How to explore/correlate Endpoints in batch jobs, especially dynamic endpoints.

book

Article ID: 50746

calendar_today

Updated On:

Products

DIRECTORY CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

Initially an issue was opened because Client did not succeed in performing an etautil command against a dynamic endpoint as following:

<Please see attached file for image>

Figure 1

etautil does not work when performing explore operations against dynamic endpoints.

This is due to some checks against the DYN parser table (see dumpptt -f -t dynparse -of dynparse.txt) where Namespace name in PTT (DYN) does not match with the custom namespace name (e.g. dynsql).

The solution to run an Explore/Correlate process in a batch mode is using the LDAPSEARCH command.

Solution:

With the sample below requesting eTExploreCorrelateUsers and eTExploreCreateUsers attributes means that accounts will be explored, correlated with global users and global users will be created when needed:

<Please see attached file for image>

Figure 2

In the previous sample you can only request eTExploreCreateUsers, it implicitly means that explore and correlate will be performed.

eTExploreUpdateEtrust retrieves all managed objects.

eTExploreCorrelateUsers correlates accounts with existing global users.

eTExploreCreateUsers creates global users as needed during the correlation.

eTExploreUpdateUsers sets/refreshes the global user attributes using account attribute values.

>> Combining explore, correlate and update actions into a single request is not supported.

To explore the endpoint and update the global users from accounts through the attribute mapping you must run the LDAPSEARCH with eTExploreUpdateUsers attribute only in a separate request. See below:

<Please see attached file for image>

Figure 3

With the following mapping (e.g.):

<Please see attached file for image>

Figure 4

Global user Company attribute values will be updated with Account Company attribute values.

E.g. See below:

<Please see attached file for image>

Figure 5

After LDAPSEARCH with eTExploreUpdateUsers:

<Please see attached file for image>

Figure 6

Environment

Release:
Component: IDMGR

Attachments

1558698461414000050746_sktwi1f5rjvs16oa1.gif get_app
1558698459595000050746_sktwi1f5rjvs16oa0.gif get_app
1558698457845000050746_sktwi1f5rjvs16o9z.gif get_app
1558698456197000050746_sktwi1f5rjvs16o9y.gif get_app
1558698454256000050746_sktwi1f5rjvs16o9x.gif get_app
1558698452278000050746_sktwi1f5rjvs16o9w.gif get_app