Layer7 Identity Management

Expand all | Collapse all

Create user identity from Endpoint explore&correlate

Jump to Best Answer
  • 1.  Create user identity from Endpoint explore&correlate

    Posted 07-26-2017 11:35 AM

    We would like to create an user identity from a run of the explore&correlate function on an Active Directory endpoint.

    We have tried to with the following configuration

    and the missing Global Users are created but, on Identity Manager side, I only get a "Create Global User from Account" task/event but no user identity has been created.

     

    Also, I do not know if/which Account Template (thas is attribute mappings) the system has used to create the missing Global User from the Endpoint Account; is it the Default Account Template configured into the Endpoint (in my case I left it empty, no default Account Template)



  • 2.  Re: Create user identity from Endpoint explore&correlate
    Best Answer

    Posted 07-26-2017 11:49 AM

    The Account Templates are used for pushing attribute values down from IM User to Provisioning User to Endpoint Account. They are not used for pulling information from the Endpoint Account to the Provisioning User to the IM User. What is used for that is the Endpoint Attribute Mappings defined on the acquired endpoint in conjunction with the Explore/Update where the Explore will retrieve the values and store them on the account object residing in the Provisioning Repository and then the Update will update the Provisioning User associated to that endpoint account which in turn generates an inbound notification to update the corresponding IM User. Note that a drawback of the Endpoint Attribute Mappings is that the data which is retrieved/stored on the account object residing in the Provisioning Repository will then be what gets retrieved instead of retrieving values from the endpoint itself so the data could be "stale/wrong". The values stored in the Provisioning Repository would be refreshed on the next Explore.

     

    As to the creation of the user, the Provisioning User will initially get created with just the eTGlobalUserName and eTUserID values during the Correlate/Create. Then during the Update the Provisioning User would be updated with additional values. The IM User not getting created is likely due to either the inbound notifications not being sent to the IM Server or being sent but then IM "auditing" the request since it cannot complete the request to create an IM User due to missing required values in which case you could either configure default values to use on the screen for the Provisioning Create User task or configure a PX Policy of type=UI on Submission of the Provisioning Create User task to set some default values as needed. Then when the Update is run and the Provisioning User is updated this would trigger a Provisioning Modify User task to update the corresponding IM User.



  • 3.  Re: Create user identity from Endpoint explore&correlate

    Posted 07-27-2017 04:24 AM

    Thanks a lot Kenny for the detailed explanation.