Symantec IGA

Expand all | Collapse all

CA IdM 12.6 - How to make filtered explore/correlations?

Jump to Best Answer
  • 1.  CA IdM 12.6 - How to make filtered explore/correlations?

    Posted 06-27-2017 02:56 PM

    Hi experts,

     

    I would like to know if there is some way to make a filtered explore. I have an AD connector which explores an OU, which in turn has a lot of users.

     

    I need to do some kind of filtered exploration, for example, looking for users who has sAMAccountName=js* or individual users like sAMAccountName=jsosa. This is because we have to explore and correlate some users and do now want to explore (for now) the rest of the users in that OU.

     

    Is there some configuration point to do that?



  • 2.  Re: CA IdM 12.6 - How to make filtered explore/correlations?

    Broadcom Employee
    Posted 06-28-2017 08:48 AM

    If customization is ok, following can be executed from Provisioning Server/Directory machine. This will explore all accounts starting with LoginID 'i'. Same can be updated for AD:

     

    ldapsearch -h <PROV_HOSTNAME> -p 20389 -D "eTGlobalUserName=etaadmin,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w <PASSWORD> -b "eTSQLDirectoryName=mssqlserver,eTNamespaceName=MS SQL Server,dc=im,dc=eta" -s sub "eTSQLLoginName=i*" eTExploreUpdateEtrust

     

    Regards,

    Sumeet

     



  • 3.  Re: CA IdM 12.6 - How to make filtered explore/correlations?

    Broadcom Employee
    Posted 06-28-2017 08:23 AM

    Partial explore using wildcard on account name is available only for AD endpoint starting from release 12.6.8 of Identity Manager.

    See our release notes:

    New Features - CA Identity Manager - 12.6.8 - CA Technologies Documentation 



  • 4.  Re: CA IdM 12.6 - How to make filtered explore/correlations?
    Best Answer

    Posted 06-28-2017 11:05 AM

    Another benefit of executing the explore/correlate/update via ldapsearch command instead of via IM is that if in an environment with multiple Provisioning Servers you can point the ldapsearch against the non-primary Provisioning Server while the IM Server is using the primary Provisioning Server for its workload. This will also keep the inbound notifications generated by the Explore/Correlate/Update on the secondary Provisioning Server.