8.4 Understanding Hybrid Permission Collectors

Identity Governance includes two hybrid collectors: eDirectory and Active Directory (AD). Hybrid collectors are used to collect:

  • Permissions not related to application resources

  • Applications that use eDirectory or Active Directory for authorization but do not utilize groups to assign the application permissions

  • Details about the permissions themselves (such as name and description) that cannot be derived from the assignment information maintained in eDirectory or Active Directory

    For example, Active Directory may represent access to an application by storing values in a custom attribute (for example, myAppAssignments) on the account objects. Those permission assignments can be collected with an LDAP collector, with the permission holder mapping pointing at the custom attribute. However, the details of the permission objects (such as name and description) are not available as Active Directory objects; they are records in a CSV file. In that situation, the Permission entities must be collected using a CSV collection method, and the Permission to Holder relationships using LDAP.

In a standard permission collector, the permissions and the holder assignments must be collected using the same application connection method. The hybrid permission collectors allow the permission data to be collected from a CSV file and the holder assignment data to be collected using LDAP. Note that for CSV permission collections, just as with other CSV collections, data administrators need to generate the CSV and make it available to the Identity Governance service through a file share, HTTP, or the local file system. Because the permission records come from that file rather than from the directory, the file is the authoritative source for the permission catalog, so its generation and placement should be controlled like any other collector input.
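The split described above, as an added example that is not part of the Identity Governance documentation or product: the permission catalog is read from a CSV, the holder assignments are read from a multi-valued attribute on the directory accounts, and the two are joined on the permission identifier. The attribute name myAppAssignments follows the text; the CSV column names, the LDIF-style account dump (standing in for an LDAP search result), and the accounts and permissions in it are constructed for this example. Assignment values that match no CSV record are reported separately rather than silently dropped, since those are entitlements the catalog cannot describe.

```python
import csv
import io

# Constructed sample permission catalog (hypothetical column names).
PERMISSIONS_CSV = """permission_id,name,description
PERM-101,Ledger Read,Read-only access to the general ledger
PERM-102,Ledger Post,Post journal entries to the general ledger
PERM-103,Payroll Admin,Administer payroll runs
"""

# Constructed LDIF-style dump standing in for an LDAP search result over
# the account objects. myAppAssignments is the custom multi-valued
# attribute named in the text; the accounts and values are made up.
ACCOUNTS_LDIF = """dn: CN=Alice Ng,OU=Users,DC=example,DC=com
sAMAccountName: ang
myAppAssignments: PERM-101
myAppAssignments: PERM-102

dn: CN=Bob Reyes,OU=Users,DC=example,DC=com
sAMAccountName: breyes
myAppAssignments: PERM-103
myAppAssignments: PERM-999

dn: CN=Svc Batch,OU=Service,DC=example,DC=com
sAMAccountName: svc-batch
"""

ALICE_DN = "CN=Alice Ng,OU=Users,DC=example,DC=com"
BOB_DN = "CN=Bob Reyes,OU=Users,DC=example,DC=com"
SVC_DN = "CN=Svc Batch,OU=Service,DC=example,DC=com"


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, each
    'name: value' line adds one value, repeated names accumulate, and
    continuation lines (leading space) are folded back. Base64 ('::')
    values are not handled; a real collector would use an LDAP client."""
    folded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and folded:
            folded[-1] += raw[1:]
        else:
            folded.append(raw)
    entries, current = [], {}
    for line in folded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def load_permissions(csv_text):
    """CSV side of the hybrid collection: the Permission entities.
    Returns {permission_id: {"name": ..., "description": ...}}."""
    perms = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = row["permission_id"].strip()
        if pid in perms:
            raise ValueError(f"duplicate permission id in CSV: {pid}")
        perms[pid] = {"name": row["name"], "description": row["description"]}
    return perms


def load_holder_assignments(ldif_text, attr="myAppAssignments"):
    """LDAP side of the hybrid collection: the holder mapping reads the
    custom attribute on each account. Returns {dn: [permission_id, ...]};
    accounts without the attribute map to an empty list."""
    return {entry["dn"][0]: entry.get(attr, []) for entry in parse_ldif(ldif_text)}


def join_permission_holders(perms, holders):
    """Build Permission to Holder relationships keyed on the permission id.
    Returns (relations, unresolved): relations is a list of
    (permission_id, holder_dn); unresolved lists (holder_dn, value) pairs
    whose value has no record in the CSV catalog."""
    relations, unresolved = [], []
    for dn, values in holders.items():
        for value in values:
            if value in perms:
                relations.append((value, dn))
            else:
                unresolved.append((dn, value))
    return relations, unresolved


if __name__ == "__main__":
    catalog = load_permissions(PERMISSIONS_CSV)
    assignments = load_holder_assignments(ACCOUNTS_LDIF)
    rels, missing = join_permission_holders(catalog, assignments)
    for pid, dn in rels:
        print(f"{catalog[pid]['name']:<14} -> {dn}")
    for dn, value in missing:
        print(f"UNRESOLVED: {dn} holds {value}, which is not in the CSV catalog")
```

The unresolved list is the check worth keeping in a real pipeline: a value on the account that no CSV record explains is still an assignment in the directory, and dropping it would leave that access out of the review.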