Active Directory User Import per OU


I have a NetIQ Identity Manager instance I've inherited, and I'm wondering if someone could point me in the right direction for how to set up a job to import users from a specific OU into IDM? All I see are more general settings for synchronization of all users... which I don't need to do and which would cause larger issues.

Best, Tim

  • NetIQ IDM (IDM) is an event-based system, meaning if something happens in any of the connected systems, then something will take place (if it is configured to do so). This means that if you have an event in AD (create/modify/delete/move), then you will get an event which IDM does something with (depending on configuration).

    If you have an existing system, then you need to figure out what the authoritative source is, meaning if the authoritative source is IDM then you should not import (nor create) users from AD; the AD driver will create users in AD. If the authoritative source is AD, then when users are created in AD they will also get created in IDM.

    Now, if AD is the authoritative source and you start creating users outside the configured scope (where users are accepted from), then nothing will happen, and you need to change the driver to also accept these users.

    Before you start importing users, or try to import users, you should look at the configuration.

  • That is a good answer. I started writing one myself, but realized this simple and seemingly straightforward question has so much baggage around it, there is no real simple answer.

  • Thanks, understood. Current config is that IDM is the source of authority, so agreed, I don't want to suddenly start mixing backwards all AD accounts, but I would like to do so for a specific small subset in a specific OU. Is anything like that possible?

    Alternatively, are there any possibilities for API account generation within IDM? Or otherwise direct insertions into the IDM DB? (Yes, out-of-band-ish from the general scope of the product to integrate wholesale with a specific source authority...)

  • Hi Tim,

    Could you clarify your goal?

    Do you want to "migrate" (initiate synchronization of) users from AD to the IDM vault, or the opposite route (from IDM to AD)?

    For me, both cases are absolutely doable.

    If you want to "migrate users" from AD to eDirectory (Publisher channel), you can create your own "filtering" policy in the Input Transformation that will allow processing only objects with a src-dn in a specific OU:

    <if-src-dn op="available"/>
    <if-src-dn op="in-subtree">OU=MyUsers,DC=ADDomain,DC=net</if-src-dn>

    If the goal is to "migrate" (resync) users from the IDM Vault to AD (Subscriber channel), it is even easier:

    1. You can use a custom Job with a "Subscriber channel trigger" and a policy that will initiate the resync.

    2. You can use any user/group or OU as the scope for this job.
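As an added example (not code from the thread or from the NetIQ product), here is what the two conditions above look like as a complete Publisher-channel Input Transformation rule. Rather than selecting objects inside the OU, it vetoes add events whose src-dn falls outside it, so anything IDM never asked for is dropped before it reaches the vault. The OU DN OU=MyUsers,DC=ADDomain,DC=net is taken from the answer above and is only a placeholder; the rule description and trace text are my own choices:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example rule for the AD driver's Publisher Input Transformation policy set.
     Assumption: the OU to accept is OU=MyUsers,DC=ADDomain,DC=net (placeholder from the thread).
     The Input Transformation runs before Schema Mapping, so src-dn is still in AD (LDAP) form. -->
<policy>
  <rule>
    <description>Veto Publisher add events for objects outside OU=MyUsers</description>
    <conditions>
      <and>
        <!-- Only gate new objects coming in from AD; leave modify/delete for already associated objects alone -->
        <if-operation op="equal">add</if-operation>
        <if-src-dn op="available"/>
        <!-- Anything not under the scoped OU is rejected -->
        <if-src-dn op="not-in-subtree">OU=MyUsers,DC=ADDomain,DC=net</if-src-dn>
      </and>
    </conditions>
    <actions>
      <!-- Leave a trace line so a vetoed object can be found in the driver trace (level 2 and above) -->
      <do-trace-message level="2">
        <arg-string>
          <token-text>Vetoing add for object outside OU=MyUsers: </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Two things to check before deploying it: the driver's Publisher filter must still allow the User class and the attributes you want, or nothing arrives regardless of this rule; and a veto only stops future events, so the users already sitting in that OU are not touched until you trigger a migration of that container into the Identity Vault (the "one-time" migration discussed later in this thread). Restricting the veto to add events means objects that IDM itself created in AD keep flowing back normally, which matters when IDM is the authority.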

  • Thanks for clarifying. I have an OU of users that gets populated from another system and I want to bring those into IDM along with the rest of the users so they can use the features. Even something like setting up another import with a CSV I could populate might be easy too, if there's no way to easily set up a recurring OU-based import.

  • And I'm very anxious not to screw that up and import the whole AD structure the wrong way... heh =)

  • Hi Tim,

    You don't need to "repeat" the AD OU structure. You can have an absolutely different structure in the IDM vault.

    Definitely, you can use the CSV import method or any other method (I can recommend Skypro Directory Clone from the IDM Toolbox package).

    The major question for me is: what is your Book of Record (BOR)? In most organizations, HR is the BOR and IDM creates user objects based on HR data.

    "Thanks for clarifying. I have an OU of users that gets populated from another system and I want to bring those into IDM along with the rest of the users so they can use the features."

    In this case, it makes sense to me to have a "one-time" migration from AD with "OU filtering" in the Input Transformation.