What is the impact of a domain migration in RSA Identity Governance and Lifecycle

Issue

This article discusses the impact of Domain Name changes on the RSA Identity Governance and Lifecycle product.

  • To prepare for a domain consolidation project, users have been imported from the production domain into a sub-level OU in a test domain.
  • Now that the migration has actually started, the users need to be imported into a different OU at the primary level to match the production OU.
  • Do the rules and roles need to be updated to change from one OU to another?
Resolution

Rules and roles do not need to be changed, provided the recommended Entitlement Name format has been followed. The recommended Entitlement Name format is the resource:action pair name, for example:

Entitlement Name = Account : Edit All

For the RSA Identity Governance and Lifecycle product, Domain Name changes should only impact Collector and Connector definitions, and Account Entitlements (typically collected from an LDAP source, like Microsoft's Active Directory). For all other objects, once the data is collected, the Domain Name is no longer used. Domain Names are typically used to identify Internet resources, such as computers, networks, and services, but not users, accounts, application names or Entitlements.

Further to the customer scenario above, an organizational unit (OU) is different from a Domain Name. An OU provides a way of classifying objects located in directories, or names in a digital certificate hierarchy. OUs are typically used either to differentiate between objects with the same name, or to organize object creation and management. However, one case where a change in the OU may be an issue is an Account Entitlement whose name contains the OU, for example:

Entitlement Name = CN=ACME_Users,OU=OU_Applications,OU=OU_AccessGroups,DC=acme,DC=com

In this case, if the users need to be imported into a different OU, then RSA Identity Governance and Lifecycle can only treat them as different from the OU data it has already stored. Therefore, the different OU data would need to be collected as part of an Account Data Collection, rather than being modified within the RSA Identity Governance and Lifecycle product.
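
To find out before a migration which Entitlement Names embed the OU path, an exported list of names can be checked offline. The script below is an added example, not RSA code and not part of the product: it works only on plain strings, and the function names, the sample list (the two names from this article plus two constructed ones) and the `OLD_BASE` value are assumptions. It compares names case-insensitively and does not handle multi-valued RDNs.

```python
import re

RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")

def split_rdns(dn):
    """Split on commas that are not backslash-escaped (RFC 4514 escaping)."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if ch == "," and not esc:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        esc = (ch == "\\") and not esc
    parts.append("".join(cur))
    return parts

def parse_dn(name):
    """Return [(TYPE, value), ...], or None when the name is not a DN."""
    rdns = []
    for part in split_rdns(name):
        m = RDN.match(part)
        if m is None:
            return None
        rdns.append((m.group(1).upper(), m.group(2).lower()))
    return rdns

def classify(name, old_base):
    """'not-a-dn', 'dn-under-base' or 'dn-elsewhere' for one Entitlement Name."""
    dn, base = parse_dn(name), parse_dn(old_base)
    if base is None:
        raise ValueError("old_base must be a distinguished name")
    if dn is None:
        return "not-a-dn"  # e.g. resource:action names, unaffected by an OU move
    under = len(dn) > len(base) and dn[-len(base):] == base
    return "dn-under-base" if under else "dn-elsewhere"

# Constructed sample: the two names from the article plus two made-up ones.
SAMPLE = [
    "Account : Edit All",
    "CN=ACME_Users,OU=OU_Applications,OU=OU_AccessGroups,DC=acme,DC=com",
    "CN=Ops\\, Tier 2,OU=OU_AccessGroups,DC=acme,DC=com",
    "CN=ACME_Admins,OU=OU_Other,DC=acme,DC=com",
]
OLD_BASE = "OU=OU_AccessGroups,DC=acme,DC=com"  # assumed OU being replaced

def report(names=SAMPLE, old_base=OLD_BASE):
    return {n: classify(n, old_base) for n in names}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{verdict:14} {name}")
```

Names reported as `dn-under-base` are the ones that will appear as different entitlements once the accounts are collected from the new OU.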