Explaining Provisioning Server Stored Object Associations (Inclusions)
search cancel

Explaining Provisioning Server Stored Object Associations (Inclusions)


Article ID: 36124


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite


Explanation behind how the Provisioning Server stores associations between objects internally in its Provisioning Repository.


All versions of Identity Suite (Identity Manager)


Every object in the Provisioning Repository has a UUID stored in the eTID attribute. In some cases these eTID values are used as references to link objects together. As objects are deleted and re-created new UUID values are generated and stored in the eTID attributes. Moving data from one installation to another is problematic since the eTID values may not be correct.


Non-Inclusion Object Associations


In some cases relationships between objects are stored directly on the object (i.e. done without inclusion objects). The list of such associations are:


  • Global Users <-> Provisoining Roles via eTRoleDN attribute on Global User.


  • Endpoint <-> Default Account Template via eTDefaultPolicyDN attribute on Endpoint.


  • Account <-> Account Template via eTPolicyDN attribute on Account.


Inclusion Object Associations


But in other cases the relationship between objects are stored in a third object called an Inclusion object. In this case the Inclusion Object will link a SuperiorClass object to a SubordinateClass object. The Inclusion object will store the SuperiorClass object's eTID in an attribute called eTPID and will store the SubordinateClass object's eTID in an attribute called eTCID. The Inclusion Object will be named in a format of eTPID_Value@eTCID_Value and will have an eTID of its own. The list of such associations are: 


  • Account Templates <-> Endpoints


  • Global Groups <-> Global Groups


  • Global Groups <-> Global Users


  • Global Users <->Accounts


  • Provisioning Roles <-> Account Templates


  • Provisioning Roles <-> Provisioning Roles


In the Provisioning Repository the Inclusions container branch stores those inclusions in a DIT structure as shown below:


  • dc=etadb


  • dc=im


  • eTNamespaceName=CommonObjects


  • eTInclusionContainerName=Inclusions


  • eTSuperiorClass=eTADSPolicy


  • eTSubordinateClass=eTADSDirectory


  • eTInclusionID=eTPID_Value@eTCID_Value


  • eTSuperiorClass=eTGlobalGroup


  • eTSubordinateClass=eTGlobalGroup


  • eTInclusionID=eTPID_Value@eTCID_Value


  • eTSubordinateClass=eTGlobalUser


  • eTInclusionID=eTPID_Value@eTCID_Value


  • eTSuperiorClass=eTGlobalUser


  • eTSubordinateClass=eTADSAccount


  • eTInclusionID=eTPID_Value@eTCID_Value


  • eTSuperiorClass=eTRole


  • eTSubordinateClass=eTADSPolicy


  • eTInclusionID=eTPID_Value@eTCID_Value


  • eTSubordinateClass=eTRole


  • eTInclusionID=eTPID_Value@eTCID_Value

Additional Information

  1. Can I export data out of one system and import it into another?
    Not as simply as that. You need to take into account the eTID values. You may need to strip the eTID values off of objects before feeding them into the Provisioning Server so that it can create all new UUID values and then re-build all the various associations unless this is a complete data replacement.


  1. My endpoint was decommissioned, now what?
    The proper way of decommissioning an endpoint would have been to delete the acquired Endpoint object which would have handled the cleanup. Since that was not done you now have to manually delete the endpoint from the Provisioning Repository, remove any reference of the Endpoint from Templates, and remove any "Global Users <->Accounts" inclusions that point to that endpoint.


  1. When I right-click on my Provisioning Global User to List Accounts I see accounts that cannot be accessed, now what?
    If accounts cannot be accessed then perhaps they were moved/deleted on the native endpoint system. Try running an Explore/Correlate and hopefully that will clear up the data/inclusions.


  1. When I right-click on my Provisioning Global User to List Accounts I see duplicate accounts or I still have accounts listed that the Explore/Correlate did not clear up, now what?
    Sounds like there are "orphaned" inclusions where something has gone wrong and the inclusions reference invalid eTPID or eTCID values. This will require manual clean up to find and delete those inclusion objects.