Custom Manager attribute in Active Directory Account Template

Article ID: 205913

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

Is it possible to populate the 'Manager' attribute in an Active Directory account template from a custom field?

Can we use the %MANAGER% well-known name to automatically update the Manager field in the AD account when we update a corporate user?

Environment

Release : 14.x

Component : CA IDENTITY MANAGER, CA IDENTITY SUITE (VIRTUAL APPLIANCE)

Resolution

When working with account templates, we cannot use attribute names from the Identity Manager User, such as %MANAGER%.
We are limited to the rule strings described in this document, which contains a full list of template rules:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/administrating/managed-endpoints-and-provisioning/provisioning-roles/attributes-and-rule-strings-in-account-templates.html
Please note that when the account template rules are evaluated, the IM Provisioning Server uses the attributes of a Global User (i.e. a provisioning user), and not those of an IM User (i.e. a corporate user stored in the IM User Store).

We recommend using custom Global User fields to generate the Manager attribute.
The following approach can be used for the Manager AD attribute, and in similar scenarios for any endpoint.

  1. Enable a custom Global User attribute:
    1. Launch the Provisioning Manager application
    2. System > Global Properties > Custom User Fields
    3. Select one of the custom fields that hasn't been configured yet, for instance 01, then push 'Edit name'
    4. Provide a value, for instance 'Manager ID' and apply the configuration
  2. Map a corporate user attribute to the above configured custom Global User attribute:
    1. Open the IM Management Console
    2. Environments > select your environment > Advanced Settings > Provisioning > Attribute Mappings
    3. Select the proper corporate user attribute in the 'User Attribute' drop-down box (in this example "%MANAGER%") and the proper custom attribute in the 'Provisioning Attribute' drop-down box ("%CUSTOM_FIELD_01%")
    4. Push 'Add', then 'Save', and then restart the IM environment
  3. Modify the AD account template. It's not possible to edit the "Manager" field in the IM User Console, so Provisioning Manager should be used:
    1. Launch Provisioning Manager
    2. Roles > select 'Active Directory Account Template' in the 'Object type' drop-down box > Search
    3. Select the account template > Properties > Organization
    4. Provide the proper rule in Manager > DN
      The AD account attribute in question (eTADSmanager) must contain the DN of a manager account.
      The proper rule string should be something like this:
      CN=%UCU01%,CN=Users,DC=MYCompany,DC=com
    5. Apply the change
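
Because the rule string only yields a usable Manager DN when custom field 01 holds a bare CN, the following added example (not part of the original article and not Broadcom code) audits Global User field values before the template is applied. It assumes the Provisioning Server inserts the field value verbatim; the function names and sample users are hypothetical and constructed for illustration.

```python
import re

# Rule string from the article; %UCU01% is custom Global User field 01.
RULE = "CN=%UCU01%,CN=Users,DC=MYCompany,DC=com"

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
DN_SPECIAL = set(',+"\\<>;=')

def expand(rule, attrs):
    """Model of rule evaluation: replace each %NAME% token with the Global
    User attribute value, verbatim (assumption; missing values become '')."""
    return re.sub(r"%([A-Z0-9_]+)%", lambda m: attrs.get(m.group(1)) or "", rule)

def check_manager_value(value):
    """Return the reasons this field value cannot yield a usable manager DN."""
    if not value:
        return ["empty value: the rule produces 'CN=,...' with no manager CN"]
    problems = []
    if value != value.strip() or value.startswith("#"):
        problems.append("leading/trailing space or leading '#'")
    found = sorted(DN_SPECIAL & set(value))
    if found:
        problems.append("DN special characters: " + " ".join(found))
    return problems

def audit(users, rule=RULE, field="UCU01"):
    """Map each flagged user to (expanded DN, problems); clean users are omitted."""
    report = {}
    for name, attrs in users.items():
        problems = check_manager_value(attrs.get(field) or "")
        if problems:
            report[name] = (expand(rule, attrs), problems)
    return report

# Constructed sample Global Users (not real data).
SAMPLE_USERS = {
    "asmith": {"UCU01": "jdoe"},                      # plain CN: fine
    "bnguyen": {"UCU01": ""},                         # manager never mapped
    "clee": {"UCU01": "Doe, John"},                   # comma splits the RDN
    "dpatel": {"UCU01": "CN=jdoe,CN=Users,DC=MYCompany,DC=com"},  # already a DN
}

if __name__ == "__main__":
    for user, (dn, problems) in audit(SAMPLE_USERS).items():
        print(f"{user}: {dn!r} -> {'; '.join(problems)}")
```

Flagged values need to be corrected in the corporate user store or handled with a different rule string before the template change is applied.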