Micro Focus Frequent Contributor

Identity Collector: reference to another object

Hello

Is there any way to collect an attribute that belongs to another object via the Identity Manager Identity Collector? I want to get information from another object that is related to my Identity.

For example, in my Identity Collector I want to map to the "Description" attribute the value "ABC" from the object referenced in my user1 identity.

eDir User:
dn: cn=user1,ou=users,o=data
custObj: cn=obj1,ou=test,o=data
...

eDir Object:
dn: cn=obj1,ou=test,o=data
description= ABC
...

The solution that comes to my mind is to make a connection to the directory in the transformation script to obtain the information, but I don't think it is the best solution. Do you have any comments or recommendations?

I need to display this kind of information in some reviews.

0 Likes
5 Replies
Commodore

What if you implemented the IGIM driver, and then updated policy in the driver to add that attribute value to users as you synchronized them over to IG?

Alternatively, I'd look for a way to make that dn dereference and attr lookup happen entirely in the LDAP query, but that sounds like black magic to me.

--Jim

0 Likes
Micro Focus Expert

Greetings,
As I understand it, it is not supported to modify the IGIM driver. The filter which the IGIM driver uses is set via REST by the one that is utilizing it. The filter and other aspects of this driver should not be modified.

Please be aware that the IGIM driver does not synchronize aspects to ID Gov. The IGIM driver looks for changes based upon the filter that is set. This filter is set or updated when the IDM Identity w/Changes does a Full Collect. After that, the IGIM driver listens for changes to users/groups based upon the attributes outlined. If there are any changes then it (IGIM driver) stores those changes. The Collector within IG gets those specific changes via REST when it polls (based upon the setting which is every 60 minutes by default). Once the information is pulled the stored data in the IGIM driver is deleted.

Keep in mind there are two (2) limitations if one is going to utilize one (1) of the three (3) "with Changes" Identity Collectors:

#1: You can not merge Identities. You must utilize "Publish without merging". If you need to merge your Identity Sources then these Collectors can not be utilized.

#2: There can only be one (1) of these collectors utilized. For example, you can utilize both the IDM with Changes and the AD with Changes Identity Collectors. Only one (1) can be utilized.

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Micro Focus Frequent Contributor

Thank you both for your comments

So the only way to supplement my identity (in IdGov) with additional information from another object (for example a catalog of other objects of the same Identity Source) would be to configure the merge with another collector, although these objects are not technically considered an identity?

0 Likes
Micro Focus Expert

Greetings,
Overall, I still do not understand your use case on why you want/believe you need to add this other data from a different object onto your Identities. Can you please explain?

As I outlined above, if you are utilizing one (1) of three (3) "with Changes" Identity Collectors, then you can not merge. However, you can Curate. If you want the attributes/data to be a part of the Identity then you can either Manually Change (Manual Curate) or Bulk Change (Bulk Curate). Here is the link for Bulk Update: https://www.netiq.com/documentation/identity-governance-36/user-guide/data/b1i94lyt.html
 
With this approach,
- You would most likely create "X" number of custom attributes on the entity (user, account, permission) and mark that they can be changed
- Next, you would follow the steps to enable Bulk Update
- Then click on the Bulk update option in the correct Collector area, create the CSV template outlining the attribute(s) that will be changed and the attribute(s) that will be utilized to match on an existing entity (user, account, permission)
- This will generate a csv file in the out folder
- Make a copy and store it somewhere safe
- Update the csv file with the necessary changes and save it in the "in" folder
- You will then see the changes on the Identities in the Catalog
 
**NOTE: From the doc: "Any attribute that you edit will be persisted through subsequent collection and publication, even if the original value for the attribute changes."
 
This means that if you curate a value on an entity (User, Permission, Account) and later collect a value, the curated value will be what you see in the Catalog, until you tell ID Gov to reset to the collected value. This is a key point and I wanted to highlight it.
 
 
Before you go down the road of either Merging Identity sources or utilizing Bulk Update, please explain your use case and what you are trying to accomplish.
 
 
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Micro Focus Frequent Contributor

Hi Steven

First of all, thank you for your clarifications and comments.

The use case that I have tried to explain above is the following: I need information related to my users to be displayed in the access reviews; the attributes reside in other objects that are referenced in the IdM users.

[Image: review-display-1.png]

For example, users refer to another type of object through the custObjDn attribute.

dn: cn=tz057d,ou=users,o=data
sn: Owens
givenName: Elizabeth
custObjDn: cn=obj1,ou=test,o=data
...

Where cn=obj1,ou=test,o=data has:
dn: cn=obj1,ou=test,o=data
description1 = ABC
description2 = 123
...
These objects have the attributes (description1, description2) which are what I need to show in the reviews. Let's say these objects are some kind of catalog or something like that.

Obviously one of the possible solutions to this use case could be copying the attribute values to my IdM users through a service driver (Null Service) and "naturally" doing the mapping in my collector. But I would like to see if there is any way to get such information in the collector configuration.

These values are very dynamic, so this information could not be configured manually or in bulk through the process you mentioned above.

Currently my Identity Data Source is of type "Identity Manager Identity Collector".

0 Likes
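The DN dereference discussed in this thread, as an added example that is not part of any post and uses no Identity Manager or Identity Governance API: it joins each user to the object named in its reference attribute and copies the referenced attributes onto a flat user record, flagging references that do not resolve. The sample entries are constructed from the thread's example; the function names, the `refResolved` field and the simplified DN normalization are assumptions.

```python
# Constructed sample entries mirroring the thread's example (not real data).
ENTRIES = [
    {"dn": "cn=tz057d,ou=users,o=data", "sn": "Owens", "givenName": "Elizabeth",
     "custObjDn": "cn = obj1, ou = test, o = data"},
    {"dn": "cn=user2,ou=users,o=data", "sn": "Doe",
     "custObjDn": "cn=missing,ou=test,o=data"},  # dangling reference
    {"dn": "CN=obj1,OU=test,O=data", "description1": "ABC", "description2": "123"},
]


def normalize_dn(dn):
    """Simplified DN normalization (assumption): lowercase and trim whitespace
    around '=' and ','. Escaped commas and multi-valued RDNs are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def enrich_users(entries, user_base="ou=users,o=data", ref_attr="custObjDn",
                 copy_attrs=("description1", "description2")):
    """Return one flat record per user with the referenced object's attributes
    copied in. Unresolved or absent references yield empty values and
    refResolved=False, so a review never shows another object's data."""
    index = {normalize_dn(e["dn"]): e for e in entries}
    suffix = "," + normalize_dn(user_base)
    rows = []
    for entry in entries:
        if not normalize_dn(entry["dn"]).endswith(suffix):
            continue  # catalog object, not an identity
        ref = entry.get(ref_attr)
        target = index.get(normalize_dn(ref)) if ref else None
        row = dict(entry)
        for attr in copy_attrs:
            row[attr] = target.get(attr, "") if target else ""
        row["refResolved"] = target is not None
        rows.append(row)
    return rows


if __name__ == "__main__":
    for record in enrich_users(ENTRIES):
        print(record["dn"], record["description1"], record["refResolved"])
```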