Symantec IGA

  • 1.  Policy Xpress Question - Get User AD Account refresh info

    Posted Mar 25, 2020 11:55 AM

    Hi,

    I have one question. Right now I have one Px, and it can get a user's AD account locked status.

    Since each user has multiple AD accounts on the provision side, in my Px I have to do these steps:

    1. Get the AD account list from that user.

    2. Use an iterator to go through the list.

    3. Get the AD endpoint name from the account values by the account identifier.

    4. In the action, check the AD endpoint name. If the AD endpoint name matches, it will get the AD account locked status.

    But with this solution, I noticed provision will try to get all of the user's AD accounts every time the Px gets triggered.

    I am just wondering: in Px, is it possible to directly access one AD account instead of getting all AD accounts?

    Thanks

    Mark



  • 2.  RE: Policy Xpress Question - Get User AD Account refresh info

    Broadcom Employee
    Posted Mar 25, 2020 11:38 PM
    Hi Mark,

    If you utilize
       Category : Account, Type : Account Values
    you can specify the AD endpoint name. As long as you get the Account Name (user's full name) then you should be able to get the locked status directly without iteration.


    Regards,
    Widjaja.


  • 3.  RE: Policy Xpress Question - Get User AD Account refresh info

    Posted Mar 26, 2020 09:55 AM
    Widjaja,

    Thanks for your information. I made the same change but noticed the Account Name is not the user's Full Name.
    I used my existing Px to find out the Account Name and found that the Account Name is the user's AD account name.
    In my case, my test user account name is testUser0122, and here is my screenshot from the provision manager tool.
    If I hardcode testUser0122 into my new Px, I can get the locked status.
    Now I have a question: how can I get that information from IDM?

     


  • 4.  RE: Policy Xpress Question - Get User AD Account refresh info

    Posted Mar 26, 2020 10:45 AM

    Widjaja,

    In my provision directory, I found my test user account name is in the eTAccountName field. 

    Do you know how I can get that from Px?

    Thanks

    Mark




  • 5.  RE: Policy Xpress Question - Get User AD Account refresh info

    Broadcom Employee
    Posted Mar 26, 2020 10:39 PM
    Hi Mark,

    Unfortunately, if somehow you cannot get the account name from the IM User's attribute value, then we will fall back to your very first approach (I believe this will be the optimum approach you have), i.e. to get the list of the accounts and iterate. In other words, to directly get the account locked status we need to know the account name beforehand. In my lab, I can easily get the IM User's fullname attribute for the account name, but I understand it is not straightforward in your environment.

    Regards,
    Widjaja.


  • 6.  RE: Policy Xpress Question - Get User AD Account refresh info

    Posted Mar 26, 2020 11:47 PM
    Hi Widjaja,

    Thanks for your information; I understood that I cannot get that information from Px.
    Tonight I tried another way. In that task, I added a new "User Account" tab.
    From there, I want to display only AD accounts and only want to enable the "unlock" function.

    I was able to display only the "AD account" list, but I cannot figure out how to disable that search endpoint type function.
    Since Helpdesk is going to use this task, I need to make it as simple as possible.

    Here is my task screen,


    Click HMS AD Account List tab


    By default, that tab will display the user's AD account locked status.
    I am just wondering: is it possible to display only the search result and disable the search endpoint type? If I cannot disable the search endpoint type, can I always have only ActiveDirectory in that dropdown?

    Thanks

    Mark