sjoerdk Super Contributor.

Multiple applications in one AD

Currently we have a situation in which we have multiple applications (100+) using the same Active Directory as permission source. Application A is using ou=A as permission root (groups) and application B is using ou=B in AD etc. Our identities are collected from IDM with DirXML-ADContext as one of the attributes. Every IDM account is automatically provisioned to AD using the IDM AD driver so every Identity will have the AD context attribute. IGA does not need to create accounts in AD.

Because we want to be able to offer users a comprehensive request catalog, we define the applications separately to have the applications available as separate tiles on the request page. So we have multiple Application data sources pointing to the same AD (with the different permission OUs as permission collectors). Point is: to be able to use the best practice 'Identity -> Account -> permission' way of working, we need to add the account collector to every AD Data source, which is in fact pointing to just one AD account per user. This causes the catalog to become kinda overloaded with 100+ 'accounts' linked to the identities.

We are therefore considering configuring IGA to only have the permission collectors in the different application data sources, linking the permissions directly to the User ID from source (hence the Identity) and not the Account ID from source. Point is: in this situation IGA does not know the actual account ID because we do not collect the accounts. Therefore IGA does not know how to provision the permission.

What we want to do is use the DirXML-ADContext from IDM on the Identity to add permissions via AD fulfillment, but I do not know:
- If this is supported at all. There is no option for this and adding a permission causes IGA to try and add a new user account to add the permission to
- If this is supported... how to configure it

Does someone know how to configure this?
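An added illustration, not part of this thread or of any Micro Focus product: resolving each identity's per-application permissions purely through its DirXML-ADContext, with a check that the context actually matches an existing AD account before any fulfillment is attempted. All OU, group and user DNs are constructed sample data; a real run would read the same entries from AD over LDAP.

```python
"""Resolve per-application AD permissions via DirXML-ADContext (constructed sample data)."""
from collections import defaultdict

# Application -> permission root OU, as in the thread (names are constructed).
APP_PERMISSION_ROOTS = {"App A": "ou=A,dc=example,dc=com", "App B": "ou=B,dc=example,dc=com"}

# Constructed IDM identities: user ID -> DirXML-ADContext; asmith's DN differs only in case.
IDENTITIES = {
    "jdoe": "cn=jdoe,ou=Users,dc=example,dc=com",
    "asmith": "CN=asmith,OU=Users,DC=example,DC=com",
    "stale": "cn=stale,ou=Users,dc=example,dc=com",  # no AD account behind it
}

# Constructed AD accounts (else collected by an account collector) and groups (DN -> members).
AD_ACCOUNTS = {"cn=jdoe,ou=Users,dc=example,dc=com", "cn=asmith,ou=Users,dc=example,dc=com"}
AD_GROUPS = {
    "cn=A-Readers,ou=A,dc=example,dc=com": {"cn=jdoe,ou=Users,dc=example,dc=com"},
    "cn=A-Admins,ou=A,dc=example,dc=com": {"cn=asmith,ou=Users,dc=example,dc=com"},
    "cn=B-Users,ou=B,dc=example,dc=com": {"cn=jdoe,ou=Users,dc=example,dc=com",
                                         "cn=asmith,ou=Users,dc=example,dc=com"},
    "cn=Misc,ou=Other,dc=example,dc=com": {"cn=jdoe,ou=Users,dc=example,dc=com"},  # no app root
}

def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs written with different case compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def application_for(group_dn):
    """Return the application whose permission root contains group_dn, else None."""
    for app, root in APP_PERMISSION_ROOTS.items():
        if normalize_dn(group_dn).endswith("," + normalize_dn(root)):
            return app
    return None

def resolve_permissions(identities, ad_accounts, ad_groups):
    """Return ({user ID: {app: [group CNs]}}, [user IDs whose context matches no account])."""
    accounts = {normalize_dn(a) for a in ad_accounts}
    perms = defaultdict(lambda: defaultdict(list))
    unresolved = []
    for user_id, context in identities.items():
        account = normalize_dn(context)
        if account not in accounts:          # fulfillment would have nothing to attach to
            unresolved.append(user_id)
            continue
        for group_dn, members in ad_groups.items():
            app = application_for(group_dn)  # groups outside every application root are ignored
            if app and account in {normalize_dn(m) for m in members}:
                perms[user_id][app].append(group_dn.split(",")[0][3:])
    return {u: {a: sorted(g) for a, g in apps.items()} for u, apps in perms.items()}, unresolved
```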
sma2006 Outstanding Contributor.

Re: Multiple applications in one AD


I have also found this limitation when fulfilling AD permissions while AD is also used as the Identity Source (no account for AD).

But in your case, as IDM (eDir) is the identity source, I wonder why you don't use the Identity Manager Fulfillment with AD resources & entitlements?


sjoerdk Super Contributor.

Re: Multiple applications in one AD

Thanks for your suggestion. This would indeed be a workaround to try. Problem is that the current IDM environment is not suited for this way of working due to legacy/history reasons.

I will however try this in a lab to see if this is feasible for a nearby future.