Respected Contributor.

eDirectory fulfillment

I am trying to configure eDirectory fulfillment. I am not finding much documentation on this. I am not sure how to configure the fulfillment payload. How should I map values in IG to the values in eDirectory? I would really appreciate it if somebody could provide an example script to configure this and the steps involved.

Thanks. 

10 Replies

Micro Focus Expert

Re: eDirectory fulfillment

Greetings,
If you are collecting Accounts from eDirectory within your eDirectory Application source (eDirectory Permissions and Accounts both being collected) and the Permissions are Groups, then the Fulfillment works without any modifications. There was a discussion about the AD Fulfillment here not too long ago, and the same concepts apply here as they did there.

What is your use case / configuration?

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Micro Focus Expert

Re: eDirectory fulfillment

Greetings,
Note, if you are going to create/modify accounts, then it is necessary to modify the input transformation script that is created by default.


Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Respected Contributor.

Re: eDirectory fulfillment

Thanks for your response, Steve. The following is my use case.

I am collecting accounts and permissions from an application (not eDirectory), say APP-1. Our eDirectory has this permission as well, which is set as a flag. Now I want to update the permission in eDirectory according to the collected permission for APP-1 for all users.

Thanks.

Micro Focus Expert

Re: eDirectory fulfillment

Greetings,
Just to confirm:

1) You are not collecting the eDirectory Account or Permission

2) You are collecting the "permission" from a different Application Source (for example JDBC or CSV)

3) The permission in #2 is represented in eDirectory "somehow"

4) You want to update Permission & Account in eDirectory based upon the change that happens within ID Gov
4.a) Add/Grant if using Business Roles or Access Request
4.b) Remove/Revoke if using Business Roles, Review, or Access Request

Questions:

A) Is the permission a "Group" in eDirectory or some other object, OR is it just a property on the Account/User in eDirectory?

B) Do you collect within ID Gov the full DN of the Permission and Account as they would be in eDirectory?

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Respected Contributor.

Re: eDirectory fulfillment

Please see my responses below each point.

1) You are not collecting the eDirectory Account or Permission
From eDirectory, I am just collecting the identities, not accounts and permissions.

2) You are collecting the "permission" from a different Application Source (for example JDBC or CSV)
Yes, I am collecting permissions from a different application source (CSV).

3) The permission in #2 is represented in eDirectory "somehow"
The permission in #2 is represented in eDirectory as an attribute.

4) You want to update Permission & Account in eDirectory based upon the change that happens within ID Gov
Yes, I want to update the value of the permission attribute in eDirectory according to the value of the collected permission from the application for the collected accounts.

4.a) Add/Grant if using Business Roles or Access Request
4.b) Remove/Revoke if using Business Roles, Review, or Access Request

Questions:

A) Is the permission a "Group" in eDirectory or some other object, OR is it just a property on the Account/User in eDirectory?
The permission in eDirectory is defined as an attribute (user attribute).

B) Do you collect within ID Gov the full DN of the Permission and Account as they would be in eDirectory?
Yes, I collect the full DN of the account and permission.

Thanks.

Knowledge Partner

Re: eDirectory fulfillment

I would rephrase this as a similar issue I have had.

It would be great to fulfill in eDir or AD an attribute with a value, or remove a value.

While the collection may be from one source (CSV in the OP's example), the fulfillment might be an attribute value in eDir.

Right now it seems like the eDir Fulfiller is designed to manage group permissions and Accounts (possibly delete? Unclear to me on that one). It would be very useful to manage attribute data via the fulfiller.

Or another way of looking at it: you can define IDG Roles based on attribute data (Identity only? Or also account?), and if you add/remove the Role, can a fulfiller modify that attribute? (I do not think so.)

Micro Focus Expert

Re: eDirectory fulfillment

Greetings,

1) Please keep in mind that a change request (grant or revoke) will not be marked "verified" until the necessary change is seen (via a collect and publish) from the Application Source where the permission originated. So, in what is being outlined here (to this point), where the permission is coming from source "X" but the fulfillment is to be done in AD (or eDir), there is still a disconnect related to the verification. There will not be a change request sent/made in source "X" from ID Gov with what is being outlined here. One will also need to manually make the necessary changes in source "X".

2) "I want to update the value of permission attribute in eDirectory according to the value of collected permission from application for the collected accounts"

That is not how ID Gov fulfillment works. We do not look at incoming/changing values that have been collected from a source and then push changes to another system.

Below, I will outline in general terms how three (3) different areas within ID Gov function as they relate to change requests/fulfillment:

a) In a Review, it is determined that Permission(s) should be removed from a user/account. The change request / fulfillment that will be generated will be for removal of the permission(s) from the account/user.

b) In Access Request:
b.1) A user browses the permissions they can see and requests access to one. The change request / fulfillment that will be generated will be for grant of the permission to the account/user.
b.2) A user browses the permissions that ID Gov is aware of that are assigned to them and requests that a permission be removed. The change request / fulfillment that will be generated will be for revoke of the permission from the account/user.

c) A Business Role:
c.1) Based upon the membership criteria, a new user is added to the BR and, upon evaluation of the permissions held by the User and the authorizations of the BR, a change request / fulfillment will be generated for granting of the permission(s) to the account/user.
c.2) Based upon the membership criteria, a user is removed from the BR and, upon evaluation of the permissions held by the User and the authorizations of the BR, a change request / fulfillment will be generated for revoking the permission(s) from the account/user.

Where the fulfillment happens is fully based upon the mapping that one creates in Fulfillment -> Configuration -> Application set-up. It is possible with most of the fulfillment configurations (except for Manual, IDM Automatic, and IDM Workflow) to add transformation scripts.

However, ID Gov will not create a change request / fulfillment based upon the value of the permission. The change request / fulfillment is based upon the patterns that I have outlined above.

Please understand that the functionality of ID Gov is different than that of the IDM Engine.

Does the above help to explain the current functionality? If not, I believe it would be best that you open a Service Request with Support so that you and I can have a discussion.

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: eDirectory fulfillment

Steve, that is a very helpful description of how IDG works.

What I think the disconnect is, is specific to eDirectory or AD. What if the permission is based on an attribute instead of on Group membership?

Or put another way, permissions in eDir can be:

Group (for identities)
Permission - eDir Group
Entitlements - IDM Collector for accounts

But it would be useful to have attributes as permissions, and then be able to fulfill values of that attribute.

Micro Focus Expert

Re: eDirectory fulfillment

Greetings,
At this time we have a requirement that a "permission" in terms of eDirectory or Active Directory can be queried. Generally, this is defined as an objectClass of "X", for example: (objectClass=group) or (objectClass=computer)

For aspects like IDM Permissions (for example Roles and Resources), it is best to utilize the IDM Permission collector as compared to the eDirectory Permission Collector.

Again, it would be best to open a Service Request so that we can have a discussion on this.

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Respected Contributor.

Re: eDirectory fulfillment

Thanks for the explanation, Steve. I will open a service request.