Symantec IGA

  • 1.  I need to connect an IDM system to an existing AD (Active Directory) system containing 10K users

    Posted Jan 17, 2017 06:16 AM

    I need to connect an IDM system to an existing AD system containing 10K users. The account name at the AD end is in Firstname.Lastname format,

    while the account name at the IDM end is the User ID.

    When I explore and correlate, it creates a new GU every time, because my GU name only has the value of the User ID.

    Please suggest steps or a way out in this situation.



  • 2.  Re: I need to connect an IDM system to an existing AD (Active Directory) system containing 10K users
    Best Answer

    Broadcom Employee
    Posted Jan 17, 2017 09:55 AM

    Hi.

    I'm not sure I understand what you meant. I understand the UID at the AD side is formatted FirstName.LastName. What attribute is that on the AD side?

    What is the format of the Global User ID?

    You said it created a new global user every time. What do you mean by every time? Do you mean when you ran the same explore and correlate over and over again, or do you mean something else?

    I feel it may be worthwhile for you to consider opening a support case on this.

    Regards,

    Sagi



  • 3.  Re: I need to connect an IDM system to an existing AD (Active Directory) system containing 10K users

    Broadcom Employee
    Posted Jan 20, 2017 03:29 AM

    Hi Rathee,

    You probably have already opened a support case and got this sorted. If not: in order for you to correlate any endpoint account with an IDM user, you need to set up correlation rules, and you need to make sure that it is possible to match the IDM user and the endpoint account on some attribute or offset of an attribute value. Search "correlation rules" in the Identity Manager documentation.

    In your case, I understand that the IDM userID and the Active Directory Account ID don't match. So the questions you need to answer are:

    - Is there any attribute (or offset thereof) on the AD side that can be matched with the IDM userID value? If yes, then configure the correlation rule as follows: GlobalUserName=ActiveDirectory:YourMatchingADAttributeName (or offset)

    - Is there any attribute on the IDM user profile that can be matched with the AD account ID firstname.lastname? If yes, then configure the correlation rule as follows: YourGlobalUserAttributeName=ActiveDirectory:AccountID. Make sure that you have the IDM user attribute mapped to the correct Provisioning User attribute in the IM environment provisioning mappings.

    - If the response to the above questions is no, then you may need to create an attribute in IDM (create it in the user store and map it to a provisioning store attribute, e.g. eTCustomField20) that you calculate automatically once you create an IDM user. So in your case, I would use Policy Xpress to set the value of your attribute (let's assume we use ADCorrelateAttribute in IDM, mapped to eTCustomField20 in the provisioning store, for this) to the IDM user's "firstname.lastname". This way, when you explore and correlate AD accounts, you can correlate the AD accountID with the IDM provisioning user's eTCustomField20.

    I hope this clarifies how correlation works.

    KR
    Russi
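As an added illustration of how the correlation rules Russi describes behave (example code written for this page, not Symantec/Broadcom code), the script below simulates an explore-and-correlate run under three rules against constructed IDM users and AD accounts, and lists the accounts for which a new global user would be created. The `IdmUser` class, the `correlate` function and the AD `employeeID` attribute are assumptions; `GlobalUserName`, `AccountID`, `eTCustomField20` and the Policy Xpress-derived firstname.lastname value come from the thread.

```python
from dataclasses import dataclass, field

@dataclass
class IdmUser:
    user_id: str                 # IDM Global User name, e.g. "u1001"
    first_name: str
    last_name: str
    attrs: dict = field(default_factory=dict)   # provisioning attrs, e.g. eTCustomField20

def derive_ad_correlate_attribute(user: IdmUser) -> str:
    # Stand-in for the Policy Xpress rule described above: build "firstname.lastname"
    # from the IDM user. AD account IDs compare case-insensitively, so lower-case it.
    return f"{user.first_name}.{user.last_name}".lower()

def correlate(ad_accounts, idm_users, idm_attr, ad_attr):
    """Apply the rule <idm_attr>=ActiveDirectory:<ad_attr>. Returns (matched, unmatched):
    matched maps AD AccountID -> IDM user ID; unmatched lists AD accounts for which a NEW
    global user would be created (no match, or an ambiguous match)."""
    index = {}
    for u in idm_users:
        key = u.user_id if idm_attr == "GlobalUserName" else u.attrs.get(idm_attr, "")
        index.setdefault(key.lower(), []).append(u.user_id)
    matched, unmatched = {}, []
    for acct in ad_accounts:
        candidates = index.get(acct.get(ad_attr, "").lower(), [])
        if len(candidates) == 1:
            matched[acct["AccountID"]] = candidates[0]
        else:
            unmatched.append(acct["AccountID"])
    return matched, unmatched

# Constructed sample data: two distinct IDM users share the same name, which
# AD resolved by appending a digit to the second account. employeeID is assumed.
IDM_USERS = [IdmUser("u1001", "John", "Smith"), IdmUser("u1002", "Mary", "Jones"),
             IdmUser("u1003", "John", "Smith")]
AD_ACCOUNTS = [{"AccountID": "John.Smith", "employeeID": "u1001"},
               {"AccountID": "Mary.Jones", "employeeID": "u1002"},
               {"AccountID": "John.Smith2", "employeeID": "u1003"}]
for u in IDM_USERS:
    u.attrs["eTCustomField20"] = derive_ad_correlate_attribute(u)

def run_scenarios():
    return {
        "guname_vs_accountid": correlate(AD_ACCOUNTS, IDM_USERS, "GlobalUserName", "AccountID"),  # poster's setup
        "custom_vs_accountid": correlate(AD_ACCOUNTS, IDM_USERS, "eTCustomField20", "AccountID"),  # derived attribute
        "guname_vs_employeeid": correlate(AD_ACCOUNTS, IDM_USERS, "GlobalUserName", "employeeID"),  # AD carries IDM ID
    }

if __name__ == "__main__":
    print(run_scenarios())
```

The first scenario reproduces the thread's symptom (every account unmatched, so a new global user per account); the derived-attribute scenario shows that a computed firstname.lastname still leaves same-named users ambiguous and needs a tie-breaker matching AD's suffixing convention.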