Identity Manager: mapping of endpoint attributes

Article ID: 191704

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

The mapping between Global User attributes and the attributes of an account on an endpoint is described in the CA Identity Management and Governance Connectors Guide; however, questions are still being asked.
This article provides some explanation.

Environment

Release :

Component: IdentityMinder (Identity Manager)

Resolution

[Question] I can see a lot of gaps between a Global User's details and the details of the account on an endpoint from which the global user was created. How can I synchronize all the data between the endpoint account and the Global User?
[Answer] By default, for most endpoints, only a minimal subset of account attributes is mapped to global user attributes.
This is done to improve performance during endpoint exploration.
If you need to populate Global User attributes from account attributes, you need to define additional attribute mappings. Follow these steps to set up attribute mapping (using the IM User Console):
  1. Run the Modify Endpoint task (Endpoints->Manage Endpoints->Modify Endpoint)
  2. Search for and select the endpoint of interest
  3. On the "Attribute Mapping" tab, enable "Use Custom Settings"
    Please note that default mappings are ignored when custom settings are enabled.
  4. Press the Attribute Mapping "Add" button
  5. Select the global user attribute and the corresponding account attribute
  6. Repeat steps 4 and 5 as needed
Mapping can also be done using the IM Provisioning Manager application.
Please note that exploration time is likely to increase, in some cases significantly, because extra information has to be retrieved from the endpoint.

[Q] When using custom settings, do I need to add all of the mappings, i.e. the default mappings as well?
[A] Yes, you need to provide all the mappings you need, because default mappings are ignored when custom settings are enabled.

[Q] After following the 6 steps mentioned, do I need to create an exploration setting and execute it so the data will be in sync, or are there any other steps that I need to take?
[A] Synchronization of Global User data with endpoint account data is done during correlation.
You don't necessarily need to create a new explore/correlate definition, but you must ensure that the existing explore/correlate definition has the "Update user fields" option enabled.
Then you need to execute explore/correlate again in order to synchronize the newly mapped endpoint attributes with the Global User attributes.