Explaining Provisioning Server Stored Object Associations (Inclusions)

book

Article ID: 36124

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

 

Introduction/Summary: 

 

Explanation behind how the Provisioning Server stores associations between objects internally in its Provisioning Repository.

 

Background:  

 

Every object in the Provisioning Repository has a UUID stored in the eTID attribute. In some cases these eTID values are used as references to link objects together. As objects are deleted and re-created new UUID values are generated and stored in the eTID attributes. Moving data from one installation to another is problematic since the eTID values may not be correct.

 

Environment:  

 

All

 

Instructions: 

 

Non-Inclusion Object Associations

 

In some cases relationships between objects are stored directly on the object (i.e. done without inclusion objects). The list of such associations are:

 

·        Global Users <-> Provisoining Roles via eTRoleDN attribute on Global User.

 

·        Endpoint <-> Default Account Template via eTDefaultPolicyDN attribute on Endpoint.

 

·        Account <-> Account Template via eTPolicyDN attribute on Account.


 

Inclusion Object Associations

 

But in other cases the relationship between objects are stored in a third object called an Inclusion object. In this case the Inclusion Object will link a SuperiorClass object to a SubordinateClass object. The Inclusion object will store the SuperiorClass object's eTID in an attribute called eTPID and will store the SubordinateClass object's eTID in an attribute called eTCID. The Inclusion Object will be named in a format of [email protected]_Value and will have an eTID of its own. The list of such associations are: 

 

·        Account Templates <-> Endpoints

 

·        Global Groups <-> Global Groups

 

·        Global Groups <-> Global Users

 

·        Global Users <->Accounts

 

·        Provisioning Roles <-> Account Templates

 

·        Provisioning Roles <-> Provisioning Roles

 

In the Provisioning Repository the Inclusions container branch stores those inclusions in a DIT structure as shown below:

 

·        dc=etadb

 

·        dc=im

 

·        eTNamespaceName=CommonObjects

 

·        eTInclusionContainerName=Inclusions

 

·        eTSuperiorClass=eTADSPolicy

 

·        eTSubordinateClass=eTADSDirectory

 

·        [email protected]_Value

 

·        eTSuperiorClass=eTGlobalGroup

 

·        eTSubordinateClass=eTGlobalGroup

 

·        [email protected]_Value

 

·        eTSubordinateClass=eTGlobalUser

 

·        [email protected]_Value

 

·        eTSuperiorClass=eTGlobalUser

 

·        eTSubordinateClass=eTADSAccount

 

·        [email protected]_Value

 

·        eTSuperiorClass=eTRole

 

·        eTSubordinateClass=eTADSPolicy

 

·        [email protected]_Value

 

·        eTSubordinateClass=eTRole

 

·        [email protected]_Value

 

 

 

Additional Information:

 

1.   Can I export data out of one system and import it into another?
Not as simply as that. You need to take into account the eTID values. You may need to strip the eTID values off of objects before feeding them into the Provisioning Server so that it can create all new UUID values and then re-build all the various associations unless this is a complete data replacement.

 

2.   My endpoint was decommissioned, now what?
The proper way of decommissioning an endpoint would have been to delete the acquired Endpoint object which would have handled the cleanup. Since that was not done you now have to manually delete the endpoint from the Provisioning Repository, remove any reference of the Endpoint from Templates, and remove any "Global Users <->Accounts" inclusions that point to that endpoint.

 

3.   When I right-click on my Provisioning Global User to List Accounts I see accounts that cannot be accessed, now what?
If accounts cannot be accessed then perhaps they were moved/deleted on the native endpoint system. Try running an Explore/Correlate and hopefully that will clear up the data/inclusions.

 

4.   When I right-click on my Provisioning Global User to List Accounts I see duplicate accounts or I still have accounts listed that the Explore/Correlate did not clear up, now what?
Sounds like there are "orphaned" inclusions where something has gone wrong and the inclusions reference invalid eTPID or eTCID values. This will require manual clean up to find and delete those inclusion objects.

 

 

 

 

 

 

 

Environment

Release:
Component: IDMGR