
How to properly implement the process to make an Identity Manager automated (system) Fulfillment through Access Request

Hi, community.

The scenario I'm facing is: when an Access Request is made and the manager and owners have approved it, the access requested must be granted to the Initiator without manual intervention.

I followed the course instructions from Identity Governance and Administration (IGA) Academy and configured the Fulfillment Target of the application to Identity Manager automated (system). However, nothing occurs after the collection + publish: the access is neither granted on the IDM side nor shown in the Current Access of the user. Also, I could not find any logs for these changes on the IDM side, neither in the driver of this application nor in catalina.out from the UserApp logs.

The requested access keeps showing in Fulfillment -> Requests of the Fulfillment Administration User after the collection + publish.

Is there another configuration necessary? Where can I see the logs for these?

  • 0

    To actually see the document sent, the logging level com.netiq.iac.server.dtp on the DTP.WAR should be set to DEBUG inside the app. This log level sends a lot of log posts to the catalina file, but when searching for "remove-values" or "add-values" one should get to the actual document sent by the fulfillment process.

  • 0   in reply to 

    Hello,
      A support ticket has been opened referencing this thread, which has been escalated to me. I am not sure if the person who opened the case is the same one who started this thread. With that said, please keep in mind that your Identity Collector and the Permission matter. The system reviews the change request (add/remove) and evaluates the User/Account/Permission to make sure they meet the necessary criteria to utilize IDM Automated fulfillment. If they do not, that is when the "fallback" setting in the IDM Automated Fulfillment is utilized (as outlined before, the fallback is not utilized if ID Gov cannot connect to the ID App or if there is a failure on the ID Apps side; those all result in a Fulfillment Error).

    If one utilizes an Identity Collector other than one (1) of the two (2) IDM Identity Collectors:
    "Identity Manager Identity"
    or
    "IDM Identity with Changes"

    Then the collected users will not have certain attributes collected from IDM on them.

    If you are planning on collecting from the IDM AE Application source and fulfilling via the IDM Automated Fulfillment, then via Best Practice one needs to utilize one (1) of the two (2) IDM Identity Collectors. If you are using the eDirectory Identity Collector, it is possible to map in the missing attributes to be collected from the Vault.


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity
