Hi,
someone pls help me on how to skip entitlement creation while account aggregation from user profile
In IIQ we have Promote ManagedAttributes option to disable, do we have anything same like…?
Thanks
Prashanth
Hi @PrashRV
I don’t believe that what you are asking is possible from the GUI.
Perhaps via a API call but I couldn’t answer that bit
Phil
Can you explain more about what you are trying to do?
Hi @PrashRV , Avoid setting up your entitlement attributes in the account schema before running the aggregation for the source.
1 Like
Hi @PrashRV ,
I don’t think that’s feasible.
Account aggregation will automatically pull the entitlements linked to the accounts.
-Mehul
I think @amahlemohlokonya is on the right track here, if you adjust the account schema to remove the attributes that are being promoted as entitlements (or at least remove the isEntitlement flag from those attributes) that should prevent them from being aggregated.
Hi @PrashRV when aggregatig accounts, entitlements that are not being aggregated yet, will appear in the entitlement list. Unfortunately, only with information gathered from user’s attribute. For example in AD connector, groups that aren load with entitlement aggregation, are added as entitlements in account aggregation, but with DN as the descriptive name.
If AD is your case, if you know of certain user’s groups should not be added in the entitlement list of that user, you can filter it using
this will prevent aggregation to bring groups that will not be loaded on entitlment aggregtion. For example, you can use (!(cn=domain*)) so Domain Users, Domain Operators and Domain Admins groups are not being added as entitlements. Or you can specify a list like (&(!(cn=group1,ou=…))(!(cn=group2,ou=…))…(!(cn=groupN,ou=…)) ** you should have a group list with complete DN in this case.
Other connectors can filter results with a rule, as in the web service after operation rule.
Thanks everyone for all the replies, I am trying to skip the entitlements creation while account aggregation from user profile is for SCIM connector.
i have kept filter for Groups in SCIM 2.0 is null, but still see entitlements listed on catalog.
Thanks
Prashanth
Hi @PrashRV,
As we are speaking about SCIM connector, could you please ensure the following steps are performed to not promote entitlement creation while performing account aggregation:
Note: Before performing below steps either reset the source or create a new source and then execute the below steps
-
Configure required connection parameters in the source
-
In the account schema, ensure that no attribute type is mapped to entitlement type as shown below(your account schema might differ from the following screenshot) and no account schema attribute should be marked as entitlement:
-
Next, you can either delete entitlement types or you can delete entitlement attributes inside entitlement type or un-map the entitlement id and entitlement name inside entitlement type attributes. In the below screenshot, i have removed all the entitlement schema attributes inside entitlement types, after removing entitlement schema attributes you should be able to see empty with respect to all entitlement types as shown below:
-
Now trigger the account aggregation, this account aggregation should not create entitlements and only users should be pulled into IDN.
Keep us posted if you face any difficulties with the above steps.
Thanks,
Vijay
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.