Question on Linking Resources
I've just started working with Identity Manager, and I've been playing with the workflows and reading the documentation that comes with the Sun IDM software and will be going to training next month on this, but I have a few questions. What is the preferred way to create accounts on resources? Currently, what I am trying to do is reconcile a user from our LDAP resource, then it creates it in the IDM suite just fine, but I then want any accounts on that LDAP source to be created in our AD resource as well (both resources should match each other in our environment). I've tried getting this to work with the default workflows, but I haven't found any that do this, and I've tried creating my own but nothing, to my dismay. How would you typically go about this?
By UNO-AD-HMa at 2007-11-27 10:25:16

# 1
Very briefly:
1. Assume your LDAP is the authoritative source.
2. Run recon and pull users into IM.
3. Run recon with AD and push them into AD.
4. Set up LDAP for ActiveSync / Synchronization.
5. Configure workflows for create, update, delete user.
6. Run ActiveSync as often as desired.
7. Try and live happily ever after ;)
Ankush
# 2
How do you accomplish step 3 with the IM? I haven't been able to create any accounts on the LDAP or AD sources with IM at all unless I manually create them within IM. I also have not been able to find in the documentation anywhere how to do this. If I have 2 accounts on both systems that are the same, it knows to link them, but other than that...
What I have been trying to do is, on the create/update workflows, have them set the resources on the users to the two LDAP/AD resources, but so far I have not figured out the combination to do this. Not sure if I'm modifying the wrong field, or combination of fields, or if I'm just generally going about it the wrong way to begin with. I guess I'd like to know: if you are going to link an account to another resource, what do you need to modify in the workflows?
Thanks for the assistance.
# 3
In step 2, you ask IM to create a user account (in IM) if the user exists in LDAP, and not in IM.
In step 3, you ask IM to create a RESOURCE account in AD, if the user exists in IM, and not in AD.
All of this is done in the reconciliation actions (drop-downs, which by default are set to "Do Nothing").
Ankush
# 4
On your step 3, I have nothing that does this for options. I see a set of 6 options in the "Situation" section, and this is what I have set for those (these have been set this way the entire time of testing):
Deleted: Do Nothing
Found: Link Resource Account to User
Missing: Create Resource Account for User
Unassigned: Link Resource Account to User
Unmatched: Create new User Based on Resource User
Disputed: Do Nothing
I'll play around with the settings, but I'm assuming this is the section you are talking about? I'm using IM 7.1 in case that makes a difference.