2015-01-26
21:54
Block password sync on select user objects
Is there a way to allow password sync on an Active Directory driver but
block password sync for a few select accounts on this driver? We would
want to allow other attributes for the select accounts to flow across
the driver.
--
tltittle
------------------------------------------------------------------------
tltittle's Profile: https://forums.netiq.com/member.php?userid=2739
View this thread: https://forums.netiq.com/showthread.php?t=52662
4 Replies


Knowledge Partner
2015-01-26
22:07
tltittle wrote:
> Is there a way to allow password sync on an Active Directory driver but
> block password sync for a few select accounts on this driver? We would
> want to allow other attributes for the select accounts to flow across
> the driver.
Sure there is; it depends on which direction (or both) you want to not sync
passwords. To block PW sync on the Subscriber channel, add an Output Transformation
rule that vetoes modify-password operations for those users. To prevent
password publishing to the ID Vault, strip the attribute nspmDistributionPassword
off the current operation in the very last Publisher Command Transformation rule (after
the NetIQ Password Handling policies).
______________________________________________
https://www.is4it.de/identity-access-management
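The Subscriber-side variant described in the reply above (veto the modify-password operation in the Output Transformation so that only the password is dropped and every other attribute change still flows to AD), written out as a DirXML-Script policy. This is an added example, not code from the thread or from the NetIQ AD driver packages. It assumes the accounts to exclude live under one IDVault container, \IDV\data\users\no-pwd-sync (placeholder; substitute your own tree and container, or replace the if-src-dn condition with whatever marks your excluded users):

```xml
<!-- Added example, not from the original thread.
     Place in the Subscriber channel Output Transformation policy set of the AD driver.
     \IDV\data\users\no-pwd-sync is an assumed placeholder container. -->
<policy>

  <!-- Rule 1: a password change for a user under the excluded container is vetoed.
       Only the modify-password operation is dropped; separate modify operations
       carrying other attributes for the same user are untouched. -->
  <rule>
    <description>Veto password sync to AD for excluded container</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">modify-password</if-operation>
        <!-- src-dn on the Subscriber channel is the IDVault DN in slash format -->
        <if-src-dn op="in-subtree">\IDV\data\users\no-pwd-sync</if-src-dn>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">Vetoing password sync to AD for </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <do-veto/>
    </actions>
  </rule>

  <!-- Rule 2: an add event for such a user can carry the initial password in a
       <password> element. Stripping that element keeps the first password from
       reaching AD as well; the rest of the add (object creation, attributes) proceeds. -->
  <rule>
    <description>Strip initial password on add for excluded container</description>
    <conditions>
      <and>
        <if-operation mode="case" op="equal">add</if-operation>
        <if-src-dn op="in-subtree">\IDV\data\users\no-pwd-sync</if-src-dn>
        <!-- only act when the add actually carries a password element -->
        <if-xpath op="true">password</if-xpath>
      </and>
    </conditions>
    <actions>
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">Stripping initial password on add for </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <do-strip-xpath expression="password"/>
    </actions>
  </rule>

</policy>
```

Two things to check before relying on this. First, the Output Transformation runs after Schema Mapping, so if you key the condition off an IDVault attribute instead of the DN (as the later reply in this thread recommends), the attribute name in that policy is the application-side name, not the eDirectory one; the DN-based condition above sidesteps that. Second, watch how your driver's create policy handles an add that arrives without a password after rule 2 strips it, and confirm in a level 3 trace that the veto fires only for the intended users.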
2015-01-26
22:24
Can it be blocked based on group membership, or would each account
need to be specified, or an OU?
--
tltittle
------------------------------------------------------------------------
tltittle's Profile: https://forums.netiq.com/member.php?userid=2739
View this thread: https://forums.netiq.com/showthread.php?t=52662
2015-01-27
08:44
tltittle wrote:
> Can it be blocked based on group membership, or would each account
> need to be specified, or an OU?
Group membership in AD or IDVault?
If IDVault, I would use something else (an attribute, a role, or an entitlement) in the IDVault rather than group membership.
If AD groups, of course you can query a user's direct membership in a specified group, but I would suggest you push for an IDV attribute/role/etc. instead (cleaner design).
2015-01-28
15:30
On Mon, 26 Jan 2015 22:24:01 +0000, tltittle wrote:
> Can it be blocked based on group membership, or would each account
> need to be specified, or an OU?
IDM doesn't have a simple "if member of..." token, but yes, you can do
this. Something like:
<rule>
  <description>Password Sync Filter</description>
  <conditions>
    <or>
      <!-- fire only on password-change events -->
      <if-operation mode="case" op="equal">modify-password</if-operation>
    </or>
  </conditions>
  <actions>
    <!-- read the user's Group Membership values from the source object into a node set -->
    <do-set-local-variable name="Groups" scope="policy">
      <arg-node-set>
        <token-src-attr name="Group Membership"/>
      </arg-node-set>
    </do-set-local-variable>
    <do-if>
      <arg-conditions>
        <and>
          <!-- true if any membership value contains the no-sync group's DN (placeholder path) -->
          <if-xpath op="true">$Groups[contains(.,'Path\To\Groups\No-Password-Sync-Group')]</if-xpath>
        </and>
      </arg-conditions>
      <arg-actions>
        <do-trace-message>
          <arg-string>
            <token-text xml:space="preserve">Blocking password synchronization for </token-text>
            <token-src-name/>
            <token-text xml:space="preserve"> due to Group Membership.</token-text>
          </arg-string>
        </do-trace-message>
        <!-- drop the distribution password from the operation so it is not written -->
        <do-strip-op-attr name="nspmDistributionPassword"/>
      </arg-actions>
      <!-- empty else branch: users outside the group keep their password in the operation -->
      <arg-actions/>
    </do-if>
  </actions>
</rule>
would do the job. You'll need to test this, and probably modify it
slightly, but it should get you close.
--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com
Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.