msira Respected Contributor.

Identity Collector: Merge Behaviour

Hi,

We want to merge identities created from two collectors. But only one of them should create identities. The other would only complement some attributes.

The use case is the following: We collect Identities from Payroll in Identity Collector A. Collector A collects information about Employees, actual human beings. Then we have Identity Collector B which collects from Active Directory. It is not possible with an LDAP filter to filter employees from service accounts, so Collector B would collect Employees, Terminated Employees (orphan accounts) and Service Accounts. We do not want this. What we want is for collector B to supplement information from collector A, namely the DN.

Is this possible?

I'm on IG 3.5.
9 Replies
Knowledge Partner

Re: Identity Collector: Merge Behaviour

On 1/28/2019 8:24 AM, msira wrote:
>
> Hi,
>
> We want to merge identities created from two collectors. But only one of
> them should create identities. The other would only complement some
> attributes.
>
> The use case is the following: We collect Identities from Payroll in
> Identity Collector A. Collector A collects information about Employees,
> actual human beings. Then we have Identity Collector B which collects
> from Active Directory. It is not possible with an LDAP filter to filter
> employees from service accounts, so Collector B would collect Employees,
> Terminated Employees (orphan accounts) and Service Accounts. We do not
> want this. What we want is for collector B to supplement information
> from collector A, namely the DN.


Isn't this what the Merge criteria is for? You identify attributes
that would be in common to merge, and those that match, merge, those
that do not match, create another identity?

msira Respected Contributor.

Re: Identity Collector: Merge Behaviour

You're right. Perhaps I wasn't clear enough or perhaps my broken English got in the way. I do not want to create another identity for those that do not match.

Let me exemplify. I get users from HR. I get the same users from AD but I also get service accounts and even terminated users from the same AD. Obviously I don't want a terminated user or a service account to be construed as an Identity, if anything it should be detected as an orphan account.

I could filter some of those accounts with an LDAP filter. But not all of them.

What I've seen in other Governance tools is a checkbox that reads 'This collector does not create Identities' or something to that effect. That's what I want. A collector that supplements missing information about an existing identity.
msira Respected Contributor.

Re: Identity Collector: Merge Behaviour

Well, this is the solution I came up with. I don't like it, but as far as I can see, it's the only way to merge attributes without creating Identities.

1) Query the igops database with the following query.
SELECT USER_ID FROM SUSER_ALL_V WHERE effective=TRUE AND deleted=FALSE;
2) With the results of the previous sql query, query the AD and get the DN.
3) Export the returning DNs to a CSV File and consume it as an identity in IG.

A tad too convoluted for my taste but it might help someone in my situation.
Anonymous_User Absent Member.

Re: Identity Collector: Merge Behaviour

msira <msira@no-mx.forums.microfocus.com> wrote:
>
> Well, this is the solution I came up with. I don't like it, but as far
> as I can see, it's the only way to merge attributes without creating
> Identities.
>
> 1) Query the igops database with the following query.
> SELECT USER_ID FROM SUSER_ALL_V WHERE effective=TRUE AND deleted=FALSE;
> 2) With the results of the previous sql query, query the AD and get the DN.
> 3) Export the returning DNs to a CSV File and consume it as an identity in IG.
>
> A tad too convoluted for my taste but it might help someone in my situation.




Hi!

Out of curiosity, what do you need the DN for? If it is for IG
authentication, then there are other ways to solve it, as I understand. I.e.
using an attribute from HR to search for users in AD using a matching
attribute.

https://www.netiq.com/documentation/identity-governance-35/admin-guide/data/b1i9kbk2.html

Just a thought.

--
Best regards
Marcus
msira Respected Contributor.

Re: Identity Collector: Merge Behaviour

Marcus;2494646 wrote:
> Hi!
>
> Out of curiosity, what do you need the DN for? If it is for IG
> authentication, then there are other ways to solve it, as I understand. I.e.
> using an attribute from HR to search for users in AD using a matching
> attribute.
>
> https://www.netiq.com/documentation/identity-governance-35/admin-guide/data/b1i9kbk2.html
>
> Just a thought.
>
> --
> Best regards
> Marcus

Yes, we can authenticate without collecting any AD data. That's not the problem.

I want to collect the DN so I can better assign accounts to identities. We have in our AD some accounts that belong to contractors, and contractors don't get an identity in HR, only employees do. But contractors have an AD account. And in said account they have a manager with a DN that points to an employee. We want to collect the DN so that we can link contractors' accounts to an internal employee.

Once again


Accounts:
AD:: Contractor: manager --> AD::employee: DN

Identities:
HR:: employee ??? AD:: Employee: DN
Micro Focus Expert

Re: Identity Collector: Merge Behaviour

On 1/31/19 2:54 PM, msira wrote:
>
> Marcus;2494646 Wrote:
>>
>> Hi!
>>
>> Out of curiosity, what do you need the DN for? If it is for IG
>> authentication, then there are other ways to solve it, as I understand.
>> Ie
>> using an attribute from HR to search for users in AD using a matching
>> attribute.
>>
>> https://www.netiq.com/documentation/identity-governance-35/admin-guide/data/b1i9kbk2.html
>>
>> Just a thought.
>>
>> --
>> Best regards
>> Marcus

>
>
> Yes, we can authenticate without collecting any AD data. That's not the
> problem.
>
> I want to collect the DN so I can better assign accounts to identities.
> We have in our AD some accounts that belong to contractors and
> contractors don't get an identity in HR, only employees do. But
> contractors have an AD account. And in said account they have a manager
> with a DN that points to an employee. We want to collect the DN so that
> we can link contractors' accounts to an internal employee.
>
> Once again
>
>
> Accounts:
> AD:: Contractor: manager --> AD::employee: DN
>
> Identities:
> HR:: employee ??? AD:: Employee: DN
>
>

Greetings,
Is there an attribute on the "identities" you do not want? If
there is, then you can utilize some input transformation code where you
can have us "throw away" the record and not save it. This is controlled
by utilizing "DELETE_OBJECT".

This functionality is outlined in the Technical Reference "Collected
Data Transformations" with a couple of examples.

**Note Technical References are fully supported unlike Cool Solutions**

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
msira Respected Contributor.

Re: Identity Collector: Merge Behaviour

> Greetings,
> Is there an attribute on the "identities" you do not want? If
> there is, then you can utilize some input transformation code where you
> can have us "throw away" the record and not save it. This is controlled
> by utilizing "DELETE_OBJECT".

At first I thought that if it were so easy I would have used an LDAP Filter. But then I realized that
handling filters in javascript was a lot more flexible than an LDAP Expression. But still, I couldn't
filter as many unwanted accounts as I wanted.

Then I thought of a hack, an ugly one at that. But one that would allow me to do without a powershell
script. I tried this:

1) Call the OAUTH server and get an authentication token.
2) With the token make a GET Request and get every user's employeeID and put them into an array (employeeID is the attribute that I use to match an AD account).
3) If the collected AD.employeeID is in the array, let the operation pass. If not: outputValue = DELETE_OBJECT.

1) and 2) worked, after much testing, in the browser. But alas, when I tried to put the code
(here it is if anyone is curious https://gitlab.com/snippets/1809782 ) in a transformation script, it failed.

I then realized that the javascript engine of IG is probably nashorn or even rhino.

I'm pretty much giving up on this approach, but I thought I'd share it in case anyone feels inclined to
go down the rabbit hole.
Knowledge Partner

Re: Identity Collector: Merge Behaviour

> At first I thought that if it were so easy I would have used an LDAP
> Filter. But then I realized that
> handling filters in javascript was a lot more flexible than an LDAP
> Expression. But still, I couldn't
> filter as many unwanted accounts as I wanted.
>
> Then I thought of a hack, an ugly one at that. But one that would allow
> me to do without a powershell
> script. I tried this:
>
> 1) Call the OAUTH server and get an authentication token.
> 2) With the token make a GET Request and get every user's employeeID and
> put them into an array (employeeID is the attribute that I use to match
> an AD account).
> 3) If the collected AD.employeeID is in the array, let the operation
> pass. If not: outputValue = DELETE_OBJECT.



The problem here beyond the obvious stuff is that every single
row/entry is probably going to fire this code. So to import 10,000 users
you are going to call it 10,000 times. That seems like a bad plan and
likely to kill memory as you load and reload the user list every time.

> 1) and 2) worked, after much testing, in the browser. But alas, when I
> tried to put the code
> (here it is if anyone is curious https://gitlab.com/snippets/1809782 )
> in a transformation script, it failed.
>
> I then realized that the javascript engine of IG is probably nashorn or
> even rhino.
>
> I'm pretty much giving up on this approach, but I thought I'd share it in
> case anyone feels inclined to
> go down the rabbit hole.
>
>


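The filtering idea from msira's steps 1) to 3), with the per-row cost raised in the reply above addressed by fetching the HR employeeID list once per run and caching it. This is an added example, not msira's snippet, IG's own transformation API or Micro Focus code: DELETE_OBJECT is a local stand-in sentinel, the HR list comes from a loader callback rather than an OAuth-protected GET, and the sample records are constructed.

```javascript
// Added example, not msira's snippet nor IG's API. DELETE_OBJECT is a local
// stand-in sentinel and the HR list comes from a loader callback (assumptions).
var DELETE_OBJECT = { marker: "DELETE_OBJECT" };
var allowedEmployeeIds = null; // cache shared by every record in one run
var loaderCalls = 0;           // how often the HR list was actually fetched

// Build the allow-list once; later records reuse the cached object.
function loadAllowedEmployeeIds(loader) {
  if (allowedEmployeeIds === null) {
    var ids = loader();
    loaderCalls += 1;
    allowedEmployeeIds = {};
    for (var i = 0; i < ids.length; i++) {
      allowedEmployeeIds[String(ids[i]).trim()] = true;
    }
  }
  return allowedEmployeeIds;
}

// Per-record decision: keep AD accounts whose employeeID HR knows; drop
// service accounts (no employeeID) and terminated users (unknown ID).
function filterAccount(record, loader) {
  var allowed = loadAllowedEmployeeIds(loader);
  var raw = record.employeeID;
  var id = (raw === undefined || raw === null) ? "" : String(raw).trim();
  return (id === "" || !allowed.hasOwnProperty(id)) ? DELETE_OBJECT : record;
}

// Run the filter over one collection batch and return the surviving DNs.
function runCollector(records, loader) {
  allowedEmployeeIds = null; // fresh cache per run, fetched at most once
  loaderCalls = 0;
  var kept = [];
  for (var i = 0; i < records.length; i++) {
    var out = filterAccount(records[i], loader);
    if (out !== DELETE_OBJECT) { kept.push(out.dn); }
  }
  return kept;
}
// Constructed sample data: two HR employees, four AD accounts.
var hrEmployeeIds = ["1001", "1002"];
function hrLoader() { return hrEmployeeIds; }
var adRecords = [
  { dn: "CN=Alice,OU=Staff,DC=example,DC=com", employeeID: "1001" },
  { dn: "CN=svc-backup,OU=Service,DC=example,DC=com" },
  { dn: "CN=Bob,OU=Staff,DC=example,DC=com", employeeID: " 1002 " },
  { dn: "CN=Carol,OU=Leavers,DC=example,DC=com", employeeID: "2001" }
];
function loaderCallCount() { return loaderCalls; }
```

In an IG script the loader would be the token-plus-GET step and the cache would have to live somewhere that survives across records; the point shown here is that four records cost one fetch, not four.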
msira Respected Contributor.

Re: Identity Collector: Merge Behaviour

I know it isn't optimal. But still, had it worked server-side I would have tried to optimize
the code. Perhaps filtering accounts beforehand and only resorting to the GET requests when
every other possibility had failed. And of course, running the collector with the script much
less often than other collectors.

But anyways, I'm back to the powershell script. It works, as far as I have tested it. Here is the
source in case anyone is interested: https://gitlab.com/snippets/1809902