Multi-App collector and disabled/locked out status?
Currently I am using several account collectors to retrieve several applications from one database. I'm currently trying to find out if the multi-app collector could take over this task to simplify the configuration and ease the scheduling of load on the database. So far everything seems to work fine, but I am missing the locked-out and disabled state which I can configure with the account collector.
Is there some way to load the disabled and locked state when using the multi-app collector?
We are using RSA Via L&G version 18.104.22.168958.
What type of Collector are you using? The OOTB disabled/locked state would imply you're using several AD collectors but you mention databases.
Unfortunately I think the account disabled attribute appears to be missing in the Multi-Application Collectors (I'm unsure why).
1.) For Databases you could extend the account attribute to hold an account disabled/locked state. Your database collector would have to set this value (either writing the locked status directly or using a CASE to write a representative flag). For AFX connectors you'd have to implement the reverse logic (either writing a status code directly or deriving one in your update query).
2.) For Directories/LDAP you would have to extend the account to hold an attribute (such as userAccountControl). You could then map this value in your MAADC to collect this value and configure AFX to write to it for fulfilment.
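A sketch of the CASE approach from point 1 above, added here as an illustration; it is not taken from the thread or from RSA documentation. The table, column names, status values and the lockout threshold are all hypothetical, and the two output columns are assumed to be mapped to custom account attributes in the collector.

```sql
-- Constructed sample data: one source table holding accounts for several
-- applications. Every name and value here is hypothetical.
CREATE TABLE app_accounts (
    app_name      VARCHAR(50)  NOT NULL,
    account_name  VARCHAR(100) NOT NULL,
    status        VARCHAR(30),      -- free-text status from the source system
    failed_logins INTEGER           -- consecutive failed logins, may be NULL
);

INSERT INTO app_accounts VALUES ('Billing', 'jdoe',   'ACTIVE',           0);
INSERT INTO app_accounts VALUES ('Billing', 'asmith', 'Disabled',         0);
INSERT INTO app_accounts VALUES ('CRM',     'jdoe',   'EXPIRED & LOCKED', 2);
INSERT INTO app_accounts VALUES ('CRM',     'bwayne', 'ACTIVE',           7);
INSERT INTO app_accounts VALUES ('CRM',     'svc_rpt', NULL,              NULL);

-- One query for all applications: each row carries the application name plus
-- two normalized flags derived from the raw status.
SELECT
    app_name,
    account_name,
    CASE
        WHEN UPPER(status) IN ('DISABLED', 'INACTIVE', 'TERMINATED') THEN 'true'
        ELSE 'false'   -- a NULL status also lands here: decide if that default is acceptable
    END AS is_disabled,
    CASE
        WHEN UPPER(status) LIKE '%LOCKED%' THEN 'true'
        WHEN failed_logins >= 5            THEN 'true'   -- assumed lockout threshold
        ELSE 'false'
    END AS is_locked
FROM app_accounts
ORDER BY app_name, account_name;
```

With the constructed rows, asmith is flagged disabled, jdoe in CRM and bwayne are flagged locked, and svc_rpt (NULL status) falls through to 'false' on both flags, which is the case to review before relying on these values in access reviews.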
1. I have defined the Is_Disabled status myself in the account collector SQL script, but it isn't reflected within the accounts under the application, like it normally is within an application's accounts collected by a normal collector.
2. Not my inquiry for now. I have no application using AFX at present.
Yeah, unfortunately, as we're now setting a custom attribute, this wouldn't be reflected in the application account view. As a workaround we could set this in the account collection post processor.
In the long term I would raise a support ticket so they officially add the account status in the multi-app collector. I can't think of a reason it's not there.
Yes, I have raised a ticket with them so they can add it as an enhancement in a patch or the new version.