Knowledge Partner
Knowledge Partner
144 views

Fullflillment Change Request Types...

So looking in the AD Fullfillment target I see 16 target actions:

Remove Permission Assignment
Add permission to user
Remove permission from account
Give User Access to Application
Add technical role to user
Assign User to Account
Certification Policy Violation
Account Data Policy Violation
Permission Data Policy Violation
User Data Policy Violation
Modify Account
Modify Account Assignment
Modify Permission Assignment
Remove account
Remove user from account
Remove User Access to Application

In the docs, I see that there are only 12 mentioned and as usual, not
defined:

REMOVE_ACCOUNT_PERMISSION
ADD_USER_TO_ACCOUNT
REMOVE_PERMISSION_ASSIGNMENT
REMOVE_ACCOUNT_ASSIGNMENT
REMOVE_ACCOUNT
ADD_PERMISSION_TO_USER
ADD_APPLICATION_TO_USER
ADD_TECH_ROLE_TO_USER
MODIFY_PERMISSION_ASSIGNMENT
MODIFY_ACCOUNT_ASSIGNMENT
MODIFY_ACCOUNT
REMOVE_APPLICATION_FROM_USER

The 4 missing seem to be:
Certification Policy Violation
Account Data Policy Violation
Permission Data Policy Violation
User Data Policy Violation

How does one 'fullfill' a violation?


Further what is the difference between the various 'Remove' options:

Remove account
Remove user from account
Remove Permission Assignment
Remove permission from account
Remove User Access to Application

Remove account I read as, delete the account entry? But what does that
look like in the target system? Delete User object?

Remove user from account reads like unlink the Identity->Account
mapping. (How would you enact that, generically, since I link by CN so
breaking that linkage seems like renaming?)

Remove Permission Assignment, Remove Permission from Account, how do
these differ?
Is this sort of the the Group example? Remove Permission Assignment
means remove Member from Group. Remove Permission from Account is
remove MemberOf from the user?


Remove User Access to Application? What does this imply?

Now on to the modify case:

Modify Account
Modify Account Assignment
Modify Permission Assignment

I guess Modify Account would allow changing attribute data, which makes
sense.

Modify Account Assignment, would be great to link accounts, but is this
a DB side action, or is this a change in the data that links the
Identity to the Account?

Modify Permission Assignment how does this differ from Add Permission to
User?

I get the overall tenor of the approach without getting the subtleties
of how it works.

Worse, how do I know which actions I need in my fullfiller, without
understanding what the actions 'do'? The theory of fullfillment needs
to meet the real world with some action it takes.

Seems like we would need each Fullfiller to define what they do in each
case, else it seems hard to use it...
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.