Symantec IGA

  • 1.  CA IdM 12.6.5: Create AD Groups via User Interface

    Posted Sep 01, 2015 08:24 AM

    Hi all,

    In order to have an overview of the new CA IdM functionalities, I'm executing some tests, and at the moment I'm stuck on a simple problem with the Active Directory connector.

    How can I manage (create, delete and modify) Active Directory groups via the IdM User Interface? The Active Directory connector supports this operation and I was able to achieve it via Provisioning Manager, but what about the user interface?

    I found this document about it, but I'm not able to replicate the scenarios described in my environment because I can't see the menu item "Manage Endpoint Groups". Probably I have to import a specific role definition to enable the related admin task, but I don't know which one.

     

    Can anyone give me a hint please?

     

    Thanks in advance,

    Daniele



  • 2.  Re: CA IdM 12.6.5: Create AD Groups via User Interface

    Broadcom Employee
    Posted Sep 02, 2015 12:03 PM

    From the management console:

     

    The role defs that I have imported are:

    Active Directory | ActiveDirectory-RoleDef.xml | r12.6 v1.12 | r12.6 v1.12

    Then choose the correct upgrade file for your environment:

    Upgrade-12.5-to-12.6-RoleDefinitions | Upgrade-12.5-to-12.6-RoleDefinitions-NoOrganization.xml | r12.6 v1.2
    Upgrade-12.5-to-12.6-RoleDefinitions | Upgrade-12.5-to-12.6-RoleDefinitions-Organization.xml | r12.6 v1.2
    Upgrade-12.5-to-12.6-RoleDefinitions | Upgrade-12.5-to-12.6-RoleDefinitions-ProvisioningNoOrganization.xml | r12.6 v1.2
    Upgrade-12.5-to-12.6-RoleDefinitions | Upgrade-12.5-to-12.6-RoleDefinitions-ProvisioningOrganization.xml | r12.6 v1.2

    Then after this report back here.



  • 3.  Re: CA IdM 12.6.5: Create AD Groups via User Interface

    Posted Sep 02, 2015 12:10 PM

    The product currently does not allow for this from the IM User Console interface as it typically only directly manages account objects on templates. Engineering is aware of the popularity for AD Group Management and is looking into it. For now options are:

     

    Use Provisioning Manager and/or native ADS to create the groups first. If using native ADS they need to be explored in.

    Or have IM PX Policies execute Microsoft DSADD/DSMOD type commands that operate against the AD itself.

     

    Once the IM system is aware of those groups they can be added/removed to Account Templates which can be included in Provisioning Roles and then those Provisioning Roles can be added/removed to IM Users. Or again IM PX Policies that can add/remove groups to the AD Accounts.

     

    But again there are no IM User Console tasks for managing AD groups as there are for managing AD accounts. This is true for all endpoint types where only endpoint accounts are exposed/managed via the IM User Console at this time.

     

    - KennyV
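
Added example, not part of the thread and not CA/Broadcom code: a wrapper that a PX-policy-triggered script could use to build the `dsadd group` call mentioned above without letting user-supplied group names alter the DN or the command line. It assumes the policy passes the display name and sAMAccountName as separate values and that the parent OU is fixed in the script's own configuration; the function names and the sample DN are hypothetical.

```python
import re
import subprocess

# Conservative allow-list for sAMAccountName, chosen for this example.
SAMID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")
# Characters that would change DN structure if left unescaped (RFC 4514).
DN_SPECIAL = set(',+\\<>;=')


def escape_rdn_value(value):
    """Escape one RDN value so it stays a single DN component."""
    if not value or any(ord(c) < 0x20 or c == '"' for c in value):
        raise ValueError("empty value, control character or quote in group name")
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\" + ch if ch in DN_SPECIAL or edge else ch)
    return "".join(out)


def dsadd_group_argv(cn, samid, parent_dn):
    """Build the argument vector for a global security group.

    cn and samid are untrusted (assumed to arrive from the PX policy);
    parent_dn is assumed to be a fixed value from the script's own config.
    """
    if not SAMID_RE.fullmatch(samid):
        raise ValueError(f"rejected sAMAccountName: {samid!r}")
    group_dn = f"CN={escape_rdn_value(cn)},{parent_dn}"
    return ["dsadd", "group", group_dn,
            "-secgrp", "yes", "-scope", "g", "-samid", samid]


def create_group(cn, samid, parent_dn):
    # A list with shell=False means no command interpreter parses the values.
    argv = dsadd_group_argv(cn, samid, parent_dn)
    return subprocess.run(argv, shell=False, check=True,
                          capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample input; prints the command instead of running it.
    print(dsadd_group_argv("Sales, EMEA", "grp-sales-emea",
                           "OU=Groups,DC=example,DC=com"))
```

Running the service account behind such a script with rights delegated only on the target OU limits what a bad input can reach even if validation is bypassed.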



  • 4.  Re: CA IdM 12.6.5: Create AD Groups via User Interface

    Posted Sep 03, 2015 10:59 AM

    You said: "If using native ADS they need to be explored in."

     

    I'm currently experimenting with DSADD/DSMOD scripts triggered by PXP.  These scripts also leverage ETAUTIL for manipulating IM objects.  Is there a method to "trigger" an explore, if necessary?  Thanks!