6.4 Migrating an Identity Collector to a Change Event Identity Collector

If you have upgraded from a previous version of Identity Governance or if you want to migrate an existing identity collector to one that accepts change events, use the Identity Source Migration utility to update your Active Directory, eDirectory, or Identity Manager data collector to accept change events. The identity collector you are migrating must publish using the Publish without merging or the Do not publish setting.

NOTE: Identity Governance 3.0.1 and later support change event identity collectors.

  1. Upgrade to Identity Governance 3.6 and make sure that Identity Governance is up and running.

  2. Verify that the idgov/bin/rtc-migration.sh (Linux) or c:\netiq\idm\apps\idgov\bin\rtc-migration.bat (Windows) file references the jar file idgov/lib/ig-migration.jar (Linux) or c:\netiq\idm\apps\idgov\lib\ig-migration.jar (Windows).

  3. Run the command-line utility from the server where Identity Governance is installed.

    • Linux: From the default location /opt/netiq/idm/apps/idgov/bin/, enter ./rtc-migration.sh

    • Windows: From the default location c:\netiq\idm\apps\idgov\bin\, enter rtc-migration.bat at a command prompt.

  4. Provide the information needed to connect and authenticate to Identity Governance and the authentication server. When the utility successfully connects, it displays a numbered list of discovered identity sources.

  5. Enter the number displayed next to the identity source to migrate.

  6. The utility runs checks to determine whether the source is suitable for migration. If the checks succeed, confirm to proceed with the migration. If any check fails, review the messages and then either address the problem areas, select a different source, or quit the utility.

  7. (Conditional) If you confirm to proceed with migration, enter a local file name for the utility to back up the current collector configuration.

  8. After the utility applies updates and exits with a success message, review the following updates to the collector configuration when viewed in Identity Governance:

    • The template (shown just under the collector name) has been changed to the "with changes" variant of the template that was in use before the update.

    • After the Collector name is a new Enable Change Event Collection option, which is unchecked. To enable event processing, select this option, and then collect and publish the identity source.

    • The Service Parameters remain unchanged.

    • Under Collect Identity (the user view):

      • The Base Dn parameter is no longer required, but the value has not been changed. Omitting a value here will cause the entire LDAP tree to be collected.

      • (Conditional) For an Active Directory identity change event source, a new parameter, LDAP Search Filter for Identity Object Changes, has been added with the value (objectClass=user). This parameter identifies the events from Active Directory DirSync or AD Connect that should be delivered to Identity Governance in this view. Modify this parameter only if other object classes in the local AD correspond to users, and then only by adding further objectClass terms to the LDAP expression.

      • (Conditional) For an Active Directory identity change event source, a new parameter, AD Object Categories for Changes, has been added with the value user. You can modify this value if needed by adding other object category names in a comma-separated list.

      • User ID from Source has been set to OBJ_ID. Do not change.

      • The Object GUID parameter is now required. Its value is set to objectGUID. Do not change.

      • LDAP Distinguished Name has been set to OBJ_ID. You can remove this value if you do not need to collect the dn separately from the userId. Do not assign any other value.

    • Under Collect Group (the group view):

      • The Base Dn parameter is no longer required, but the value has not been changed. Omitting a value here will cause the entire LDAP tree to be collected.

      • A new parameter, LDAP Search Filter for Identity Object Changes, has been added with the value (objectClass=group). This parameter identifies the events from Active Directory DirSync or AD Connect that should be delivered to Identity Governance in this view. Modify this value only if other object classes in the local AD correspond to groups, and then only by adding further objectClass terms to the LDAP expression.

      • A new parameter, AD Object Categories for Changes, has been added with the value group. You can modify this value if needed by adding other object category names in a comma-separated list.

      • Group ID from Source has been set to OBJ_ID. Do not change.

      • A new parameter, Object GUID, has been added with value objectGUID. Do not change.
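The only edits the page permits to the new change-event parameters are adding objectClass terms to the LDAP search filter and adding names to the comma-separated object category list. The following added example (not part of the Identity Governance documentation or product code) builds those two values for the user and group views and checks that an edited filter still contains the default term, so that a change does not silently drop user or group events. The function names, and the extra values inetOrgPerson and contact, are assumptions chosen for illustration, not values the page prescribes.

```python
"""Build and sanity-check the two editable change-event collector parameters.
Added example; function names and the sample extra values are assumptions."""

# RFC 4515 escaping for characters that are special inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is safe to embed in an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_change_filter(base_class: str, extra_classes=()) -> str:
    """Value for 'LDAP Search Filter for Identity Object Changes'.

    With no extras this reproduces the default the migration utility sets,
    e.g. (objectClass=user). With extras it is an OR of objectClass terms,
    which is the only kind of edit the documentation allows."""
    classes = [base_class]
    for cls in extra_classes:
        if cls.lower() not in {c.lower() for c in classes}:
            classes.append(cls)
    terms = [f"(objectClass={escape_filter_value(c)})" for c in classes]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def build_object_categories(base_category: str, extra_categories=()) -> str:
    """Value for 'AD Object Categories for Changes': a comma-separated list,
    base category first, duplicates and blank entries removed."""
    kept = []
    for cat in [base_category, *extra_categories]:
        cat = cat.strip()
        if cat and cat.lower() not in {k.lower() for k in kept}:
            kept.append(cat)
    return ",".join(kept)


def balanced_parens(text: str) -> bool:
    """True if every '(' in the filter has a matching ')' (the filter starts with '(')."""
    depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and text.startswith("(")


def filter_keeps_default_class(filter_text: str, base_class: str) -> bool:
    """Check that an edited filter is well formed and still contains the default
    objectClass term, i.e. that terms were only added, never replaced."""
    wanted = f"(objectClass={escape_filter_value(base_class)})".lower()
    return balanced_parens(filter_text) and wanted in filter_text.lower()


if __name__ == "__main__":
    # Identity view: default plus one hypothetical extra user class.
    user_filter = build_change_filter("user", ["inetOrgPerson"])
    print("identity filter:", user_filter)
    print("identity categories:", build_object_categories("user"))
    # Group view: default plus one hypothetical extra category.
    print("group filter:", build_change_filter("group"))
    print("group categories:", build_object_categories("group", ["contact"]))
    # An edit that replaced the default term instead of adding to it fails the check.
    print("valid edit:", filter_keeps_default_class(user_filter, "user"))
    print("invalid edit:", filter_keeps_default_class("(objectClass=inetOrgPerson)", "user"))
```

Run filter_keeps_default_class against the value shown in the collector configuration before saving an edited filter; a result of False means the default objectClass term was removed or the parentheses no longer balance, either of which would stop the expected user or group events from reaching Identity Governance.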