16.5 Understanding and Configuring Identity Manager Templates

Identity Governance provides the following templates for Identity Manager:

  • Identity Manager Identity

  • Identity Manager Account

  • Identity Manager AE Permission

  • Identity Manager Automated Fulfillment

  • Identity Manager Workflow

  • IDM Entitlement Account

  • IDM Entitlement Permission

  • IDM Entitlement Fulfillment

  • Identity Manager Dxcmd Fulfillment for Active Directory

For additional information about configuring Identity Manager templates, see the following sections:

16.5.1 Understanding Authentication Methods and Specifying Ordinals for IDM AE Permission Collectors and IDM Automated Fulfillment Targets

The Identity Manager AE Permission collector requires both LDAP and user application credentials. All objects including roles collected using this collector are represented as permissions in the Identity Governance catalog. Note that the Identity Manager Automated Fulfillment fulfiller also uses the same credentials.

Log in to the Cloud Bridge URL, then specify the ordinal when adding credentials.

Use the following table to understand the order and ordinal number that you need to specify for this collector.

Ordinal (Credential Position) | Authentication type | Credential Set
0 | LDAP | User Name used to connect to Identity Vault Server (cn=admin,ou=sa,o=system); Password
1 | User Application | User Name used to connect to User Application (cn=uaadmin,ou=sa,o=data); Password

16.5.2 About Identity Manager AE Permission Collectors

The Identity Manager AE Permission collector is an Application Source collector that creates the base Identity Manager application in Identity Governance and automatically generates subordinate applications that represent IDM Drivers, such as the CloudAD Driver and SAP User Management Driver, that support Identity Manager entitlements.

IMPORTANT: No other application source permission collector provides automatic generation of subordinate applications or accounts. This collector uses both LDAP calls into eDirectory and SOAP calls to the User Application to collect data. Because of the complexity of the relationships this collector manages, proceed with caution when changing the default values and mappings.

In SaaS environments, when using the Cloud Bridge to collect data from your on-premises data centers, you must specify ordinals for the respective authentication method in the Cloud Bridge user interface (http://<CBA IP address or DNS name>:8080).

Before collecting Identity Manager AE permissions, ensure that you have installed the Identity Manager applications. Additionally, when using the AD Driver with Identity Manager AE, ensure that the Remote Loader is running.

When configuring service parameters, ensure that you include the port number that you use to connect to your Identity Manager system in the User Application Base Provisioning Service URL field. Enter comma-separated values in the Additional permission attributes to collect field when you want to collect multiple attributes from Roles, Resources, Groups, and Container-type permissions in addition to the default attributes. When adding these additional permission attributes, you must also include the attributes in the collector views.

When the Identity Manager AE Permission collector collects any User record from the Identity Manager application that has an association with a subordinate application (through the DirXML Association attribute on the User), it receives an Account assignment for that subordinate application. The Identity Manager AE Permission collector also automatically maps the User record to the Identity Manager User.

If, after testing the connection and collecting data, you do not see the expected data in the Identity Governance Catalog, verify that your Account Collect LDAP Search Filter is configured correctly in the template, then use an LDAP search from the command line or an LDAP browser to confirm that the missing data is still available in your data source. You can also call the SOAP endpoint directly to get the refreshed values of the Identity Manager AE system attributes that are used for mapping.

16.5.3 About Identity Manager Automated Fulfillment

The Identity Manager Automated Fulfillment template enables automatic fulfillment of change requests related to Identity Manager AE permissions. Specify whether you want to use automated provisioning with manual fulfillment or a workflow as the fallback method, then specify the values associated with the fallback method. For more information, see Section 13.6.3, Automatically Fulfilling the Changeset.

NOTE: When an Identity Manager AE permission is requested in the Identity Governance Access Request, the idmDn attribute of the requesting user is used in the RBPM SOAP request as the <ser:requester>. If this value is not a valid user DN in the target Identity Manager system, the fulfillment request fails.
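Two values in the preceding sections must be syntactically right before a run can succeed: the Account Collect LDAP Search Filter in the collector template (Section 16.5.2) and the requesting user's idmDn that becomes the <ser:requester> (the note above). The following is an added example, not Identity Governance or Identity Manager code: parse_filter() checks a filter against a simplified RFC 4515 grammar, and parse_dn() / check_requester_dn() confirm that an idmDn is a well-formed RFC 4514 DN under a container you expect. The default container o=data is taken from this page's User Application example and is an assumption, not a rule; the checks catch malformed values early and do not replace an ldapsearch against the vault.

```python
# Added example (not Identity Governance code): syntax checks for the LDAP search
# filter in the collector template and for the idmDn used as <ser:requester>.
# Simplified RFC 4515 / RFC 4514 grammars; numeric OIDs and multi-valued RDNs
# are not handled because eDirectory user DNs and typical filters do not need them.
import re


class LdapSyntaxError(ValueError):
    """Raised for a filter or DN that cannot be parsed."""


# Attribute description: a name plus optional ;options.
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*")


def parse_filter(text: str):
    """Parse an RFC 4515 filter into nested tuples, e.g.
    ('&', [('=', 'objectClass', 'User'), ('!', [('=', 'loginDisabled', 'TRUE')])])."""
    node, pos = _parse_node(text, 0)
    if pos != len(text):
        raise LdapSyntaxError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def is_valid_filter(text: str) -> bool:
    """True when parse_filter() accepts the text (handy when validating a template value)."""
    try:
        parse_filter(text)
        return True
    except LdapSyntaxError:
        return False


def _parse_node(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise LdapSyntaxError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise LdapSyntaxError("unterminated filter")
    op = text[pos]
    if op in "&|":                      # (&(...)(...)) and (|(...)(...))
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse_node(text, pos)
            children.append(child)
        if not children:
            raise LdapSyntaxError(f"'{op}' needs at least one nested filter")
        node = (op, children)
    elif op == "!":                     # (!(...))
        child, pos = _parse_node(text, pos + 1)
        node = ("!", [child])
    else:                               # (attr=value); a literal ')' in a value must be escaped as \29
        end = text.find(")", pos)
        if end == -1:
            raise LdapSyntaxError("missing ')'")
        node = _parse_item(text[pos:end])
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise LdapSyntaxError(f"expected ')' at offset {pos}")
    return node, pos + 1


def _parse_item(item):
    eq = item.find("=")
    if eq <= 0:
        raise LdapSyntaxError(f"no 'attr=value' in {item!r}")
    if item[eq - 1] in "<>~":           # <=, >=, ~=
        attr, op, value = item[:eq - 1], item[eq - 1:eq + 1], item[eq + 1:]
    else:
        attr, op, value = item[:eq], "=", item[eq + 1:]
    if not _ATTR.fullmatch(attr):
        raise LdapSyntaxError(f"bad attribute name {attr!r}")
    if value == "":
        raise LdapSyntaxError(f"empty value for {attr!r}")
    if "*" in value and op != "=":
        raise LdapSyntaxError(f"'*' is only valid with '=' ({item!r})")
    if value == "*":
        return ("present", attr)
    if "*" in value:
        return ("substring", attr, value)
    return (op, attr, value)


def parse_dn(dn: str):
    """Split an RFC 4514 DN into [(type, value), ...], keeping backslash escapes intact."""
    if not dn or not dn.strip():
        raise LdapSyntaxError("empty DN")
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped pair such as \, is part of the value
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not _ATTR.fullmatch(attr) or not value:
            raise LdapSyntaxError(f"malformed RDN {rdn!r}")
        out.append((attr, value))
    return out


def _normalize(dn: str) -> str:
    return ",".join(f"{t.lower()}={v}" for t, v in parse_dn(dn))


def check_requester_dn(idm_dn, expected_suffixes=("o=data",)):
    """Return (ok, reason): is idm_dn a well-formed DN under one of the expected containers?
    o=data is an assumption taken from this page's User Application example."""
    try:
        norm = _normalize(idm_dn)
    except LdapSyntaxError as exc:
        return False, f"idmDn is not a valid DN: {exc}"
    for suffix in expected_suffixes:
        base = _normalize(suffix)
        if norm == base or norm.endswith("," + base):
            return True, "ok"
    return False, f"idmDn {idm_dn!r} is outside the expected containers {tuple(expected_suffixes)}"
```

Run check_requester_dn() over the idmDn values of the identities that are allowed to request Identity Manager AE permissions before opening requests for them; a DN that fails here would also fail inside the RBPM SOAP call, but with far less useful diagnostics.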

16.5.4 About Identity Manager Entitlement Collectors

The Identity Manager Entitlement collectors are for users who want to use Identity Governance to provision or revoke accounts and permissions. The entitlement collectors collect accounts and permissions from Identity Manager using IDM drivers that support entitlements such as Azure, Workday, and SCIM drivers. Like the other Identity Governance collectors, the entitlement collectors map accounts and permissions to identities by association or other attributes. To successfully collect accounts and permissions:

  • You must have collected identities from Identity Manager, and

  • All supported drivers must be running

    NOTE: For the list of supported drivers, see Identity Governance Quick Start.

You can use the account collectors to collect accounts and the permission collectors to collect permissions and their assignments. For example, the permission collector can collect the building access permission (list of buildings) and assignments (who can access the building).

In addition to IDM credentials, the LDAP distinguished name of the entitlement in the IDM driver is also a mandatory field for the entitlement collectors.

Typically, attribute mappings are preconfigured and have built-in fallback options. For example, by default, the collector maps the account or permission name to the IDM display name. If the collection process does not find the display name, the collector automatically maps the account or permission name to other available attributes, such as the description. However, you do need to change the default Account-User Mapping value from GUID to Object GUID, and the default Permission-Account or User Mapping value from association to Account ID from source.

16.5.5 About IDM Entitlement Fulfillment

The IDM Entitlement fulfillment target supports only the following fulfillment change requests:

  • ADD_APPLICATION_TO_USER

  • ADD_PERMISSION_TO_USER

  • REMOVE_ACCOUNT_PERMISSION

  • REMOVE_PERMISSION_ASSIGNMENT

  • REMOVE_ACCOUNT

When a change request is sent to Identity Manager for fulfillment, the fulfiller modifies the User attribute DirXML-EntitlementRef. The IDM engine then sends an event to the driver to ensure that the entitlement is fulfilled.

To successfully fulfill entitlement-related change requests:

  • Identities must have been collected from Identity Manager

  • Users must still be present in Identity Manager

  • All the fulfillment context attributes required for Recipient (User), Account, and Permission profiles must be specified
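The conditions above, together with the list of supported change request types and the fallback method described in Section 16.5.3, can be applied as a pre-flight check before a request is handed to Identity Manager. The following is an added example and not Identity Governance code: preflight() returns the automated route only when every condition holds, and otherwise routes the request to the configured fallback (manual fulfillment or a workflow). The mapping of change request types to the Recipient, Account and Permission profiles, the required attributes per profile, and the identity sets are constructed sample data; in a deployment the required attributes come from the template and the identity sets from collection and a lookup against the vault.

```python
# Added example (not Identity Governance code): pre-flight check for an IDM
# Entitlement fulfillment request. Conditions are the ones this section lists;
# profile requirements and identity sets are constructed sample inputs.
from dataclasses import dataclass, field

# Change request types the IDM Entitlement fulfillment target supports (from this section).
SUPPORTED_CHANGE_TYPES = frozenset({
    "ADD_APPLICATION_TO_USER",
    "ADD_PERMISSION_TO_USER",
    "REMOVE_ACCOUNT_PERMISSION",
    "REMOVE_PERMISSION_ASSIGNMENT",
    "REMOVE_ACCOUNT",
})

# Which fulfillment context profiles each type needs. This split is an assumption
# made for the example; the page only says every required attribute must be present.
PROFILES_BY_TYPE = {
    "ADD_APPLICATION_TO_USER": ("recipient", "account"),
    "ADD_PERMISSION_TO_USER": ("recipient", "permission"),
    "REMOVE_ACCOUNT_PERMISSION": ("recipient", "account", "permission"),
    "REMOVE_PERMISSION_ASSIGNMENT": ("recipient", "permission"),
    "REMOVE_ACCOUNT": ("recipient", "account"),
}


@dataclass
class ChangeRequest:
    change_type: str
    context: dict          # {"recipient": {...}, "account": {...}, "permission": {...}}


@dataclass
class Decision:
    route: str             # "automated", "manual" or "workflow"
    reasons: list = field(default_factory=list)


def preflight(req, collected_identities, idm_users, required_context, fallback="manual"):
    """Return Decision('automated') only when every listed condition holds.

    collected_identities: idmDn values of identities collected from Identity Manager.
    idm_users:            idmDn values still present in Identity Manager (live lookup).
    required_context:     {profile: {attribute, ...}} as configured in the template.
    fallback:             'manual' or 'workflow', the fallback method of the target.
    """
    if fallback not in ("manual", "workflow"):
        raise ValueError("fallback must be 'manual' or 'workflow'")
    reasons = []
    if req.change_type not in SUPPORTED_CHANGE_TYPES:
        reasons.append(f"{req.change_type} is not a supported change request type")
    idm_dn = req.context.get("recipient", {}).get("idmDn")
    if not idm_dn:
        reasons.append("recipient profile has no idmDn")
    else:
        if idm_dn not in collected_identities:
            reasons.append(f"{idm_dn} was not collected from Identity Manager")
        if idm_dn not in idm_users:
            reasons.append(f"{idm_dn} is no longer present in Identity Manager")
    # Every profile the request type touches must carry all of its required attributes.
    for profile in PROFILES_BY_TYPE.get(req.change_type, ("recipient",)):
        given = {k for k, v in req.context.get(profile, {}).items() if v not in (None, "")}
        missing = sorted(required_context.get(profile, set()) - given)
        if missing:
            reasons.append(f"{profile} profile is missing {missing}")
    return Decision("automated" if not reasons else fallback, reasons)
```

The reasons list is what a fulfillment administrator needs when a request lands in the manual queue: it names the unmet condition (unsupported type, recipient missing from Identity Manager, or an empty context attribute) rather than leaving only a failed driver event to work back from.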