fartyalvikram (Commodore)
2018-05-04 14:25
1126 views
Sync Users from AD to eDir on basis of AD Group Assignment
I want a user to be synced from AD to eDir only when the AD user is assigned to a particular AD group.
For example, I have one user (tuser01) and one group (idmgrp) inside AD.
I have configured the Active Directory driver, and user sync from AD to eDir is working fine. Now I want the user to be synced from AD to eDir only when the user (tuser01) is assigned to the group (idmgrp).
I am using Identity Manager 4.5.
12 Replies
Knowledge Partner
2018-05-04 16:29
On 5/4/2018 9:26 AM, fartyalvikram wrote:
>
> I want that, User is sync from AD to eDir only if when AD User is
> Assigned into an particular AD Group.
> For example, I have one user (tuser01) and one Group (idmgrp) inside
> AD.
> I have configured Active Directory Driver and User sync from AD to eDir
> is working fine. Now I want, that user will be sync from AD to eDir only
> when user (tuser01) is Assigned into Group (idmgrp).
>
> I am using Identity Manager 4.5.
If you are using Roles/Resources/Entitlements this is easy.
Define a Role for AD access. Assign it a Resource you define that has
an Entitlement assigned for the AD UserAccount Entitlement.
Then assign that Role to the Group.
Now only members of that group will sync to AD.
fartyalvikram (Commodore)
2018-05-04 18:57
No, I am not using "Roles/Resources/Entitlements" for this.
I just want to write one policy that can identify those users who are not members of the AD group (idmgrp), so I can veto those users at sync time from AD to eDir if and only if they have not been assigned to the AD group (idmgrp).
Knowledge Partner
2018-05-04 19:08
On 5/4/2018 2:04 PM, fartyalvikram wrote:
>
> No, I am not using "Roles/Resources/Entitlements" for this.
> I just want to write one policy which can validate those User which are
> not the member of AD group (idmgrp), so I can veto those user at the
> time of sync from AD to eDir if and only if they have not assigned into
> AD group (idmgrp).
If class=user
If source attribute Group Membership not equal to \TREE\o\ou\ou\cn then Veto
Note, the compare needs to include the leading slash and tree.
The step you are not likely aware of, is that Source Attribute, if you
compare a single value, and it returns a multi valued attribute then it
is true if ANY of the values match. And false if NONE of the values match.
But the way Designer's Simulator returns the value would be without the
tree, but the engine returns it with the tree.
fartyalvikram (Commodore)
2018-05-06 14:48
I have written the policy below inside the Input Transformation of the Publisher channel. Is that correct?
Here "ad-group-dn" is a GCV configured inside that driver; its value is the DN of the AD group 'idmgrp', "CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local".
<rule>
<description>Veto Users</description>
<conditions>
<and>
<if-class-name mode="nocase" op="equal">User</if-class-name>
<if-op-attr mode="nocase" name="Group Membership" op="not-equal">~ad-group-dn~</if-op-attr>
</and>
</conditions>
<actions>
<do-veto/>
</actions>
</rule>
ScorpionSting (Absent Member)
2018-05-06 23:14
You're using Operation Attribute, which is unlikely to be available during all operations. As per Geoff's suggestion, use Source Attribute. Don't forget that, this being the Input Transform, the attribute and class names are those of the application (AD) and not eDirectory, as the schema mapper has not been hit yet.
Visit my Website for links to Cool Solution articles.
Knowledge Partner
2018-05-06 23:37
On 5/6/2018 6:16 PM, ScorpionSting wrote:
>
> You're using Operation Attribute which is unlikely to be available
> during all operations. As per Geoff's suggestion, use Source Attribute.
> Don't forget, that being the Input Transform, the attribute and class
> names is that of the application (AD) and not eDirectory as the schema
> mapper has not been hit yet.
Ya, do NOT do this in the Input Transform.
Are you using a group in AD? To control creating in the IDV? I remember
reading it the other way.
I would do it in the Match policy of the proper channel. This way only a
non-associated user (Else it won't get into the Match) that is either an
add, or a modify converted to a synthetic add will be vetoed.
Or do it in the Sub-ETP and check for <sync>, <move>, <add>, or <modify>
events as well as class=user to block.
ScorpionSting (Absent Member)
2018-05-07 01:28
Wouldn't Creation be the appropriate one? Mind you, it depends on their naming standards and what already exists in the IDV....
Visit my Website for links to Cool Solution articles.
Knowledge Partner
2018-05-07 01:35
On 5/6/2018 8:34 PM, ScorpionSting wrote:
>
> Wouldn't Creation be the appropriate? Mind you, depends on their naming
> standards and what already exists in the IDV....
You would think, right? Except if a match is found, you would associate
them, and you probably do NOT want to do that if they are not 'supposed'
to have an account. (But then of course, they do have an account, so
why not match it?).
I guess it depends on your perspective of what "only members of the group
should have an account" means as to which place to do it.
ScorpionSting (Absent Member)
2018-05-07 01:37
Yeah, hence my condition on how they name their accounts and what already exists (i.e. created from HR then "matched" from AD, or not)
Visit my Website for links to Cool Solution articles.
fartyalvikram (Commodore)
2018-05-07 10:11
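Putting the replies above together (Source Attribute rather than Operation Attribute; a Publisher-channel policy that runs after Schema Mapping rather than the Input Transform; the engine's any-value semantics for a multi-valued compare), here is what the rule would look like as a Publisher Matching policy. This is an added example, not code from the thread or from the driver's default configuration. It assumes the GCV name ad-group-dn from the original post, that the driver's schema mapping maps AD memberOf to the eDirectory attribute Group Membership (the default AD driver mapping), and that the Source Attribute query returns the group's LDAP DN in the same form as the dn values in the driver log, so the GCV value can be compared directly.

```xml
<!-- Publisher channel, Matching policy. Schema Mapping has already run here,
     so the eDirectory attribute name (Group Membership) is used, not memberOf.
     Assumed: a driver GCV named ad-group-dn holding
     CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local (as in the original post). -->
<policy>
  <rule>
    <description>Veto users that are not members of the idmgrp AD group</description>
    <conditions>
      <and>
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- Source Attribute is queried from AD when it is not carried in the
             current operation. For a multi-valued attribute "equal" is true if
             ANY value matches, so "not-equal" is true only when NO value matches:
             the veto fires only for users with no membership in the group. -->
        <if-src-attr mode="nocase" name="Group Membership" op="not-equal">~ad-group-dn~</if-src-attr>
      </and>
    </conditions>
    <actions>
      <!-- Leave a trace line so vetoes are visible in the driver log. -->
      <do-trace-message level="1">
        <arg-string>
          <token-text xml:space="preserve">Vetoed, not a member of </token-text>
          <token-global-variable name="ad-group-dn"/>
          <token-text xml:space="preserve">: </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Because the Matching policy is only reached for objects that are not yet associated, this rule gates the add (or synthetic add) path only; it does nothing when an already-associated user is later removed from the group, and, as the later posts show, a change to the group's member list does not by itself produce a user event for this rule to act on.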
When a new user is created inside AD, I get the event below in the driver log.
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\IDM45\system\driverset1\Active Directory Driver" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<add class-name="user" event-id="Active Directory Driver##163391e0760##0" src-dn="CN=Test User14,CN=Users,CN=IDM,DC=DEMO,DC=local">
<association>f5fa402516649341913785835fb54d63</association>
<add-attr attr-name="accountExpires">
<value naming="false" type="string">9223372036854775807</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value type="state">false</value>
</add-attr>
<add-attr attr-name="displayName">
<value naming="false" type="string">Test User14</value>
</add-attr>
<add-attr attr-name="givenName">
<value naming="false" type="string">Test</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value naming="false" type="string">tuser14</value>
</add-attr>
<add-attr attr-name="sn">
<value naming="false" type="string">User14</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value naming="false" type="string">tuser14@DEMO.local</value>
</add-attr>
</add>
</input>
</nds>
I am able to veto when a new user does not have the group membership (idmgrp) inside AD. But when I add the group (idmgrp) to that user (Test User14), the user is not synced from AD to eDir.
When I add the group (idmgrp) to the user (Test User14) inside AD, the event below appears in the driver log.
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\IDM45\system\driverset1\Active Directory Driver1" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="group" event-id="0" src-dn="CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local">
<association>f99bd9ed9d737e4dbe251c6b274aed23</association>
<modify-attr attr-name="member">
<remove-all-values/>
<add-value>
<value association-ref="3b6bb6db730c5a4db1f7df0a578caad4" naming="false" type="dn">CN=Test User14,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="59ba771329a534488a60ce86ff19374c" naming="false" type="dn">CN=Test User10,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="392d4c4ef046d84f8a993db5164f6e2b" naming="false" type="dn">CN=Test User07,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="c037b315aaace14a86035161047d4cb8" naming="false" type="dn">CN=tmp1,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
When I remove the group (idmgrp) from the user (Test User14) inside AD, the event below appears in the driver log.
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\IDM45\system\driverset1\Active Directory Driver1" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="group" event-id="0" src-dn="CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local">
<association>f99bd9ed9d737e4dbe251c6b274aed23</association>
<modify-attr attr-name="member">
<remove-all-values/>
<add-value>
<value association-ref="59ba771329a534488a60ce86ff19374c" naming="false" type="dn">CN=Test User10,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="392d4c4ef046d84f8a993db5164f6e2b" naming="false" type="dn">CN=Test User07,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="c037b315aaace14a86035161047d4cb8" naming="false" type="dn">CN=tmp1,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
ScorpionSting (Absent Member)
2018-05-08 00:01
The "joys" of Active Directory.... When it comes to Group Membership, the link is only one way (i.e. the Group holds the link, not the user) unlike eDirectory that has referential DNs (i.e. both the Group and User reference each object).
So, you will need to work through checking Group Membership changes and taking appropriate action, or wait for another change to the user object itself (such as login time or password change) to trigger the user event after the Group modification...
Isn't AD fun?! 😉
Visit my Website for links to Cool Solution articles.
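As an added example (not from the thread), the script below works through the two group events the original poster logged. The AD driver reports a change to idmgrp as a modify on the group carrying remove-all-values followed by the complete member list, so the event alone does not say which user was added or removed; diffing the member list against the previously seen one gives the users that would need a user-level sync, which is the "checking Group Membership changes" step the reply above describes. The sample events are constructed from the logged ones, trimmed to the input part; matches_any models the any-value compare semantics the Knowledge Partner described earlier in the thread and is a model, not the engine's code.

```python
"""Find which users changed membership from an AD driver group modify event.

Added example, not from the thread. The driver sends <remove-all-values/>
plus the full member list, so the delta has to be computed by the reader of
the event, and no user event is generated for a group change.
"""
import xml.etree.ElementTree as ET

TARGET_GROUP = "CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local"

# Constructed samples: the two modify events from the driver log above,
# trimmed to <input>. Member values are kept exactly as logged.
EVENT_AFTER_ADD = """<nds dtdversion="2.2"><input>
<modify class-name="group" event-id="0" src-dn="CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local">
 <modify-attr attr-name="member">
  <remove-all-values/>
  <add-value>
   <value naming="false" type="dn">CN=Test User14,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
   <value naming="false" type="dn">CN=Test User10,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
   <value naming="false" type="dn">CN=Test User07,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
   <value naming="false" type="dn">CN=tmp1,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
  </add-value>
 </modify-attr>
</modify>
</input></nds>"""

EVENT_AFTER_REMOVE = """<nds dtdversion="2.2"><input>
<modify class-name="group" event-id="0" src-dn="CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local">
 <modify-attr attr-name="member">
  <remove-all-values/>
  <add-value>
   <value naming="false" type="dn">CN=Test User10,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
   <value naming="false" type="dn">CN=Test User07,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
   <value naming="false" type="dn">CN=tmp1,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
  </add-value>
 </modify-attr>
</modify>
</input></nds>"""


def dn_key(dn):
    """Normalise a DN for comparison; AD DNs are case-insensitive."""
    return dn.strip().lower()


def members_from_event(xml_text, group_dn=TARGET_GROUP):
    """Return {normalised_dn: dn} for the full member list carried by a
    group modify event for group_dn, or None if the event is not a
    full-list replace (remove-all-values plus add-value) for that group."""
    root = ET.fromstring(xml_text)
    for mod in root.iter("modify"):
        if mod.get("class-name", "").lower() != "group":
            continue
        if dn_key(mod.get("src-dn", "")) != dn_key(group_dn):
            continue
        for attr in mod.findall("modify-attr"):
            if attr.get("attr-name") != "member":
                continue
            if attr.find("remove-all-values") is None:
                return None  # a real add/remove delta would not need a diff
            return {dn_key(v.text): v.text.strip() for v in attr.iter("value")}
    return None


def membership_delta(previous, current):
    """Users added to and removed from the group between two member snapshots."""
    added = sorted(current[k] for k in current.keys() - previous.keys())
    removed = sorted(previous[k] for k in previous.keys() - current.keys())
    return added, removed


def matches_any(values, wanted):
    """Model of the engine's multi-valued compare: 'equal' is true if ANY
    value matches, so a 'not-equal' veto fires only when none matches."""
    return any(dn_key(v) == dn_key(wanted) for v in values)


def should_veto(user_group_dns, target_group=TARGET_GROUP):
    """Decision the Publisher rule makes for a user with these memberships."""
    return not matches_any(user_group_dns, target_group)


if __name__ == "__main__":
    # Chronologically the add event came first, then the remove event.
    snapshot_after_add = members_from_event(EVENT_AFTER_ADD)
    snapshot_after_remove = members_from_event(EVENT_AFTER_REMOVE)
    added, removed = membership_delta(snapshot_after_add, snapshot_after_remove)
    for dn in added:
        print("joined idmgrp, needs a user sync:", dn)
    for dn in removed:
        print("left idmgrp, needs a user sync:", dn)
```

The first event seen for the group has no previous snapshot, so the member list it carries has to be stored (a driver-scoped variable or a query of the eDirectory group's Member attribute) before any later event can be diffed against it.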