16.5 Understanding and Configuring Identity Manager Templates

Identity Governance provides the following templates for Identity Manager:

  • Identity Manager Identity

  • Identity Manager Account

  • Identity Manager AE Permission

  • Identity Manager Automated Fulfillment

  • Identity Manager Workflow

  • IDM Entitlement Account

  • IDM Entitlement Permission

  • IDM Entitlement Fulfillment

  • Identity Manager Dxcmd Fulfillment for Active Directory

For additional information about configuring Identity Manager templates, see the following sections:

16.5.1 Understanding Authentication Methods and Specifying Ordinals for IDM AE Permission Collectors and IDM Automated Fulfillment Targets

The Identity Manager AE Permission collector requires both LDAP and user application credentials. All objects including roles collected using this collector are represented as permissions in the Identity Governance catalog. Note that the Identity Manager Automated Fulfillment fulfiller also uses the same credentials.

Log in to the Cloud Bridge URL, then specify the ordinal when adding credentials.

Use the following table to understand the order and ordinal number that you need to specify for this collector.

Ordinal (Credential Position)

Authentication type

Credential Set



  • User Name used to connect to Identity Vault Server (cn=admin,ou=sa,o=system)

  • Password


User Application

  • User Name used to connect to User Application (cn=uaadmin,ou=sa,o=data)

  • Password

16.5.2 About Identity Manager AE Permission Collectors

The Identity Manager AE Permission collector is an Application Source collector that creates the base Identity Manager application in Identity Governance and automatically generates subordinate applications that represent IDM Drivers, such as the CloudAD Driver and SAP User Management Driver, that support Identity Manager entitlements.

IMPORTANT:No other application source permission collector provides automatic generation of subordinate applications or accounts. This collector uses both LDAP calls into eDirectory and SOAP calls to the user applications to collect data. Due to the complexity of the relationships managed by this collector, proceed with caution when changing the default values and mappings.

In SaaS environments, when using the Cloud Bridge to collect data from your on-premises data centers, you will need to specify ordinals for the respective authentication method in the Cloud Bridge user interface (http://localhost (CBA IP address or DNS name):8080).

Before collecting Identity Manager AE permissions, ensure that you have installed Identity Manager applications. Additionally, when using AD Driver with Identity Manager AE, ensure that the Remote Loader is running.

When configuring service parameters, ensure that you include the port number that you use to connect to your Identity Manager system in the User Application Base Provisioning Service URL field. Enter comma-separated values in the Additional permission attributes to collect field when you want to collect multiple attributes from Roles, Resources, Groups, and Container-type permissions in addition to the default attributes. When adding these additional permission attributes, you must also include the attributes in the collector views.

When the Identity Manager AE Permission collector collects any User record from the Identity Manager application that has an association with a subordinate application (through the DirXML Association attribute on the User), it receives an Account assignment for that subordinate application. The Identity Manager AE Permission collector also automatically maps the User record to the Identity Manager User.

If, after testing the connection and collecting data, you do not see the expected data in the Identity Governance Catalog, verify that your Account Collect LDAP Search Filter is configured correctly in the template, then use LDAP search from the command line or LDAP browser to confirm that the missing data is still available in your data source. You can also directly call the SOAP endpoint to get the refreshed values of the Identity Manager AE system attributes that are used for mapping.

16.5.3 About Identity Manager Automated Fulfillment

The Identity Manager Automated Fulfillment template enables automatic fulfillment of change requests related to Identity Manager AE permissions. Specify whether you want to use automated provisioning with manual fulfillment or a workflow as the fallback method, then specify the values associated with the fallback method. For more information, see Section 13.6.3, Automatically Fulfilling the Changeset.

NOTE:When an Identity Manager AE permission is requested in the Identity Governance Access Request, the idmDn attribute of the requesting user is utilized in the RBPM SOAP request as the <ser:requester>. If this value is not a valid user DN in the target Identity Manager system, the fulfillment request will fail.

16.5.4 About Identity Manager Entitlement Collectors

The Identity Manager Entitlement collectors are for users who want to use Identity Governance to provision or revoke accounts and permissions. The entitlement collectors collect accounts and permissions from Identity Manager using IDM drivers that support entitlements such as Azure, Workday, and SCIM drivers. Like the other Identity Governance collectors, the entitlement collectors map accounts and permissions to identities by association or other attributes. To successfully collect accounts and permissions:

  • You must have collected identities from Identity Manager, and

  • All supported drivers must be running

    NOTE:For the list of supported drivers, see Identity Governance Quick Start.

You can use the account collectors to collect accounts and the permission collectors to collect permissions and their assignments. For example, the permission collector can collect the building access permission (list of buildings) and assignments (who can access the building).

In addition to IDM credentials, the LDAP distinguished name of the entitlement in the IDM driver is also a mandatory field for the entitlement collectors.

Typically, attribute mappings are preconfigured and have built-in fallback options. For example, by default, the collector maps the account or permission name to the IDM display name. If the collection process does not find the display name, the collector automatically maps the account or permission name to other available attributes such as the description. However, you do need to change the default Account-User Mapping value GUID to Object GUID and the default Permission-Account or User Mapping value association to Account ID from source.

16.5.5 About IDM Entitlement Fulfillment

The IDM Entitlement fulfillment target supports only the following fulfillment change requests:






When a change request is sent to Identity Manager for fulfillment, the fulfiller modifies the User Attribute DirXML-EntitlementRef. The IDM engine then sends an event to the driver to ensure that the entitlement is fulfilled.

To successfully fulfill entitlement-related change requests:

  • Identities must have been collected from Identity Manager

  • Users must still be present in Identity Manager

  • All the fulfillment context attributes required for Recipient (User), Account, and Permission profiles must be specified