Problem with business role detections

Hi,

Running Identity Governance 3.7.3 on SLES 15.4.

I am collecting Identities from IDM using the 'eDirectory Identity Collector', and collecting Accounts and Permissions from Active Directory using the AD Account Collector / AD Permission Collector.

I have a number of business roles that are used to add and remove permissions in AD using auto-grant and auto-revoke.

The problem I see with business role detection is that it gets evaluated immediately after publishing Identities, without waiting for the Application data to be published. This results in fulfillment failures for all new users for whom the identity has been collected but account collection is still pending.

Is it possible to add a criterion to the business role membership so that it waits for the account before opening a fulfillment task?


We have a number of business roles with auto-grant and auto-revoke permissions so it's important for us to get this working. Any advice on how to troubleshoot this would be appreciated.

  • Reply

    Hi Saifee

    We had a similar problem and solved it by running the application collection and publish just before the identity collection and publish using the schedule capability.

    Johan

  • Reply

    I have tried this, but the problem I see with this is that the mapping between Identity and Account will not get resolved. It gets resolved only when the Application is published after the Identity publish.

    This is the error I get when the fulfillment fails in this case:


    [SEVERE] 2024-01-22 14:16:55.779 [com.netiq.iac.persistence.dcs.prov.worker.AutoProvisioningWorkerThread] [IG-DTP] Unexpected error while provisioning changeItem id: 6084. Reason: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).
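The thread asks how to troubleshoot these failures. The log parser below is an added example written for this page, not a tool shipped with Identity Governance; it matches only the one AutoProvisioningWorkerThread message format quoted above and groups failed changeItem ids by the provisioning attributes they were missing. A failure that lists accountProvId is the symptom discussed here (identity published, account not yet collected). The sample log text is constructed from the quoted line; the second and third lines are made up in the same format for illustration, and the log file path is whatever you pass on the command line, since the page does not name one.

```python
import re
import sys
from collections import defaultdict

# Constructed sample log text. Line 1 is the message quoted in the thread;
# lines 2 and 3 are invented in the same format to show grouping. Not real IG output.
SAMPLE_LOG = """\
[SEVERE] 2024-01-22 14:16:55.779 [com.netiq.iac.persistence.dcs.prov.worker.AutoProvisioningWorkerThread] [IG-DTP] Unexpected error while provisioning changeItem id: 6084. Reason: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).
[INFO] 2024-01-22 14:16:55.801 [com.netiq.iac.persistence.dcs.prov.worker.AutoProvisioningWorkerThread] [IG-DTP] Provisioning changeItem id: 6085 completed.
[SEVERE] 2024-01-22 14:17:02.114 [com.netiq.iac.persistence.dcs.prov.worker.AutoProvisioningWorkerThread] [IG-DTP] Unexpected error while provisioning changeItem id: 6086. Reason: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (accountProvId).
"""

# Matches only the "does not contain all required provisioning attributes" failure
# in the layout of the quoted line: [LEVEL] date time [logger] [component] message.
FAILURE_RE = re.compile(
    r"^\[(?P<level>\w+)\]\s+(?P<ts>\S+ \S+)\s+\[(?P<logger>[^\]]+)\]\s+\[(?P<comp>[^\]]+)\]\s+"
    r"Unexpected error while provisioning changeItem id: (?P<id>\d+)\. "
    r"Reason: Item '(?P<item>[^']+)' does not contain all required provisioning attributes "
    r"\((?P<attrs>[^)]*)\)\.$"
)


def parse_failures(text):
    """Return one dict per matching failure line; non-matching lines are ignored."""
    failures = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        missing = tuple(a.strip() for a in m.group("attrs").split(",") if a.strip())
        failures.append({
            "ts": m.group("ts"),
            "id": int(m.group("id")),
            "item": m.group("item"),
            "missing": missing,
        })
    return failures


def account_not_yet_collected(failures):
    """changeItem ids whose failure lists accountProvId: the account side of the
    identity/account mapping was not resolved when the role was evaluated."""
    return [f["id"] for f in failures if "accountProvId" in f["missing"]]


def summarize(failures):
    """Group changeItem ids by the exact set of missing attributes."""
    groups = defaultdict(list)
    for f in failures:
        groups[f["missing"]].append(f["id"])
    return dict(groups)


def scan(path):
    """Read a log file (path is the caller's choice; none is given on the page)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_failures(fh.read())


if __name__ == "__main__":
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else parse_failures(SAMPLE_LOG)
    for missing, ids in summarize(found).items():
        print(f"missing {', '.join(missing)}: changeItems {ids}")
    print("account not yet collected:", account_not_yet_collected(found))
```

If every failing changeItem shows up under account_not_yet_collected and the same ids succeed after the next Application publish, the failures are the ordering problem described in this thread rather than a broken fulfillment mapping.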

  • Verified Answer


    I assume you are using the AD fulfillment. We use CSV fulfillment, and I added the recipient data under "Configuration, Fulfillment context Attributes". If you add the recipient attributes here, you can use the fulfillment mapping to insert the recipient DN in accountProvId. It will require a script under "Fulfillment item configuration and mapping". I have not tested it, but it should work.

  • Reply

    Do I understand the problem correctly: you collect a new Identity record, and your business role is processed and immediately tries to create a fulfillment to grant an AD account as well as a permission; however, you have a separate process that has already created the AD account, but it hasn't been collected yet, so IG doesn't know which account it is supposed to assign the permission to?

    To reiterate: are you creating the AD account outside of IG, and the problem seems to be that you want to collect the identity and the account first, then perform the business role evaluation?

    --Jim

  • Reply

    Fixed the issue. Thank you Johan!

  • Reply

    Yes, that is right. I am creating AD accounts outside of IG and using the business roles only to grant permissions to an already created account.

    Issue: I want to collect the identity and the account first, then perform the business role evaluation, but I don't see a way that a business role evaluation can be delayed.

    I have fixed the issue using the solution provided by  

  • Reply

    If you are using CSV fulfillment, it's just writing the required changes out to a file, and then you need to manually fulfill them, right? If you could get this to work with the AD fulfiller, that would make those changes automatically for you. Would that be better in your situation?

    -Jim