Identity Manager automated fulfillment - always goes to manual fulfiller

Identity Manager AE Permission Collector is configured as the application source to collect IDM roles as permissions in the IG catalog. Permissions are requested using Access Request or via Business Role.

For fulfillment, Identity Manager automated fulfillment with manual fallback is selected. When requesting access through Access Request, the fulfillment stays in pending mode forever with status 'Sending for fulfillment via Identity Manager' and nothing occurs even after collection + publish. The requested access keeps showing in Fulfillment -> Requests.

When permission is requested by business role, it always ends up with manual fallback fulfiller instead of using automated fulfillment.

Is there another configuration necessary for the automated fulfillment that I have missed?


For collecting IGA identities I am using 'eDirectory Identity Collector'. Are there any additional attributes that should be collected from Idvault to make the automated fulfillment work?

The applications have "Identity Manager Automated" selected.

Fulfillment Status tab looks like this. First one is initiated by Business Role, second by Access Request.

  • 0  

    Hello,
    During the processing of the fulfillment request, data of the permission and the user are examined to confirm they can be fulfilled via the IDM Automated fulfillment.


    Before opening a Service Request to investigate:
    1) What specific Identity Collectors are being utilized?
    2) What strategy is being utilized (Publish and Merge or Publish without Merging) for the Identity Collector?
    3) Is the fulfillment for a Role or Resource?
    4) Is the fulfillment for a Permission (Role or Resource) that is associated to the IDM AE collector or one (1) IDM Drivers?


    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    1) Identity Collectors used: eDirectory Identity Collector - Template Version 3.6.2
    2) Publish without Merging
    3) Fulfillment is for a Role
    4) Fulfillment is for Permission (Role) that is associated to the IDM AE collector

    IG version is 3.7.3

  • 0   in reply to 

    Hello,

    1) The eDirectory Identity Collector does not create an "IDM" user within Identity Governance by default. The Identity Manager Identity Collector or IDM Identity with changes Collector will create an "IDM" user which is one (1) of the requirements for being able to utilize the IDM Automated Fulfillment. Did you map additional attributes in the Collector?

    2) In the Business Role -> Authorizations Tab, what is set for the permission in question:

    2.a) Mandatory or Optional

    2.b) Which of the following:
    No Auto-Grant or Auto Revoke
    Auto Grant
    Auto Revoke
    Auto-Grant and Auto Revoke

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    1) I have several custom attributes on the collector to collect different information on Identity but perhaps not the ones needed to tag the identity as "IDM" user. What additional attributes are needed for creating an "IDM" user?

    2) In the Business Role -> Authorizations Tab, this is set for the permission in question:

    2.a) Mandatory

    2.b) Auto Grant