Symantec IGA

  • 1.  Detect Account Move Across Containers

    Posted Mar 18, 2020 11:18 AM
    Hi all

    We are trying to use the function that lets us move AD accounts directly in AD and have the IDM recognize the move (Detect Account Move Across Containers).


    However, when using this function after moving the account through AD, the IDM does not recognize the change. Is there anything to be done besides activating the function?

    We have already restarted the connector and it still doesn't work.

    ------------------------------
    Marcos Paulo Ortolani
    IT Security Coordinator
    ------------------------------


  • 2.  RE: Detect Account Move Across Containers
    Best Answer

    Broadcom Employee
    Posted Mar 18, 2020 12:03 PM
    Can you please provide more details as to what you mean by IM does not recognize the change? What are you observing versus what do you expect to happen?

    The documentation around this option is found at the below link:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-microsoft-exchange-and-microsoft-lync/acquire-an-active-directory-endpoint.html#concept.dita_369b7c0ffdd50f781e9d3bdf95f97ff955ba8c4f_AccountMovementacrossOrganizationalUnits


  • 3.  RE: Detect Account Move Across Containers

    Posted Mar 18, 2020 01:03 PM
    Hello

    When changing the user's OU in AD, the IDM loses its correlation with the user. The document below states that after checking the option "Detect Account Move Across Containers", the IDM would no longer lose this correlation if the user is moved to a different OU in AD.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-microsoft-exchange-and-microsoft-lync/acquire-an-active-directory-endpoint.html#concept.dita_369b7c0ffdd50f781e9d3bdf95f97ff955ba8c4f_AccountMovementacrossOrganizationalUnits

    What I want is to move the user to another OU directly in AD and have the IDM keep the correlation, without needing to explore the endpoint again.


  • 4.  RE: Detect Account Move Across Containers

    Broadcom Employee
    Posted Mar 19, 2020 02:54 AM
    To detect the account's move from one OU to another, you are required to perform the Explore and Correlate on the top-level organizational unit or on the destination organizational unit. Without performing the explore and correlate operation, this cannot be detected.

    Once the association of an account template with an account is lost, it cannot be automatically restored even after performing explore and correlate. It has to be added manually.


  • 5.  RE: Detect Account Move Across Containers

    Posted Mar 19, 2020 09:34 AM
    Ishwar Walk, thanks for your answer, but it is wrong.

    This option exists exactly to avoid having to explore; possibly the user search is no longer by DN but by login.

    I did the simulation in a test environment and it worked; you can read the document and analyze it.

    The problem is that it stopped working.

    Tks
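The disagreement in posts 4 and 5 comes down to what key the identity manager uses to match a stored account against what it finds in AD. The following is an added example, not code from the original thread or from the Symantec IGA connector, that illustrates the general mechanism in Python: it simulates an OU move (which rewrites only the distinguishedName, while objectGUID and sAMAccountName are untouched), then correlates a stored snapshot against the "live" directory by DN, by objectGUID and by logon name. The class, function names and all sample accounts and GUIDs are constructed for the illustration and are not the connector's own data model; which attribute the real product uses is not stated on this page.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class AdAccount:
    """Constructed, minimal view of an AD user object (not the connector's model)."""
    dn: str                # distinguishedName: changes on every OU move
    object_guid: str       # objectGUID: immutable for the lifetime of the object
    sam_account_name: str  # logon name: stable unless an admin renames the user

def move_account(account: AdAccount, new_ou_dn: str) -> AdAccount:
    """Simulate an OU move: only the DN changes, objectGUID and sAMAccountName do not."""
    rdn = account.dn.split(",", 1)[0]
    return replace(account, dn=f"{rdn},{new_ou_dn}")

# Constructed snapshot: what the IDM stored at its last explore, keyed by IDM user id.
STORED: Dict[str, AdAccount] = {
    "jdoe": AdAccount("CN=Jane Doe,OU=Sales,DC=example,DC=com",
                      "0f3c8e2a-5d71-4c9b-9b1e-2f6a7c8d9e01", "jdoe"),
    "broe": AdAccount("CN=Bob Roe,OU=Sales,DC=example,DC=com",
                      "9a2e4d6c-1b3f-4e8a-8c7d-5e4f3a2b1c00", "broe"),
}

def current_directory(reuse_old_dn: bool = False) -> List[AdAccount]:
    """Constructed 'live AD' after an admin moved Jane into OU=Finance.

    With reuse_old_dn=True a different user is later created at Jane's old DN,
    the worst case for any matcher keyed on the DN alone.
    """
    live = [move_account(STORED["jdoe"], "OU=Finance,DC=example,DC=com"), STORED["broe"]]
    if reuse_old_dn:
        live.append(AdAccount(STORED["jdoe"].dn,
                              "c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f", "jdoe2"))
    return live

def correlate(stored: Dict[str, AdAccount], live: List[AdAccount],
              key: str) -> Dict[str, Optional[AdAccount]]:
    """Match each stored account to a live one by the named attribute (None if no match)."""
    index = {getattr(acc, key): acc for acc in live}
    return {uid: index.get(getattr(acc, key)) for uid, acc in stored.items()}

def detect_moves(stored: Dict[str, AdAccount],
                 live: List[AdAccount]) -> List[Tuple[str, str, str]]:
    """Report (user id, old DN, new DN) for accounts whose GUID is found under a new DN."""
    by_guid = {acc.object_guid: acc for acc in live}
    moves = []
    for uid, old in stored.items():
        new = by_guid.get(old.object_guid)
        if new is not None and new.dn != old.dn:
            moves.append((uid, old.dn, new.dn))
    return moves

if __name__ == "__main__":
    live = current_directory()
    for key in ("dn", "object_guid", "sam_account_name"):
        matched = correlate(STORED, live, key)
        print(f"by {key:17}: jdoe -> {matched['jdoe'].dn if matched['jdoe'] else 'LOST'}")
    # With a new account created at Jane's old DN, DN matching silently picks the wrong user.
    wrong = correlate(STORED, current_directory(reuse_old_dn=True), "dn")["jdoe"]
    print(f"by dn, old DN reused: jdoe -> {wrong.sam_account_name}")
    print("moves:", detect_moves(STORED, live))
```

Keying on the DN loses the moved account (and, if the old DN is later reused, matches a different person, which is the more dangerous outcome for an access-management system); keying on objectGUID or the logon name survives the move, and the GUID-based comparison is also what lets a reconciliation run report the move itself rather than a delete plus a create.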