Hi Lyes, for Option 2, I actually tried it but I hit a problem.
Assuming I have this feed CSV file:
action,userid,firstname,lastname
create, s1001, Test, User1
My bulk loader task is able to create this in CA IM and the AD account using the "Create User Task".
Then my PX is configured to run after Task Completed on "Create User Task".
In my PX, I have a data element to retrieve AD account info, but what I found out is that we cannot retrieve the AD account info (it always returns blank).
Then I tried another approach, where in my feed I now have 2 lines:
create,s1001,Test, User1
modify,s1001
Then my PX is modified to run after completion of "Modify user Task"; with this approach I can retrieve AD account info.
Original Message:
Sent: 07-02-2019 07:53 AM
From: IYES DENDENI
Subject: CA Identity Suite/Identity Manager PX unable to call external command
Identity Manager is flexible in that it gives you different options to do things. For this use case, you could use any of the following options:
1. Since the number of companies is small and manageable, you could use account templates and provisioning roles:
a. First you need a user attribute to hold the company name.
b. For each company, create an account template and a corresponding provisioning role.
c. Use either PX or Identity Policy sets to assign the appropriate role to the user based on the company attribute value.
2. A second option is to create a single PX policy that would modify the memberOf attribute (ADD operation) based on the account value and company attribute value:
a. PX data elements: get Accounts for user (endpoint type AD) - get companyName
b. PX entry rule: AD Accounts is not empty
c. PX action rules: Modify Account Attribute Value by Account Identifier. The Account Identifier is the AD account name gathered in the data element, and the attribute is the memberOf attribute, the Operation is ADD, and the value is the groupName based on the value of the company attribute (you need between 10 and 20 conditional actions based on the number of companies you have).
Original Message:
Sent: 07-01-2019 11:46 PM
From: William Cheang
Subject: CA Identity Suite/Identity Manager PX unable to call external command
Dear Kevin & Lyes,
Firstly, I would like to find out whether we can still execute an external command via PX in the CA Suite Virtual Appliance?
As I have found out, there is a permission issue; kindly refer to the screenshot.
Secondly, this is my use case.
1. IDM will process new joiners, for which a CSV (new joiner info) will be extracted from the HR system.
2. IDM will create the new user in IDM & AD domain (for which we will use the AD Account template to create the AD account).
3. IDM will assign the newly created AD account with an AD group. But this group has a condition as follows:
If the user is from Company1 then assign AD Group1.
If the user is from Company2 then assign AD Group2, etc. (there are about 10-20 companies).
How can we handle the AD group assignment based on the Company value (after creating the AD account)?
Original Message:
Sent: 07-01-2019 10:32 AM
From: IYES DENDENI
Subject: CA Identity Suite/Identity Manager PX unable to call external command
If you can be more specific about the account type you're creating and the group you're trying to assign, it will be helpful to better frame the discussion.
If this is an endpoint account, how about using the PX action 'Modify Account Attribute by Account Identifier' and manipulating the attribute that holds the group association (i.e. memberOf attribute)?
Original Message:
Sent: 07-01-2019 04:49 AM
From: Kevin Kruse
Subject: CA Identity Suite/Identity Manager PX unable to call external command
Hi,
Two things.
- Verify that the service account running the IDM application actually has permissions to run the script - and in particular execute rights to the path of the etautil application.
- You could achieve the same in a couple of different ways. Here is how I know it could be done:
1:
Do it as a TEWS action by exposing the Admin task: Modify Group Members and then do a SOAP action in your PX policy.
2:
If you have not encrypted the Global User store, then do it as an LDAP action.
Original Message:
Sent: 07-01-2019 02:11 AM
From: William Cheang
Subject: CA Identity Suite/Identity Manager PX unable to call external command
Hi Team,
I am using CA Identity Suite 14.3 vapp with Identity Portal & Identity Manager.
I have configured external code in PX to trigger an etautil command.
But after submitting the task, IM throws an error "Permission denied".
Q. In CA IM 14.3 vapp, are we still able to call an external command, or call a Java program?
Q. My purpose in calling the etautil command is to add a group to an account, after the account is successfully created by the admin task.
Any alternative way?
regards,
William