16.1 Understanding and Configuring Active Directory and eDirectory Templates

Identity Governance provides the following templates for Active Directory and eDirectory:

  • AD Identity

  • AD Identity with changes

  • eDirectory Identity

  • eDirectory Identity (w/o IDM) with changes

  • eDirectory Hybrid permission

  • AD Account

  • AD Permission

  • AD Hybrid permission

  • Active Directory LDAP Fulfillment

  • eDirectory LDAP Fulfillment

For additional information about configuring AD and eDirectory templates, see the following sections:

16.1.1 About AD and eDirectory Collectors

To ensure synchronization of data from eDirectory to the Identity Governance catalog, the users or groups in eDirectory must have the required minimum rights in the eDirectory repository. The following rights are required for data synchronization:

  • For full synchronization: Read permission on the users and their attributes that are collected

  • For fast synchronization: Read permission on the users and their attributes that are collected

  • For fulfillment: Read and write permission on the users and their attributes for whom the fulfillment request is raised

The Identity Governance collectors for eDirectory have two identity collector templates. The eDirectory Identity template is used when the connected system has both eDirectory and Identity Manager installed, whereas the eDirectory Identity (w/o IDM) with changes template is used when the connected system has eDirectory installed with the change-log module. The change-log module enables the connector to recognize the changes that require publication from the connected system to the Identity Governance catalog.

For more information about collecting identities with change events, and about applying those changes, see Section 7.3, Collecting from Identity Sources with Change Events and Section 8.9, Understanding Change Event Processing.

For Identity Governance to associate the accounts and permissions with the identities available in the catalog, while configuring the template, in the Collect Account view, use mail as the Account-User Mapping attribute and email as the Map to attribute. In the Collect Permission view, use member as the Permission-Account or User Mapping attribute and Account ID from Source as the Map to attribute.
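The following added example illustrates what these two mapping settings mean for the collected data; it is not Identity Governance code, and the identity, account and group records are constructed samples. It joins accounts to identities on mail = email, then joins groups to accounts on member = Account ID from Source (assumed here to be the account DN), and reports the records that fail to join, which is what a reviewer of the collection results most needs to see: accounts with no owning identity, and group members that reference no collected account.

```python
"""Illustration of Account-User and Permission-Account mapping (added example)."""

# Constructed catalog identities; 'email' is the Map to attribute on the identity side.
IDENTITIES = [
    {"workforceID": "1001", "firstName": "Ada", "lastName": "Lovelace",
     "email": "Ada.Lovelace@example.com"},
    {"workforceID": "1002", "firstName": "Alan", "lastName": "Turing",
     "email": "alan.turing@example.com"},
]

# Constructed collected accounts; 'mail' is the Account-User Mapping attribute and
# 'dn' stands in for Account ID from Source (an assumption of this example).
ACCOUNTS = [
    {"dn": "cn=alovelace,ou=users,o=example", "mail": "ada.lovelace@example.com"},
    {"dn": "cn=aturing,ou=users,o=example", "mail": "alan.turing@example.com"},
    {"dn": "cn=svc-backup,ou=services,o=example", "mail": None},
]

# Constructed collected groups; 'member' is the Permission-Account Mapping attribute.
PERMISSIONS = [
    {"dn": "cn=Finance,ou=groups,o=example",
     "member": ["cn=alovelace,ou=users,o=example", "cn=ghost,ou=users,o=example"]},
    {"dn": "cn=Backup-Operators,ou=groups,o=example",
     "member": ["cn=svc-backup,ou=services,o=example"]},
]


def normalize(value):
    """Mail addresses and DNs compare case-insensitively; None stays None."""
    return value.strip().lower() if isinstance(value, str) else None


def map_accounts_to_users(accounts, identities, account_attr="mail", identity_attr="email"):
    """Join accounts to identities. Returns (mapped: account dn -> workforceID,
    unmapped: account dns with no matching identity)."""
    index = {}
    for ident in identities:
        key = normalize(ident.get(identity_attr))
        if key:
            index[key] = ident["workforceID"]
    mapped, unmapped = {}, []
    for acct in accounts:
        key = normalize(acct.get(account_attr))
        if key in index:
            mapped[acct["dn"]] = index[key]
        else:
            unmapped.append(acct["dn"])
    return mapped, unmapped


def map_permissions_to_accounts(permissions, accounts, member_attr="member"):
    """Join group members to collected accounts. Returns (mapped: permission dn ->
    list of account dns, dangling: (permission dn, member value) pairs whose member
    matches no collected account)."""
    known = {normalize(a["dn"]): a["dn"] for a in accounts}
    mapped, dangling = {}, []
    for perm in permissions:
        holders = []
        for member in perm.get(member_attr, []):
            acct = known.get(normalize(member))
            if acct:
                holders.append(acct)
            else:
                dangling.append((perm["dn"], member))
        mapped[perm["dn"]] = holders
    return mapped, dangling


def permissions_per_identity(identities=IDENTITIES, accounts=ACCOUNTS, permissions=PERMISSIONS):
    """Chain both joins: workforceID -> sorted permission dns, plus the permissions
    held by accounts that could not be tied to any identity."""
    acct_to_user, unmapped = map_accounts_to_users(accounts, identities)
    perm_to_accts, _ = map_permissions_to_accounts(permissions, accounts)
    by_user = {ident["workforceID"]: [] for ident in identities}
    orphan_perms = {dn: [] for dn in unmapped}
    for perm_dn, holders in perm_to_accts.items():
        for acct_dn in holders:
            if acct_dn in acct_to_user:
                by_user[acct_to_user[acct_dn]].append(perm_dn)
            else:
                orphan_perms[acct_dn].append(perm_dn)
    return {k: sorted(v) for k, v in by_user.items()}, orphan_perms


if __name__ == "__main__":
    users, orphans = permissions_per_identity()
    print("permissions per identity:", users)
    print("permissions held by unmapped accounts:", orphans)
```

Run as a script it prints the per-identity permission list and the groups held by the unmapped service account. Both failure cases are deliberate: the `svc-backup` account has no `mail` value, so it cannot be associated with an identity, and the `Finance` group lists a member DN that was never collected as an account.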

Identity Governance also provides eDirectory and AD hybrid collectors for collecting permissions. For more information about hybrid collectors, see Section 8.4, Understanding Hybrid Permission Collectors.

16.1.2 About Active Directory and eDirectory LDAP Fulfillment

If a user is present in Identity Governance but not in Active Directory or eDirectory, you can configure the respective fulfillment target to create the account.

NOTE: Before you configure a fulfillment target with either an Active Directory LDAP fulfillment type or an eDirectory LDAP fulfillment type, you must ensure that Active Directory collects the attributes required for fulfillment. To verify Active Directory or eDirectory LDAP collection, log in to Identity Governance and then click Data Sources > Application Definition Sources.

To configure the fulfillment target, in Step 4.b, you must provide values for the first name, last name, title, and workforceID fields.

In addition, when you configure Fulfillment item configuration and mapping, click {...}, then edit the transform script for the Account name generation payload to connect to the correct Active Directory or eDirectory server for the user.