Symantec IGA

  • 1.  Correlation Attribute Offset/Length

    Posted Jun 25, 2020 02:38 PM
    I am trying to simplify the way we correlate a secondary AD Account. After looking into the documentation around Offset and Length, per what I am seeing this is mainly from the perspective of "Start at this Index and only take X characters".

    My question is, is it possible to approach it this way: "Take all Characters from 0 to (Attribute Length - X), where X is a constant value but Attribute Length isn't"? So for example, if I had the following:

    Global User Attribute = CustomField01 = Williams, Pete - Peter
    Active Directory Attribute = NT_AccountID = Williams, Pete - Peter ADM

    If I know the NT_AccountID will always be in this format "%UCU01% ADM", is it possible to say do the correlation match on:
    (Start of NT_AccountID) to ((Length of NT_AccountID) - 4) 
    or 
    Williams, Pete - Peter ADM


  • 2.  RE: Correlation Attribute Offset/Length

    Broadcom Employee
    Posted Jun 25, 2020 03:11 PM
    Peter, the problem I see here is that the front of the attribute is variable. The documentation states to use this if the beginning of the attribute is a known consistent length.

    In order to use:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-manager/14-3/reference/advanced-configuration-options/domain-configuration/explore-and-correlate-parameters.html#concept.dita_4d6f0802fc1615a30dd380dfef61297f924b7e4b_CorrelationAttribute
    In this form, you name the global user attribute and a specified substring of an account attribute of a specific endpoint type. 
    Offset indicates the start of the substring, the value 1 indicating the start of the attribute value. 
    Length indicates the number of characters in the substring value. If the full account value is shorter than (Length + Offset - 1) characters, the substring value that is used will be shorter than Length characters.
    A parameter value in this form applies only to the indicated endpoint type. Use this form if you know that an account attribute value (for example, description) has a form where the first eight characters are known to contain a unique employee identifier that can be matched to a global user attribute value.


    Account templates have more flexibility in this:
    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-manager/14-3/administrating/managed-endpoints-and-provisioning/provisioning-roles/advanced-rule-expressions/built-in-rule-functions.html


    Maybe someone in the community has run into this before.

    Bill Patton

    ------------------------------
    And, as always, perhaps there are others in the communities who have experience in doing this and we invite them to comment here also.

    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
    ------------------------------
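
The Offset/Length rule quoted in the reply above, modelled next to the "everything except the last 4 characters" rule from the question, as an added example that is not part of the thread and is not Identity Manager code. All function names and the sample accounts are constructed for illustration; it shows which accounts a fixed window leaves without an owner when the front of the attribute varies in length.

```python
# Added illustration; all names here are hypothetical, not Identity Manager APIs.

def correlation_substring(value: str, offset: int, length: int) -> str:
    """Offset/Length rule as quoted from the docs: Offset is 1-based, Length is
    a character count, and a value that is too short yields a shorter result."""
    if offset < 1 or length < 0:
        raise ValueError("offset starts at 1 and length cannot be negative")
    return value[offset - 1:offset - 1 + length]

def strip_suffix(value: str, suffix: str = " ADM"):
    """Rule asked for in the question: keep everything before a constant suffix.
    Returns None when the suffix is absent, so such accounts never match."""
    return value[:-len(suffix)] if value.endswith(suffix) else None

# Constructed sample data: global user CustomField01 values -> user names.
GLOBAL_USERS = {"Williams, Pete - Peter": "pwilliams", "Ng, Al - Al": "ang"}
# Constructed sample data: NT_AccountID values seen on the AD endpoint.
AD_ACCOUNTS = [
    "Williams, Pete - Peter ADM",
    "Ng, Al - Al ADM",
    "Svc Backup ADM",      # admin account with no matching global user
    "Jones, Amy - Amy",    # no " ADM" suffix
]

def correlate_fixed(accounts, users, offset, length):
    """Match on a fixed Offset/Length window of the account attribute."""
    return {a: users.get(correlation_substring(a, offset, length)) for a in accounts}

def correlate_suffix(accounts, users, suffix=" ADM"):
    """Match on the account attribute with the constant suffix removed."""
    out = {}
    for a in accounts:
        key = strip_suffix(a, suffix)
        out[a] = users.get(key) if key is not None else None
    return out

def uncorrelated(mapping):
    """Accounts left without an owner: candidates for an orphan-account review."""
    return sorted(a for a, owner in mapping.items() if owner is None)

if __name__ == "__main__":
    window = len("Williams, Pete - Peter")  # a Length tuned to one user's name
    print("fixed window :", uncorrelated(correlate_fixed(AD_ACCOUNTS, GLOBAL_USERS, 1, window)))
    print("suffix strip :", uncorrelated(correlate_suffix(AD_ACCOUNTS, GLOBAL_USERS)))
```

With a Length tuned to one user's name, the second ADM account stays uncorrelated even though its owner exists; the suffix rule leaves only the accounts that genuinely have no matching global user.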