Symantec IGA

  • 1.  CA IDM

    Posted Nov 15, 2016 08:21 AM

    Hi,


    Requirement -

    1. The user will have a basic Provisioning role with access to a basic AD account and basic groups.

    2. The user will additionally be given a new role that provides access to advanced / more groups.

    3. Users can be in any of the OUs.

    Issues -

    1. What works - When I try to add the second Prov role, it adds the additional groups only if the OU container is the same.

    2. What fails - When I try to add the second Prov role, it fails to add the additional groups if the OU container is different, as it gives an error that the account already exists.

    3. Also, we have the same issue for Oracle Server DB. A developer might have only basic Oracle roles, but after a period of time they might become a DBA and require an additional role given through a Provisioning role. This fails, as it says the account already exists.

    Workaround for AD groups - We create different roles based on employment type, but that creates duplicates, which the client doesn't like.

    Please help with suggestions.


    Thanks

    Cinil.



  • 2.  Re: CA IDM

    Broadcom Employee
    Posted Nov 16, 2016 11:40 AM

    You will have to do the following configurations in your provisioning server using Provisioning Manager. It will make sure IM won't try to create the account again if the account already exists.




  • 3.  Re: CA IDM
    Best Answer

    Posted Nov 17, 2016 08:45 AM

    I am not a fan of Sync User Existing, as it can cause trouble if you want to have two different accounts on the same endpoint (i.e. a normal account and an admin account), and this change will impact all endpoints.

    Instead I prefer to make use of the AD Template's Account Container filter rules. If all templates have the same filter rules then they will all resolve to the same container based on the global user field values.
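An added example, not CA IdM's own code or rule syntax, that models the point of the answer above: each AD account template's container rule is treated as a lookup on a global user attribute (assumed here to be `employeeType`), and a user whose templates resolve to different containers is exactly the case that produces the "account already exists" failure on the second role. Template names, DNs and users are constructed.

```python
from collections import defaultdict

# Constructed sample templates: (global user attribute, value -> container DN, default DN).
# Real CA IdM templates express the container as a rule string; this mapping is an assumption.
TEMPLATES = {
    "AD-Basic": ("employeeType",
                 {"Employee": "OU=Staff,DC=corp,DC=example",
                  "Contractor": "OU=Contractors,DC=corp,DC=example"},
                 "OU=Users,DC=corp,DC=example"),
    "AD-AdvancedGroups": ("employeeType",
                 {"Employee": "OU=Staff,DC=corp,DC=example",
                  "Contractor": "OU=Contractors,DC=corp,DC=example"},
                 "OU=Users,DC=corp,DC=example"),
    # Hypothetical template whose rule ignores the user attribute and pins one OU:
    # for anyone whose other templates resolve elsewhere, assigning it means a second account.
    "AD-DBA": ("employeeType", {}, "OU=DBAs,DC=corp,DC=example"),
}

def resolve_container(template: str, user: dict) -> str:
    """Container DN the template would pick for this user."""
    attr, mapping, default = TEMPLATES[template]
    return mapping.get(user.get(attr), default)

def find_conflicts(user: dict, assigned: list) -> dict:
    """Group the user's templates by the container they resolve to.

    Returns {} when every template agrees (provisioning reuses the one account);
    otherwise {container: [templates]} with more than one key, which is the
    situation that yields 'account already exists' when the second role is added.
    """
    by_container = defaultdict(list)
    for t in assigned:
        by_container[resolve_container(t, user)].append(t)
    return dict(by_container) if len(by_container) > 1 else {}

def audit(users: list, assigned: list) -> list:
    """Return (uid, conflicts) for each user whose templates disagree on the container."""
    out = []
    for u in users:
        c = find_conflicts(u, assigned)
        if c:
            out.append((u["uid"], c))
    return out

if __name__ == "__main__":
    # Constructed users: an employee and a contractor, each receiving all three templates.
    users = [{"uid": "alice", "employeeType": "Employee"},
             {"uid": "bob", "employeeType": "Contractor"}]
    for uid, c in audit(users, ["AD-Basic", "AD-AdvancedGroups", "AD-DBA"]):
        print(uid, c)
```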



  • 4.  Re: CA IDM

    Posted Nov 17, 2016 10:21 AM

    Yes, this was the solution we wanted. Thank you very much, it works like a charm. The earlier suggestion stopped us from creating multiple genuine accounts for the same user.