) Academy and configured the Fulfillment Target of the application to Identity Manager automated (system). However, nothing occurs after the collection + publish: the access is neither granted on the IDM side nor shown in the Current Access of the user. Also, I could not find any logs about these changes on the IDM side, neither in the driver of this application nor in catalina.out from the UserApp logs.

The requested access keeps showing in Fulfillment -> Requests of the Fulfillment Administration user after the collection + publish.

Is there another configuration necessary? Where can I see the logs for this?

  • 0  

    Did you use the "Identity Manager AE Permission" Collector as an application collector?

    Also, you need to configure the following connection information for the provisioning under the "Configuration" tab.

    As Diego mentioned, under "Fulfillment/Configuration/Application setup" all the applications need to have "Identity Manager automated (system)"

  • 0 in reply to   

    Hello. Yes, I did configure the Identity Manager AE Permission as the application source.

    The IDM information in the configuration tab is also filled in correctly.

    Do we need any driver for this fulfilment? I did not install any new driver.

  • 0   in reply to 

      

    As Steven replied - maybe there is a conflict in the permission assignment/revoke which led to a fallback/manual fulfillment.

    When I set up fulfillment for the 1st time, I usually do the following:

    - I create a new role in the IDM (without special permissions) which is only for testing purposes
    - In the IG I do a Collect & Publish so that I have the role as permission in the IG catalog and if necessary I enter this permission in an Access Request Policy.
    - Afterwards I assign this role via "Access Request" to a test user to check the provisioning in the fulfillment status.

    With this procedure there should not be any conflicts which lead to the fulfillment being a "manual/fallback" one.

    No additional driver should be required. In the fulfillment target, are the following request types activated?

  • 0 in reply to   

      

    Yes, all targets are checked :( .

    I'll try to create a role in IDM and run a collection as you mentioned.

    I'll let you know once it's finished.

    Thanks for the help.

  • 0 in reply to 

       

    It did not work.

    The fulfillment did not happen and it came to the new role owner for manual fulfilment.

    Is there any log where I can see if there is a connectivity error during the SOAP calls?

  • 0   in reply to 

    Hmm, I'm not sure. You have a few logging options under "Configuration/Logging Levels" which are output to the catalina.<date>.log.

    You can try to set every logging package in the "DaaS WAR" Module to 'TRACE' and maybe under the "Server WAR" the packages "com.netiq.iac", "com.novell.soa", "com.netiq.persist".

    I'm not sure if those are helping, but I usually turn those on and hope for the best.

  • 0   in reply to   

    In addition: 

    If there is a connection error, then the fulfillment would also be an error - at least from what I could observe in the past.
    Under "Fulfillment configuration/application setup" you also have the option to edit the settings. If you click on edit, is this view the same as in the fulfillment configuration/setup?

  • 0 in reply to   

    There is no error on Application Setup. 

    I tried to add more logs as debug, but could not find any error as well :( 

  • 0   in reply to 

    I would suggest opening an SR.
    In theory there isn't much to do for this setup to work and for further debugging I also would need to click through it myself.
