CA 12.5 SP6 Connector Express Group Membership via Virtual Attributes
The CA RCM documentation is not very clear about how Reverse Association works and provides no guidelines on how to work with Virtual attributes, how they are mapped or controlled in Provisioning Manager. Group membership provisioning from the account or user side can be accomplished in CA RCM Connector Express using Virtual attributes .
***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK. We do not guarantee this will work in your environment and make no warranties***
The CA RCM documentation is not very clear about how Reverse Association works and provides no guidelines on how to work with Virtual attributes, how they are mapped or controlled in Provisioning Manager. Group membership provisioning from the account or user side can be accomplished in CA RCM Connector Express using Virtual attributes . What this means is that if you have a user class (User Account) and group class (Groups) you can provision the group member attribute with account members:
In the above example, when the group membership is added to the user in the group membership attribute on the user, than the group member attribute is updated with the user account as well. This is accomplished doing the following steps:
1. Map the User class. The user class contains an attribute that contains the DN of the group, in this example this is Group Membership, the type is Flexi-DN and the attribute may or may not be multi-valued
2. Map the Group class. The group class contains a multi-valued attribute (Member) that contains the DN of the user(s).
3. Create the account to group direct association. The user account physical attribute Group Membership the attribute that stores the DN of the group. The Match attribute is the Groups naming attribute that is mapped as the required name for the group.
4. Create account to group reverse association. The groups class group attribute must be a virtual attribute which is given a new account attribute name that does not exist in the group class, in this case I made the virtual attribute ‘vMember’ so that it is easily understandable. The match user account attribute is the required Account ID attribute.
5. When you complete this, a brand new attribute will appear in the group attribute listing with the virtual attribute name. In figure 1 you can see the vMember attribute in the group class and this attribute was created by using the reverse association step above and not created manually.
6. Repeat the group to account direct association. Follow the same steps used for account to group with the values reversed and the groups member attribute and account Account ID attribute used.
7. Repeat the group to account reverse association. The virtual attribute to create will be virtual of the group member (Group Membership) attribute which will be created in the account class. the match groups attribute will be the name of group class.
The completed associations should look like figure 1. Two virtual attributes were created, the vMember created by the reverse association on the account class and vGroup Membership created by the reverse association on the group class. You do not need to modify the virtual attribute in any way except to verify that the attribute is multi-valued.
When you have completed the connector express configuration, created the new endpoint, and acquired the new endpoint you are ready to work with target in Provisioning Manager. After you have Explored and Correlated the endpoint and mapped the endpoint on the Endpoints tab you can work with account and group membership as follows (notice the vGroupMembership and Group Membership tabs):
- The Group Membership tab represents the users group membership in the users account (member) attribute.
- The vGroupMembership tab represents the users group membership in the groups member (Group Membership) attribute
By adding the same searched group in both these tabs you can provision the user account with a group membership and modify the group member attribute with the user account in the same operation.
Membership is the attribute that stores the DN of the group. The Match attribute is the Groups naming attribute that is mapped as the required name for the group.
As always, questions, comments or concerns? Feel free to reach out to us at IDMWorks.
Questions, comments or concerns? Feel free to reach out to us below, or email us at IDMWORKS to learn more about how you can protect your organization and customers.
Tags: Identity Manager