Symantec IGA

  • 1.  Assign Provisioning Role to IDM Users in bulk

    Posted Sep 07, 2018 03:32 AM

    Hi All,


    I have loaded the users in CA IDM using Bulk Load Client. Currently each user has only a dummy provisioning role. IDM is integrated with a Salesforce endpoint. I ran an explore and correlate on the Salesforce endpoint and correlated with existing global users. I have created around 100 provisioning roles and 100 account templates for Salesforce.

    How can I assign those provisioning roles to the existing users in IDM and synchronize those accounts?


    Please advise.




  • 2.  Re: Assign Provisioning Role to IDM Users in bulk
    Best Answer

    Posted Sep 07, 2018 08:31 AM

    Hello Nishant, 


    The product does not have a direct way to bulk assign provisioning roles to users. One option is to load all of your users onto a bulk loader file, and set that bulk loader file to modify a user attribute that you don't care about such as description or fax #. Then set up PX Policies firing on modify user that assign the roles that the users should have.


    With this in place, when you run the bulk feed file modifying the attribute that you don't care about, it will trigger all of the PX Policies that will assign the provisioning roles. 


    Once you're done with the bulk users you can fix those PX Policies to assign roles on create user or however they will work in your real workflow. After that you can run a second bulk feed file correcting the attribute value on all of your users. 


    Thank you, 


  • 3.  Re: Assign Provisioning Role to IDM Users in bulk

    Posted Sep 10, 2018 02:23 AM

    Hi Jennifer,


    Thanks for your valuable response. It's really helpful.


    The above approach will require writing a few PX and building logic to process the records. In etautil we can do the same using a single command. Since it will be a one-time activity, I would like to go with the etautil utility approach.




  • 4.  Re: Assign Provisioning Role to IDM Users in bulk

    Broadcom Employee
    Posted Sep 10, 2018 05:10 AM

    Just in case you don't have it, here's an example etautil command to add a provisioning role to a user and sync the user:


    etautil -d im -u etaadmin -p <password> ^
    update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' ^
    eTGlobalUser eTGlobalUserName=xyz123 to ^
    +eTRoleDN='eTRoleName=PR-AD-EMEA-Partners-Birthright,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im' ^
    eTSyncUsers='1' >> Log.txt


    Best to make sure that inbound sync is turned off during these operations so as not to flood IM and the TP database with messages.
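
Added example, not part of the original thread and not Broadcom's code: a generator that turns a user-to-role CSV into one etautil line per user, using the command shape from the post above, and rejects any value that could inject cmd metacharacters or extra DN components. The CSV column names, the `PR-SFDC-Sales` role, the name allowlist and the `%ETA_PASSWORD%` environment variable are assumptions.

```python
import csv
import io
import re

# Assumed allowlist: letters, digits, dot, underscore, hyphen. Rejects cmd
# metacharacters (& | > < ^ % ") and DN separators (, = ') in CSV input.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Command shape copied from the post above; %ETA_PASSWORD% is an assumption
# (a cmd environment variable the operator sets before running the file),
# so the password is never written into the generated batch file.
TEMPLATE = (
    "etautil -d im -u etaadmin -p %ETA_PASSWORD% "
    "update 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' "
    "eTGlobalUser eTGlobalUserName={user} to "
    "+eTRoleDN='eTRoleName={role},eTRoleContainerName=Roles,"
    "eTNamespaceName=CommonObjects,dc=im' "
    "eTSyncUsers='1' >> Log.txt"
)

def build_commands(csv_text):
    """Return (commands, rejected) for CSV rows with 'user' and 'role' columns."""
    commands, rejected = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        user = (row.get("user") or "").strip()
        role = (row.get("role") or "").strip()
        if SAFE_NAME.fullmatch(user) and SAFE_NAME.fullmatch(role):
            commands.append(TEMPLATE.format(user=user, role=role))
        else:
            rejected.append((line_no, user, role))
    return commands, rejected

# Constructed sample input; the last row carries a cmd metacharacter.
SAMPLE = """user,role
xyz123,PR-AD-EMEA-Partners-Birthright
abc456,PR-SFDC-Sales
bad&user,PR-SFDC-Sales
"""

if __name__ == "__main__":
    cmds, bad = build_commands(SAMPLE)
    print("\n".join(cmds))
    for line_no, user, role in bad:
        print(f"REM skipped CSV line {line_no}: {user!r} {role!r}")
```

Review the rejected rows by hand rather than loosening the allowlist; role names containing spaces would need their own handling.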