|Applies To||RSA Product Set: RSA Identity Governance and Lifecycle |
RSA Version/Condition: 6.9 +
|Issue||This article discusses the impact of Domain Name changes on the RSA Identity Governance and Lifecycle product.|
|Tasks||For further information on domain name, please review the following documents;|
|Resolution||Rules and roles do not need to be changed, providing the recommended Entitlement Name format has been followed. The recommended Entitlement Name format is the resource:action pair name, for example:|
Entitlement Name = Account : Edit All
For the RSA Identity Governance and Lifecycle product, Domain Name changes should only impact Collector and Connector definitions, and Account Entitlements (typically collected from an LDAP source, like Microsoft's Active Directory). For all other objects, once the data is collected, the Domain Name is no longer used. Domain Names are typically used to identify Internet resources, such as computers, networks, and services, but not users, accounts, application names or Entitlements.
Further to the Customer Scenario above, an organizational unit (OU) is different from a Domain Name. An OU provides a way of classifying objects located in directories, or names in a digital certificate hierarchy. OUs are typically used either to differentiate between objects with the same name, or to organize object creation and management. However, an example where a change in the OU may be an issue is with an Account Entitlement.
Entitlement Name = CN=ACME_Users,OU=OU_Applications,OU=OU_AccessGroups,DC=acme,DC=com
In this case, if the users need to be imported into a different OU, then RSA Identity Governance and Lifecycle can only treat them as different to the OU data it already has stored. Therefore, the different OU data would need to be Collected as part of an Account Data Collection, rather than being modified within the RSA Identity Governance and Lifecycle product.