Problem with business role detections

Hi,

Running Identity Governance 3.7.3 on SLES 15.4.

I am collecting Identities from IDM using the 'eDirectory Identity Collector', and collecting Accounts and Permissions from Active Directory using the AD Account Collector / AD Permission Collector.

I have a number of business roles that are used to Add and Remove permissions in AD using the auto-grant & auto-revoke. 

The problem I see with business role detection is that it gets evaluated immediately after publishing Identities, without waiting for Application data to be published. This results in fulfillment failures for all new users for whom the identity is collected but account collection is still pending.

Is it possible to add a criterion to the business role membership so that it waits for the account before opening a fulfillment task?


We have a number of business roles with auto-grant and auto-revoke permissions so it's important for us to get this working. Any advice on how to troubleshoot this would be appreciated.

  • 0

    Hi Saifee

    We had a similar problem and solved it by running the application collection and publish just before the identity collection and publish using the schedule capability.

    Johan

  • 0 in reply to 

    I have tried this but the problem I see with this is that the mapping between Identity and Account will not get resolved. It gets resolved only when Application is published after Identity Publish. 

    This is the error I get when the Fulfillment fails for this case


    [SEVERE] 2024-01-22 14:16:55.779 [com.netiq.iac.persistence.dcs.prov.worker.AutoProvisioningWorkerThread] [IG-DTP] Unexpected error while provisioning changeItem id: 6084. Reason: Item 'ADD_PERMISSION_TO_USER' does not contain all required provisioning attributes (permProvAttr, permProvId, accountProvId).

  • Verified Answer

    +1 in reply to 

    I assume you are using the AD fulfillment. We use CSV fulfillment and I added the recipient data under " Configuration, Fulfillment context Attributes". If you add the recipient attributes here, you can use the fulfillment mapping to insert the recipient DN in accountProvID. It will require a script under "Fulfillment item configuration and mapping". I have not tested it, but it should work.
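    To make the mapping idea above concrete, here is an added example that is not Identity Governance's own script API and not code from either poster. It models a fulfillment item carrying the three attributes named in the error (permProvAttr, permProvId, accountProvId) and a recipient DN exposed as a fulfillment context attribute; the item shape, the context attribute name `recipientDn`, and the function names are assumptions. The "defer" outcome is an added alternative to failing the item outright when only the account reference is missing.

```javascript
// Added example (not Identity Governance's own code). Item shape, the
// context attribute name recipientDn and the function names are assumptions.
const REQUIRED_ATTRS = ["permProvAttr", "permProvId", "accountProvId"];

// Mirrors the check the provisioning worker applies before fulfilling:
// returns the names of required attributes that are absent or empty.
function missingProvisioningAttrs(item) {
  return REQUIRED_ATTRS.filter((a) => !item[a]);
}

// Fulfillment mapping step: when accountProvId is missing, fill it from the
// recipient DN carried in the fulfillment context. Returns a new object.
function mapFulfillmentItem(item, context) {
  const mapped = { ...item };
  if (!mapped.accountProvId && context && context.recipientDn) {
    mapped.accountProvId = context.recipientDn;
  }
  return mapped;
}

// Decide what to do with an item after mapping:
//   fulfill - all required attributes present
//   defer   - only accountProvId is missing (account not collected yet)
//   fail    - permission attributes themselves are missing
function decide(item, context) {
  const mapped = mapFulfillmentItem(item, context);
  const missing = missingProvisioningAttrs(mapped);
  if (missing.length === 0) {
    return { action: "fulfill", item: mapped };
  }
  if (missing.length === 1 && missing[0] === "accountProvId") {
    return { action: "defer", reason: "account not yet collected", item: mapped };
  }
  return { action: "fail", reason: "missing " + missing.join(", "), item: mapped };
}

// Constructed sample matching the situation in the thread: the permission
// attributes are present but accountProvId is not, because the AD account
// collection has not run for this new user yet.
const sampleItem = {
  id: 6084,
  type: "ADD_PERMISSION_TO_USER",
  permProvAttr: "member",
  permProvId: "CN=App-Users,OU=Groups,DC=example,DC=com",
  accountProvId: null,
};
const sampleContext = { recipientDn: "CN=jdoe,OU=Users,DC=example,DC=com" };

console.log(decide(sampleItem, sampleContext));
console.log(decide(sampleItem, {}));
```

    With the recipient DN in the context the item is fulfilled with accountProvId set to that DN; without it the item is deferred rather than failed, which is the behaviour the original question asked for.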

  • 0 in reply to 

    Fixed the issue. Thank you Johan!

  • 0   in reply to 

    If you are using CSV fulfillment, it's just writing the required changes out to a file, and then you need to manually fulfill them, right? If you could get this to work with the AD fulfiller, that would make those changes automatically for you. Would that be better in your situation?

    -Jim
