i’m able to successfully provision a new AIX user with the correct attributes except for one. however, i feel as though i’m missing something obvious. i’m having trouble populating the primary group attribute during user creation. the pgrp attribute requirement is rather straightforward, set the “pgrp” attribute to the same value as the entitlement/group that is being requested. for example:
a user is being created on the AIX source based on a request for the “group1” entitlement/group on the connector. that “group1” should also be the value for the pgrp attribute. below is from the provisioning policy for the connector that adds the user to the group, but i’m not sure how to populate the pgrp attribute with that same value during creation. i appreciate any insight as this is not one of my strengths
Hey - if the “group1” object you’re referring to is an entitlement on the source, then there’s no need to add that to the create account tab (aka provisioning policy).
The provisioning policy is intended for generating Account attributes not inherently available within the provisioning plan (e.g generating a username, password etc). An entitlement would inherently be within the provisioning plan during an access request, as a user would have requested a specific entitlement.
The mapping of that would need to exist under your ‘Add Entitlement’ HTTP operation under the source configuration and you would pass that like you pass other attributes - ${{identifier}}.
For example, if your ‘Create account’ HTTP operation body looks like this:
Bear in mind that “role” in my example is the name of the attribute within the account schema that represents an entitlement. If the attribute name in your case is “pgrp”, then you would call it via $plan.pgrp$
Thanks for the replies, I should probably add some additional clarification. We are on IdentityNow so I’m not sure how Märten’s would work as I assume that is for IIQ. A little more information about the AIX user creation:
An AIX account creation request would be based on the entitlement from that same AIX source. So for example, a user requests “cds” for the AIX source as shown below.
When that user is created on the AIX source, it defaults the pgrp attribute to “staff” and assigns “cds” as the secondary group as listed in the groups attribute and entitlements on the user profile page. They want the pgrp to be the same as the requested group and that’s where I’m struggling. Hopefully that makes more sense.
My example was for IDN but I think I might’ve misunderstood the issue. My example was also configuration for a Web Services source type, not AIX as I thought AIX was the source name rather than type.
This bit -
it defaults the pgrp attribute to “staff”
Does that happen from AIX side? E.g there’s something in the service that will by default populate that attribute to ‘staff’ whenever an account is created?
The “cds” that’s under secondary group attribute, is that what the user requested?
So if I understand it correctly so far:
User requests an entitlement on the source
Create Account operation is triggered
The requested entitlement is provisioned under the ‘groups’ attribute
The ‘pgrp’ attribute will default to ‘staff’
What you want to happen is:
User requests an entitlement
Create Account operation is triggered
The requested entitlement is provisioned against both ‘groups’ and ‘pgrp’ attributes
Does this only apply to Create Account or also Add Entitlement?
