AnsweredAssumed Answered

AD Attribute Compliance

Question asked by Steve Alexandre on Dec 13, 2019
Latest reply on Dec 18, 2019 by Frank Schubert

Like • Show 0 Likes0
Comment • 4

Hi everyone,

Just to confirm, they are no way to do a compliance on AD Attribute ?

To explain more the situation, we are migrating Microsoft FIM in RSA IGL. On FIM, where an attribute was changed on AD but does not equal the value on FIM, FIM push the correction. Like that, FIM is the authority source which depend on HR data by the way.

If I understand, RSA IGL do only push forward so for example if one attribute is modified on the identity, it's pushed to the target. It does not correct attribute on target if someone has changed it and it's not done on the RSA identity. right ?

Thanks.

Frank Schubert Dec 18, 2019 11:25 AM

Correct Answer

Hi,

if you want to use custom workflows, you could construct one that gives you a list of identities that have attributes differ in the target system. then loop through all of the identities and the corresponding attributes and pump that all into a provision node. That could loop tons of time and can really pump up the line count in WP_USER_DATA.

Or, slight variation from above, instead of calling a provisioning node, call the createChangeRequest REST webservice. There the advantage is you can pump in lots of change items and not just do a 1:1.

frank

See the reply in context

No one else had this question

Outcomes

Mostafa Helmy

Dec 13, 2019 11:52 AM

You are correct, our OOTB attribute sync is driven by changes in the source value and not the target value. If there is no change in the source data, we won't re-sync the value if the target value changed again.

I can't think of a way to have this continuous sync process now, but if I do I'll get back to this post.

1 person found this helpful

Actions

Jamie Pryer

@ Mostafa Helmy on Dec 16, 2019 4:01 AM

could we not do a report to look for the delta, to at least show where there is one?

Actions

Mostafa Helmy

@ Jamie Pryer on Dec 16, 2019 5:00 AM

The problem is unification will only populate 1 value for a specific attribute and ignore the others. So on the identity level we wouldn't even have the other value.

There may be ways to compare such attributes from the collection raw data views, but that means you would be a bit messy?

Actions

Frank Schubert Dec 18, 2019 11:25 AM

Hi,

frank

Actions

4 Replies

Mostafa Helmy Dec 13, 2019 11:52 AM
Mark Correct
Correct Answer
You are correct, our OOTB attribute sync is driven by changes in the source value and not the target value. If there is no change in the source data, we won't re-sync the value if the target value changed again.

I can't think of a way to have this continuous sync process now, but if I do I'll get back to this post.
1 person found this helpful
Like • Show 1 Like1
Actions
- Jamie Pryer @ Mostafa Helmy on Dec 16, 2019 4:01 AM
  Mark Correct
  Correct Answer
  could we not do a report to look for the delta, to at least show where there is one?
  Like • Show 0 Likes0
  Actions
  - Mostafa Helmy @ Jamie Pryer on Dec 16, 2019 5:00 AM
    Mark Correct
    Correct Answer
    The problem is unification will only populate 1 value for a specific attribute and ignore the others. So on the identity level we wouldn't even have the other value.
    
    There may be ways to compare such attributes from the collection raw data views, but that means you would be a bit messy?
    Like • Show 0 Likes0
    Actions
Frank Schubert Dec 18, 2019 11:25 AM
Unmark Correct
Correct Answer
Hi,
if you want to use custom workflows, you could construct one that gives you a list of identities that have attributes differ in the target system. then loop through all of the identities and the corresponding attributes and pump that all into a provision node. That could loop tons of time and can really pump up the line count in WP_USER_DATA.

Or, slight variation from above, instead of calling a provisioning node, call the createChangeRequest REST webservice. There the advantage is you can pump in lots of change items and not just do a 1:1.

frank
Like • Show 0 Likes0
Actions

AD Attribute Compliance

Outcomes

Related Content

Recommended Content