6.3 Creating Identity Sources

Identity sources provide the information to build a catalog of the people within your organization. The information that you collect from your data sources can add as much personally identifiable information as you need to create the unique identity for each person.

NOTE:When you create identity sources, keep the following in mind:

  • If you are using the Identity Manager Identity collector, it must always be first in the list of collectors. Otherwise user authorizations will fail. For more information, see Section 6.3.1, Assigning Identity Manager as the Primary Identity Source.

  • If you collect data from two or more identity sources that have duplicate information for the Primary Supervisor ID from Source attribute, Identity Governance cannot merge or publish the data. After collecting each identity source, you must define extended attributes, such as Source1_userID and Source2_userID, for the Primary Supervisor ID from Source attribute. Then, to merge the information, specify the extended attributes as the Join to attribute for Primary Supervisor ID from Source.

  • Identity Governance provides Custom Collector SDK to create collectors. Contact your SaaS operations administrator if you need to create new collectors.

To create a identity source and collect identities and groups:

  1. Log in to Identity Governance as a Customer, Global, or Data Administrator.

  2. Select Data Sources.

  3. (Conditional) To create an identity source collector, select Identities.

  4. Select + to create an identity source collector from a template.

    or

    Select Import an Identity Source to specify a JSON file to import.

    IMPORTANT:To import a data source, you must first export the data source from the current version of Identity Governance. Data source files exported from earlier versions of Identity Governance do not import correctly to the current version. Hence, the data source must be recreated in the current version of Identity Governance.

  5. (Conditional) To collect from a CSV file, specify the full path to the file.

    The CSV collector supports TSV files. To use a TSV file, enter the word tab, in uppercase, lowercase, or any combination in the Column Delimiter field.

  6. (Conditional) To configure an identity source with change events collector, select a template name ending in with changes and observe the conditions listed in Section 6.2.4, Collecting from Identity Sources with Change Events. For more information, see Understanding Change Event Collection Status and Supported Attribute Syntaxes for eDirectory and Identity Manager Change Events Collection.

    NOTE:A change to the collector configuration suspends change event processing, which does not resume until a full batch collection and publication completes.

    IMPORTANT:For large scale changes, disable event collection, and enable it only for incremental change events.

  7. Specify all the mandatory fields for the data source.

    For more information, see the following content:

  8. Configure publication behavior.

  9. (Conditional) If you select Publish and Merge as your publication behavior, enable or disable New User Creation.

  10. (Conditional) To merge the collected data from an identity source, specify which attributes to match by selecting Match rule check box.

    As each identity source collector configured for publish and merge can potentially create new Identities in the catalog, you should always ensure that the mandatory User ID from Source attribute mapping is configured to collect an acceptable unique identifier that is appropriate for the catalog.

    IMPORTANT:When collecting identities using the publish and merge setting, matching attributes are mandatory for Identity Governance to include the user when publishing. If a secondary identity source has users that do not have the matching attribute defined in the collector, they will be collected, but they will not be published. For information about setting merge rules before publishing identities, see Section 8.1.2, Setting the Merge Rules for Publication.

  11. Save your settings.

  12. Select Test Collection and Troubleshooting.

    1. To ensure your settings are correct run test collections. For more information, see Section 5.8.3, Testing Collections.

    2. (Optional) To preview data, create emulation package. For more information, see Section 5.8.4, Creating Emulation Packages.

  13. Select Collect now icon on the Identities page individually.

  14. (Optional) Schedule a collection. For more information, see Section 9.0, Creating and Monitoring Scheduled Collections.

The first time you set up Identity Governance, you must collect and publish data after creating your data sources so that your catalog contains the data. For information about publishing identities, see Section 8.1, Publishing Identity Sources.

6.3.1 Assigning Identity Manager as the Primary Identity Source

You must assign Identity Manager as your primary identity source. If Identity Manager is not assigned as the primary identity source, user authorizations will fail with the following error:

You are authenticated and logged in, but you do not have access to the Identity Governance application. This means you logged in as a user who was valid in your authentication source, but has never been collected in Identity Governance or does not have access to the Identity Governance application.

Identity Governance expects the Identity Manager Collector to be the first collector in the list of Identities Collectors.

You can use one of the following workarounds to resolve this issue:

Workaround 1

  1. Log in to Identity Governance as the Bootstrap Administrator.

  2. Select Data Sources > Identities.

  3. Expand the Merging Rule.

  4. In the LDAP Distinguish Name field, change the value from None to Identity Manager Collector.

  5. Click Save, and then publish the change.

Workaround 2

  1. Log in to Identity Governance as the Bootstrap Administrator.

  2. Select Data Sources > Identities.

  3. Drag and drop the Identity Manager Identities Collector to be first in the list.

  4. Click Save, and then publish the change.

6.3.2 Understanding Change Event Collection Status

The event collection displays the following status:

Change Event Collection Status

Description

DISABLED

Event processing is not enabled for this collector and identity source. If event processing is enabled from this state, the state becomes BLOCKED, and the identity source must be collected and published before it can become READY.

BLOCKED

Event processing is enabled, but cannot proceed because the preconditions for processing change events were not met. For more information, see Section 6.2.4, Collecting from Identity Sources with Change Events.

READY

Event processing is enabled and not blocked, but awaiting scheduling to proceed.

IN_PROGRESS

Events are being polled for and processed.

NOTE:Event processing will be in progress either until a polling request returns no events or until the configured maximum event processing time is reached.

6.3.3 Supported Attribute Syntaxes for eDirectory and Identity Manager Change Events Collection

Identity Governance supports the collection of the following attribute syntaxes during eDirectory and Identity Manager change events collection:

  • Boolean

  • Case Exact String

  • Case Ignore List

  • Case Ignore String

  • Class Name

  • Counter

  • Distinguished Name

  • Integer

  • Integer 64

  • Interval

  • Numeric String

  • Object ACL

  • Octet String

  • Path

  • Postal Address

  • Printable String

  • Telephone Number

  • Time

  • Typed Name

  • Unknown