Explore and correlate doesn't create groups in the user store

Article ID: 220352

Updated On:

Products

CA Identity Suite

Issue/Introduction

Scenario:

An LDAP DYN connector has been created through CA Identity Manager Connector Xpress, with user account and group classes defined along with the attributes to be synchronized.

After executing a full tree explore and correlate (E&C), the following behavior is observed:

  • User Account: Explored objects are added to provisioning and to the user store;
  • Group: Explored objects are added only to provisioning, but not to the user store;

 

Is there a configuration that can be applied so that the explored groups are also created in the user store?

 

Environment

Release : 14.x

Component : CA Identity Manager

Resolution

There is no built-in logic to map endpoint groups to corp store groups. If you require such a solution you will need to either develop your own solution or submit an enhancement request (idea) via the Broadcom communities site (https://community.broadcom.com/ideation/allideas).
 

Additional Information

As a bespoke solution, you can try adding an OpBinding at the connector level (for doAdd() / doRemove()) to add and remove the group directly at the Corp Store level. Alternatively, you can run an external batch or scheduled job that checks the groups on the endpoint against the Corp Store and creates or deletes them as needed.

When an endpoint group is created, it may arrive as a notification, but the notification is a generic one and not group specific (example below).

20210722:103019:TID=000ca4:I: START: Notify Batch Processing
20210722:103019:TID=000ca4:I: Sending Notification: eTNotifyOpID=d3799d45-3374-4eaa-9676-fc3647468808
20210722:103019:TID=000ca4:I: Event: Add_Provisioning_Object (eTADSGroupName=newinbounttest)
20210722:103019:TID=000ca4:I: SeqNo: 0000000090
20210722:103019:TID=000ca4:I: Try sending payload to http://testhostname/iam/im/ETACALLBACK/?env=imsso
20210722:103021:TID=000ca4:I: SUCCESS: Payload sent successfully
20210722:103021:TID=000ca4:I: DONE: Notifications Processed: 1/1+

You would need to parse the notification through Policy Xpress (PX) and, if the object class is the right one, trigger an action that creates a new group.

The external batch option will offer the best performance, as you might have thousands of generic Add_Provisioning_Object notifications and parsing them might carry a big performance hit.

So every time an E&C is scheduled, you could schedule the external batch to run about an hour later (or however long the E&C takes).
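
One way to structure the comparison step of the external batch described above, as an added example (not Broadcom code and not part of the original article). It assumes the group names have already been exported from the endpoint and the Corp Store; the `managed` marker, the delete threshold and the sample names other than the group from the log are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Plan:
    create: list = field(default_factory=list)
    delete: list = field(default_factory=list)
    blocked: str = ""  # non-empty when deletes were withheld


def norm(name: str) -> str:
    """Group names are compared case-insensitively, ignoring outer whitespace."""
    return name.strip().casefold()


def reconcile(endpoint_groups, corp_groups, managed, max_delete_ratio=0.5):
    """Return the changes needed to make the Corp Store match the endpoint.

    endpoint_groups: group names explored on the endpoint
    corp_groups:     group names currently in the Corp Store
    managed:         Corp Store groups this batch created earlier; only these
                     may be deleted (hypothetical marker, e.g. a tag attribute
                     written at creation time)
    """
    endpoint = {norm(g): g.strip() for g in endpoint_groups if g.strip()}
    corp = {norm(g): g.strip() for g in corp_groups if g.strip()}
    owned = {norm(g) for g in managed} & corp.keys()

    plan = Plan(create=sorted(endpoint[k] for k in endpoint.keys() - corp.keys()))
    stale = sorted(corp[k] for k in (corp.keys() - endpoint.keys()) & owned)

    # A failed or truncated E&C run looks like "most groups vanished".
    # Withhold deletes in that case instead of emptying the Corp Store.
    if stale and (not endpoint or len(stale) > max_delete_ratio * len(owned)):
        plan.blocked = f"{len(stale)} deletes withheld: exceeds safety threshold"
    else:
        plan.delete = stale
    return plan


if __name__ == "__main__":
    # Constructed sample data; "newinbounttest" is the group from the log above.
    endpoint = ["newinbounttest", "Finance-Admins", "HelpDesk"]
    corp = ["finance-admins", "HelpDesk", "OldProject", "IM-Approvers"]
    managed = ["finance-admins", "HelpDesk", "OldProject"]
    print(reconcile(endpoint, corp, managed))
```

Groups that exist in the Corp Store but were never created by the batch (here `IM-Approvers`) are left alone, so a manually maintained group is not removed because it has no counterpart on the endpoint.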
 
If you need help to develop this custom solution you can reach out to our services division for assistance (billable rates apply).