How to Manually Correlate Identities (IDs) between the IM Provisioning Server (CA Admin) and an explored Endpoint.
Article ID: 53413

Products

CA Directory CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description

The IM Provisioning Server has the ability to perform automatic correlation. Two default correlation algorithms exist in the IM solution. The first automatic correlation occurs when the identities of a Global User (GU) and an Endpoint account match exactly, e.g. bugsbunny = bugsbunny. The second automatic correlation runs after the first and matches when the GU's Fullname attribute equals the endpoint's fullname field, e.g. Bugs Bunny = Bugs Bunny. These algorithms are configured under the Provisioning Server's System Tab / Domain Configuration Button / Explore and Correlate List / Correlation Attribute. Additional correlation algorithms may be added to this list, either globally or for a specific endpoint, by the client or CA Services. If no known algorithm can automatically match Global User IDs to Endpoint IDs, then manual correlation is the only option left.

Solution

There are two (2) processes that may be used to perform manual correlation. One method is to use the CA Provisioning Server's Manager GUI. A drag-and-drop feature exists within the solution that allows an administrator to move endpoint identities from one Global User ID to another. This method is typically used when an endpoint ID does not quite match the default algorithms and ends up under the Global User ID = [default user]. This [default user] acts as a "bucket" to catch system accounts, non-standardized accounts, and non-approved accounts that no longer have a Global User ID or never did. An administrator may use the Manager GUI to open two (2) user windows for the process: drag an associated endpoint account from the GU ID [default user] and drop it on another GU ID. The solution will automatically remove the old inclusions in the directory and assign new inclusions. After the "drag-n-drop" procedure is complete, an administrator may perform the task "list all endpoint accounts associated with a GU ID"; the new endpoint account will be properly assigned and displayed. The GU ID will not lose this account when additional Explore and Correlate processes are performed. When the Global User ID is deleted, all associated endpoint accounts will be deleted if the option to delete endpoint accounts is selected.
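As an added illustration (not code from the CA article or the product), the two automatic correlation passes described under Description, with every unmatched account landing in the [default user] bucket that the manual drag-and-drop or etautil work described here starts from. The Identity class, the function names and the sample IDs are constructed for this example; how the product resolves a fullname shared by several Global Users is not stated in the article and is treated as an assumption in the code.

```python
from dataclasses import dataclass

DEFAULT_USER = "[default user]"  # catch-all GU ID named in the article

@dataclass(frozen=True)
class Identity:
    """A Global User or an explored endpoint account: ID plus fullname."""
    ident: str        # GU ID or endpoint account ID, e.g. bugsbunny
    full_name: str    # Fullname attribute / endpoint fullname field ("" if none)

def correlate(global_users, accounts):
    """Return {gu_id: [account_id, ...]} plus a DEFAULT_USER bucket.
    Pass 1: account ID equals a GU ID exactly (bugsbunny = bugsbunny).
    Pass 2: remaining accounts whose fullname equals exactly one GU fullname.
    Assumption (the article does not say): a fullname shared by several GUs
    is no match, so the account is bucketed for manual review."""
    gu_ids = {gu.ident for gu in global_users}
    by_name = {}
    for gu in global_users:
        by_name.setdefault(gu.full_name, []).append(gu.ident)
    result = {gu_id: [] for gu_id in gu_ids}
    result[DEFAULT_USER] = []
    remaining = []
    for acct in accounts:                        # pass 1: exact ID match
        if acct.ident in gu_ids:
            result[acct.ident].append(acct.ident)
        else:
            remaining.append(acct)
    for acct in remaining:                       # pass 2: fullname match
        owners = by_name.get(acct.full_name, []) if acct.full_name else []
        if len(owners) == 1:
            result[owners[0]].append(acct.ident)
        else:
            result[DEFAULT_USER].append(acct.ident)
    return result

def manual_worklist(result):
    """Account IDs left in the bucket: the rows for the manual-correlation spreadsheet."""
    return sorted(result[DEFAULT_USER])

def run_sample():
    # Constructed sample data, not real identities.
    gus = [Identity("bugsbunny", "Bugs Bunny"), Identity("ptpig", "Porky Pig"),
           Identity("dduck", "Daffy Duck"), Identity("dduck2", "Daffy Duck")]
    accts = [Identity("bugsbunny", "Bugs Bunny"),  # pass 1: exact ID
             Identity("porky", "Porky Pig"),       # pass 2: unique fullname
             Identity("daffy", "Daffy Duck"),      # two GUs share the name -> bucket
             Identity("svc_backup", "")]           # system account -> bucket
    return correlate(gus, accts)
```

Running `manual_worklist(run_sample())` yields the accounts an administrator would still have to place by hand, which is the list the spreadsheet analysis in the second method is built from.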

When the number of manual correlations precludes completing the task in a reasonable amount of time, a secondary method may be used. The secondary process leverages the CA Provisioning Manager command line utility, etautil; the transaction logs of CA Provisioning Manager, etatrans{date}.log, or the JXplorer tool; and a spreadsheet.

The command line utility performs the same steps as the "drag-n-drop" process, allowing directory inclusions to be rebuilt, with the ability to batch large numbers of manual correlations. The analysis for the manual correlation is done in a spreadsheet. The full distinguished names (DNs) of the GU ID and the Account ID are needed to perform the batch process. The full DN may be found using the Provisioning Server's log, etatrans{date}.log, or using the JXplorer tool. Instructions and examples for the etautil command exist within the offline IM Bookshelf and online in the Provisioning Server help guide, specifically "Creating an Inclusion Object".

If this manual correlation process is part of a migration from a previous version of the Provisioning Manager (CA Admin), then a switch of the etautil command may be used to display the full DN of all endpoint accounts associated with the Global User. Guidance may be found in the offline IM Bookshelf and online in the Provisioning Server help guide, specifically "Report Control Statement".

Environment

Release:
Component: ETRADM