Add ADSAccount or ADSGroup to categories based on template

Hola,

Version: OIM 7.1

So I have successfully tested AD user account creation against account definitions, and have assigned these account definitions to categories that match specific groups, and everything functions as expected.

One thing that I find to be a bit of a challenge is that it does not appear simple to automate the assignment of categories to the account when it is being created as part of the resource entitlement.

When looking at the defined categories against the ADSDomain, I see that what is defined lives in an embedded XML document. And after manually adding the categories to the object, it is rendered in the individual ADSAccount/ADSGroup records as a numerical bitmask.

Two questions:


  1. Is it possible to add the categories to the Account Definition so that the corresponding ADSAccount/ADSGroup being created can automatically inherit the categories?
  2. If not, what would be the best approach to explore an alternative to making this happen?

I was looking at possibly parsing the XML into a custom table that I could reference as an alternate mapping, but I wanted to make sure that there was not a simpler way to accomplish this before attempting that approach.

Thanks!

  • The numerical bitmask can be set at the ADS user account during creation using IT Operating Data.

    The only thing you have to do, is to create a template at the column ADSAccount.MatchPatternForMembership that uses the script TSB_ITDataFromOrg as described here

    https://support.oneidentity.com/technical-documents/identity-manager/7.1/administration-guide-for-connecting-to-active-directory/7#TOPIC-560675

    and here

    https://support.oneidentity.com/technical-documents/identity-manager/7.1/target-system-base-module-administration-guide/3#TOPIC-563864

    After you have done that, you are able to select the column on the IT operating data mapping page.

  • In reply to Markus Weiss-Ehlers:

    Hey Markus,

    Thanks for the info.

    I was able to get the MatchPatternForMembership exposed in the TSBAccountDef and assigned as part of the IT Operating Data as follows:

    It works, but only if I add another conditional statement that sets the value when the manage level matches.

    The template is configured as follows:


    '$FK(UID_Person).UID_Department$
    '$FK(UID_Person).UID_Locality$
    '$FK(UID_Person).UID_ProfitCenter$

    #If ORG Then
    '$FK(UID_Person).UID_Org$

    #End If

    If CBool(Connection.Variables.Get("FULLSYNC")) = False Then
        Select Case ($FK(UID_TSBBehavior).ITDataUsage:Int$)
            Case 0:'do not get data from employee
            Case -1:'fill property initially from the ITData of the employee
                If Not $[IsLoaded]:Bool$ Then
                    Value = VID_IsTrue(TSB_ITDataFromOrg($UID_Person$, $UID_TSBAccountDef$, Base.TableDef.Columns("MatchPatternForMembership")))
                End If
            Case 1:'update property depending on ITData of the employee
                Value = VID_IsTrue(TSB_ITDataFromOrg($UID_Person$, $UID_TSBAccountDef$, Base.TableDef.Columns("MatchPatternForMembership")))
        End Select

        '=> Check for Account Definitions and set match pattern based on Account Definition Requirements.
        Select Case $FK(UID_TSBBehavior).Ident_TSBBehavior$.ToUpper()

            '=> BXIILAB SU Account sAMAccountName
            Case "ELV FM SU ACCOUNT BXIILAB"
                Value = 4

            '=> BXIILAB SO Account sAMAccountName
            Case "ELV FM SO ACCOUNT BXIILAB"
                Value = 8

            '=> BXIILAB SG Account sAMAccountName
            Case "ELV FM SG ACCOUNT BXIILAB"
                Value = 16

            '=> BXIILAB DA Account sAMAccountName
            Case "ELV FM DA ACCOUNT BXIILAB"
                Value = 32

            '=> BXIILAB Standard Consultant sAMAccountName
            Case "STD FM CONSULTANT BXIILAB"
                Value = 2

            '=> BXIILAB Standard Employee sAMAccountName
            Case "STD FM EMPLOYEE BXIILAB"
                Value = 1

            '=> BXIILAB Standard User sAMAccountName
            Case "STD FM USER BXIILAB"
                Value = 64

            Case Else
        End Select

    End If


    If I remove lines 25-53, then the match pattern for membership does not work. While I am happy to have it working, I would prefer if this could just be a configurable parameter in Manager rather than having to come back to the template to re-work it every time we add an account definition.

    Thank you sir!

  • In reply to pacman_d:

    If this would be a configurable parameter how should this be designed to work?

    Looking at your code reveals that the mapping between account and categories is somewhat static in your case. But other use cases imply regular expressions or other means.

    But even so I am happy to take an SR for your request without promising anything.
  • In reply to Markus Weiss-Ehlers:

    Hey Markus,

    Much appreciated, but I want to make sure that I am not confusing things with the OIM nomenclature.

    When I say "Configurable Parameter" I do not mean in the configuration section of Designer.

    I guess what I am attempting to convey is that the IT Operating data for matchPatternForMembership option became available on the Business Role as you intimated initially, but when setting that alone in the Business Role configuration, the BitMask did not get set.

    What I am attempting to accomplish:

    We are setting up specific categories that match classes of elevated groups to their corresponding classes of elevated user accounts.

    As such, a group that can only contain SO or SG accounts would have the bitmask specific to that class (essentially adding the two values of the SO and SG bitmasks) on the group, and the corresponding bitmask on the ADSAccount record.

    When it works, it is great. I figured that I was missing something as my VB.NET is not super strong. I am much more proficient in PowerShell.

    In any case, I will figure it out, just wanted to make sure that I am not completely off base in my line of thinking.

    Thanks!
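    The category bitmask scheme described in this thread (one bit per account class, a group mask that combines the classes it may contain), modelled as an added example that is not part of the thread and not One Identity Manager code. The bit values are the ones from the template posted above; the group names, account names and memberships are constructed sample data, and the matching rule (an account may be a member of a group when the two masks share at least one bit) is an assumption of this example, not something the thread states. The audit function goes a step beyond the thread by checking existing memberships against the masks, which is how a defender would spot a standard or DA account sitting in an SO/SG-only group.

```python
from typing import Dict, Iterable, List, Tuple

# Bit values taken from the template posted earlier in this thread.
CATEGORY_BITS: Dict[str, int] = {
    "STD FM EMPLOYEE BXIILAB": 1,
    "STD FM CONSULTANT BXIILAB": 2,
    "ELV FM SU ACCOUNT BXIILAB": 4,
    "ELV FM SO ACCOUNT BXIILAB": 8,
    "ELV FM SG ACCOUNT BXIILAB": 16,
    "ELV FM DA ACCOUNT BXIILAB": 32,
    "STD FM USER BXIILAB": 64,
}


def account_mask(account_def_ident: str) -> int:
    """Bit for one account definition ident (case-insensitive, like the
    .ToUpper() in the posted template). Unknown idents yield 0, i.e. the
    account matches no category and therefore no category-restricted group."""
    return CATEGORY_BITS.get(account_def_ident.strip().upper(), 0)


def group_mask(*account_def_idents: str) -> int:
    """Group mask allowing several classes: bitwise OR of their bits. For
    distinct single-bit values this equals 'adding the two values' as
    described in the thread (SO + SG = 8 + 16 = 24)."""
    mask = 0
    for ident in account_def_idents:
        mask |= account_mask(ident)
    return mask


def may_be_member(acct_mask: int, grp_mask: int) -> bool:
    """Assumed matching rule: membership is allowed when the masks overlap."""
    return (acct_mask & grp_mask) != 0


def mask_names(mask: int) -> List[str]:
    """Human-readable decomposition of a mask back into account definitions."""
    return [ident for ident, bit in CATEGORY_BITS.items() if mask & bit]


def audit_memberships(
    groups: Dict[str, int],
    accounts: Dict[str, int],
    memberships: Iterable[Tuple[str, str]],
) -> List[Tuple[str, str]]:
    """Return (group, account) pairs whose masks do not overlap. Accounts or
    groups missing from the dicts are treated as mask 0 and so always flagged,
    which is the safe default for an elevated-group audit."""
    violations = []
    for grp, acct in memberships:
        if not may_be_member(accounts.get(acct, 0), groups.get(grp, 0)):
            violations.append((grp, acct))
    return violations


# Constructed sample data (not from the thread).
SAMPLE_GROUPS = {
    "GRP-ELV-SOSG-Admins": group_mask("ELV FM SO ACCOUNT BXIILAB",
                                      "ELV FM SG ACCOUNT BXIILAB"),   # 24
    "GRP-STD-Everyone": group_mask("STD FM EMPLOYEE BXIILAB",
                                   "STD FM CONSULTANT BXIILAB",
                                   "STD FM USER BXIILAB"),            # 67
}
SAMPLE_ACCOUNTS = {
    "jdoe": account_mask("STD FM EMPLOYEE BXIILAB"),       # 1
    "jdoe-so": account_mask("ELV FM SO ACCOUNT BXIILAB"),  # 8
    "jdoe-da": account_mask("ELV FM DA ACCOUNT BXIILAB"),  # 32
}
SAMPLE_MEMBERSHIPS = [
    ("GRP-ELV-SOSG-Admins", "jdoe-so"),  # allowed: SO bit is in the group mask
    ("GRP-ELV-SOSG-Admins", "jdoe"),     # violation: standard account in elevated group
    ("GRP-ELV-SOSG-Admins", "jdoe-da"),  # violation: DA is not SO or SG
    ("GRP-STD-Everyone", "jdoe"),        # allowed
]

if __name__ == "__main__":
    for grp, acct in audit_memberships(SAMPLE_GROUPS, SAMPLE_ACCOUNTS, SAMPLE_MEMBERSHIPS):
        print(f"{acct} ({mask_names(SAMPLE_ACCOUNTS.get(acct, 0))}) "
              f"should not be in {grp} ({mask_names(SAMPLE_GROUPS.get(grp, 0))})")
```

    Running the audit over the sample data reports the two memberships whose masks do not overlap; the same check, run against ADSAccount.MatchPatternForMembership and the group's mask exported from the database, makes a useful periodic control once the template sets the account bits automatically.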
  • In reply to pacman_d:

    Sorry for taking so long to provide an answer but here is my solution.

    It assumes that you want to set the value of the MatchPatternForMembership based on the account definition (TSBAccountDef) and not based on the automation level (TSBBehavior), as your select case implies.

    With the following template on ADSAccount.MatchPatternForMembership, you are able to provide the value as IT Operating Data.

    In your original code you used the script call VID_IsTrue(...) around your call of the script TSB_ITDataFromOrg which was the reason that your code didn't work without the select...case block.

    HtH

    '$FK(UID_Person).UID_Department$
    '$FK(UID_Person).UID_Locality$
    '$FK(UID_Person).UID_ProfitCenter$
    
    #If ORG Then
    '$FK(UID_Person).UID_Org$
    
    #End If
    
    If CBool(Connection.Variables.Get("FULLSYNC")) = False Then
    	Select Case ($FK(UID_TSBBehavior).ITDataUsage:Int$)
    		Case 0:'do not get data from employee
    		Case -1:'fill property initially from the ITData of the employee
    			If Not $[IsLoaded]:Bool$ Then
    				Value = TSB_ITDataFromOrg($UID_Person$, $UID_TSBAccountDef$, Base.TableDef.Columns("MatchPatternForMembership"))
    			End If
    		Case 1:'update property depending on ITData of the employee
    			Value = TSB_ITDataFromOrg($UID_Person$, $UID_TSBAccountDef$, Base.TableDef.Columns("MatchPatternForMembership"))
    	End Select
    End If

  • In reply to Markus Weiss-Ehlers:

    Oh wow,

    I will give this a shot and report back with my results.

    Thanks!
  • In reply to Markus Weiss-Ehlers:

    Hey Markus,

    That worked perfectly, thanks a ton.

    Much appreciated!