Symantec IGA

  • 1.  Auto correlate orphan account to new users

    Posted Sep 06, 2019 10:10 AM
    We configure a recurring explore/correlate task, one for each endpoint.
    For this reason, the global user named [default user] has a lot of orphaned accounts linked to it.

    We would like to automatically retry correlating those accounts with the global users during the reconciliation, but because they are already correlated to the [default user] this does not happen.
    One idea is to remove all the linked accounts from the [default user] before the next run of the explore/correlate tasks, but I do not know how to do it.

    Can you suggest the best way and how to achieve it?

    KR,
    Gabriele


    ------------------------------
    Senior Consultant
    Moviri
    Italy
    ------------------------------


  • 2.  RE: Auto correlate orphan account to new users

    Broadcom Employee
    Posted Sep 09, 2019 11:22 AM
    In the provisioning manager you could remove the linked accounts.  You could also create an etautil script based on the logging information.



  • 6.  RE: Auto correlate orphan account to new users

    Broadcom Employee
    Posted Sep 09, 2019 01:06 PM
    Hi,

    If the need is to delete all the accounts linked to [Default User] whatever the endpoint, a straightforward solution could be to delete the Global User directly at Provisioning Server level (etautil, Provisioning Manager) before the E&C task, e.g. via etautil:

    etautil -u etaadmin -p apassword delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[Default User]'

    Done this way, during the next correlation ("use existing global users"), the prov server is going to recreate [Default User] if needed.

    If you need to delete the orphan accounts per endpoint, then do not do that; instead you could search for all the inclusion objects with [Default User] as superior entry and an account DN containing the endpoint name as subordinate entry, and delete the corresponding entries.

    Thanks,
    Joffrey.


  • 7.  RE: Auto correlate orphan account to new users

    Broadcom Employee
    Posted Sep 09, 2019 03:02 PM
    Try the following and see if it works for you:

    etautil -u etaadmin -p <password> \
      delete 'eTADSContainerName=Users,eTADSDirectoryName=infra17,eTNamespaceName=ActiveDirectory,dc=im' eTADSAccount eTADSAccountName='*' in \
      'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im' eTGlobalUser eTGlobalUserName='[Default User]' eTRelationship=USERACCOUNT

    Instead of using the wildcard '*', I would use an account name first and observe the effect (make sure only the inclusion is deleted and not the account on the endpoint). If it works then use the wildcard to remove all the inclusions.

    If I had to do it, I would create a test account and explore that account only (AD E&C definition supports filtering), and let it link to the [Default User]. I would then use the above etautil command to delete the link for that test user account.



  • 8.  RE: Auto correlate orphan account to new users

    Posted Sep 17, 2019 06:35 AM
    I have not yet been able to complete the task.
    What I perform in Provisioning Manager is:
    1. list all accounts of the [default user] global user

    2. select all accounts and execute the action "Remove Account from User"
    Is there a way to perform the same with etautil?

    In particular, I tried the following command based on your suggestions, but:
    • it does not work (it hangs with no result)
    • it is limited to a single endpoint, but I would like to remove all accounts of any endpoint from [default user].
    etautil -d im -u etaadmin -p ******** delete 'eTADSOrgUnitName=Interni,eTADSOrgUnitName=TestIAM,eTADSOrgUnitName=Users,eTADSOrgUnitName=Corporate,eTADSDirectoryName=ITDOMAIN,eTNamespaceName=ActiveDirectory' eTADSAccount eTADSAccountName='*' in 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[default user]' eTRelationship=USERACCOUNT

    Can you help further?

    ------------------------------
    Senior Consultant
    Moviri
    Italy
    ------------------------------



  • 9.  RE: Auto correlate orphan account to new users
    Best Answer

    Broadcom Employee
    Posted Sep 17, 2019 07:02 AM

    If you need to remove all the accounts linked to [default user] whatever the endpoint/endpoint type, did you try, as suggested earlier, to delete the [Default User] entry using:

    etautil -u etaadmin -p apassword delete 'eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects' eTGlobalUser eTGlobalUserName='[Default User]'

    [Default User] will be recreated if/when needed by the prov server during the next correlation request.

    Regarding the command suggested by Iyes: yes, it is per endpoint, but it is not supposed to hang. The one provided is just an example and needs to be adapted to your needs. For instance, if this is for your SCIM EP TIBCO_SFDC, then the first part of the command must be adapted to match your SCIM EP instead of the AD EP provided as a sample. From the etautil command you have put in your update, it is unclear whether you have adapted it or not.
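
The per-endpoint etautil delete discussed in the replies above, wrapped in a small POSIX shell script as an added example (this is not code from the thread, from Broadcom, or from the product documentation). It follows the test-first approach suggested earlier: unlink one probe account, check in Provisioning Manager that only the inclusion disappeared and the endpoint account is still there, then run the wildcard. The endpoint table (the infra17 and ITDOMAIN Active Directory containers), the 'im' domain, the probe account name and the ETA_USER/ETA_PASSWORD environment variables are constructed assumptions; only the etautil syntax itself comes from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from Broadcom): wrapper around the
# per-endpoint etautil delete that removes only the USERACCOUNT inclusion (the link)
# between [Default User] and the accounts of the endpoints listed below.
# Constructed assumptions: the endpoint table, the 'im' domain, the probe account,
# and the ETA_USER/ETA_PASSWORD environment variables.
set -u

GLOBAL_USER_CONTAINER='eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects'
DEFAULT_USER='[Default User]'
ETA_DOMAIN=${ETA_DOMAIN:-im}

# Constructed endpoint table: container DN | account class | naming attribute.
# Both rows are Active Directory endpoints, as in the thread. Another endpoint type
# (such as the SCIM endpoint mentioned in the last reply) needs its own container DN,
# account class and naming attribute from the Provisioning Server schema; the eTADS*
# names must not be reused for it.
ENDPOINTS='eTADSContainerName=Users,eTADSDirectoryName=infra17,eTNamespaceName=ActiveDirectory|eTADSAccount|eTADSAccountName
eTADSOrgUnitName=Interni,eTADSOrgUnitName=TestIAM,eTADSOrgUnitName=Users,eTADSOrgUnitName=Corporate,eTADSDirectoryName=ITDOMAIN,eTNamespaceName=ActiveDirectory|eTADSAccount|eTADSAccountName'

# unlink_cmd CONTAINER_DN ACCOUNT_CLASS NAME_ATTR ACCOUNT_NAME
# Prints the etautil command (credentials omitted) that deletes the inclusion for
# ACCOUNT_NAME under [Default User]. The 'in ... eTRelationship=USERACCOUNT' clause
# scopes the delete to the link, so the account object on the endpoint is untouched.
unlink_cmd() {
  printf "etautil -d %s delete '%s' %s %s='%s' in '%s' eTGlobalUser eTGlobalUserName='%s' eTRelationship=USERACCOUNT\n" \
    "$ETA_DOMAIN" "$1" "$2" "$3" "$4" "$GLOBAL_USER_CONTAINER" "$DEFAULT_USER"
}

# unlink_run CONTAINER_DN ACCOUNT_CLASS NAME_ATTR ACCOUNT_NAME
# Executes the same delete. Every argument is passed quoted, so '*' reaches etautil
# as a literal wildcard (no shell globbing) and the spaces in the DNs survive.
# The password is taken from the environment instead of this script's command line,
# so it is not in shell history; it is still visible in 'ps' while etautil runs.
unlink_run() {
  etautil -d "$ETA_DOMAIN" -u "${ETA_USER:?set ETA_USER}" -p "${ETA_PASSWORD:?set ETA_PASSWORD}" \
    delete "$1" "$2" "$3=$4" \
    in "$GLOBAL_USER_CONTAINER" eTGlobalUser "eTGlobalUserName=$DEFAULT_USER" eTRelationship=USERACCOUNT
}

# unlink_all MODE [ACCOUNT]   (MODE: print | probe | all)
#   print : show the commands that would run for ACCOUNT on every listed endpoint
#   probe : unlink only ACCOUNT on every listed endpoint; afterwards verify in
#           Provisioning Manager that the link is gone and the endpoint account remains
#   all   : unlink every account ('*') of [Default User] on every listed endpoint
unlink_all() {
  mode=$1; account=${2:-}
  [ "$mode" = all ] && account='*'
  printf '%s\n' "$ENDPOINTS" | while IFS='|' read -r dn cls attr; do
    [ -z "$dn" ] && continue
    case $mode in
      print)     unlink_cmd "$dn" "$cls" "$attr" "$account" ;;
      probe|all) unlink_run "$dn" "$cls" "$attr" "$account" ;;
      *) echo "usage: $0 print|probe|all [ACCOUNT]" >&2; return 2 ;;
    esac
  done
}

if [ $# -gt 0 ]; then
  unlink_all "$@"
fi
```

Typical sequence: `./unlink_default_user.sh print '*'` to review the exact commands, then `ETA_USER=etaadmin ETA_PASSWORD=... ./unlink_default_user.sh probe testaccount`, check the probe account in Provisioning Manager, and only then `... all`. The per-endpoint form stays useful even when the whole [Default User] entry could simply be deleted, because it lets you unlink one endpoint's orphans without touching the others.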