Migrating MIM OrganizationalUnit (OU) Objects to IdentityIQ

Which IIQ version are you inquiring about?

8.4

Share all details about your problem, including any error messages you may have received.

Hello, we are migrating from Microsoft Identity Manager (MIM) to IdentityIQ.
In MIM, we synchronize not only users/identities but also our organizational structure (OrganizationalUnit objects). We are struggling to find advice on handling these organizational/OU objects within IdentityIQ, and we are currently debating between two main approaches:

Treat them as “Identities”: Should we import these OUs into IdentityIQ and model them using Identity Cubes, similar to how we manage users?

Treat them as Custom Objects: Should we look into creating a mechanism to store and manage them as custom objects/entities outside of the standard Identity Cube structure?

Or is there any other approach that would be more suitable?

Any suggestions would be very appreciated!

Thanks.

Hi @thp015

Modelling OUs as identities is not an ideal approach; however, it is possible.

It could lead to complexities in queries and reporting. They will get displayed as identities in the UI, so in many places you will have to customise accordingly.

Custom objects in IdentityIQ are simple, extensible entities with attribute maps that can store hierarchical OU data like name, parent OU, description, and location.

Also, in your MIM, what is your authoritative source (e.g. Workday, SuccessFactors, CSV)? Any of these?

@vinnysail Could you please specify your use case, i.e. why do you need the organizational structure in IIQ?

Hi @neel193

Need to understand from Pratik why they want to bring the OU structure into IIQ.

What I can think of is that maybe they have a hierarchy of data that they want to bring into IIQ; instead, they can leverage custom objects or identity attributes.

Hard to picture what you are doing here. MIM is just a front end for Active Directory, so don’t you just want to turn it off and use the Active Directory connector to manage users and groups? You will have a challenge as IIQ doesn’t have UI elements like MIM does for creating new security groups and distribution groups. Does MIM allow creating OUs also? All of those functions will be a quicklink with a workflow behind it.

I created a workflow and quicklink for creating and managing AD groups several years ago for a client. It’s not a simple problem and MIM doesn’t cover all of the aspects of the function. For instance, if you want to transfer ownership of a group (managedBy value) from one user to another, you would normally want to gather approvals from the before and after user, their managers possibly, and the security team.

One good thing about IIQ is you can use the connector for the provisioning operations and not have to hack commands on the back end. You also can drive PowerShell on the IQService server.

Any time you are trying to keep Lists and Maps of any data, a Custom object is your best choice. Be sure to lock the object when updating. I have a client with a system right now where I have developed about a dozen Custom objects tracking all sorts of details.

What we need is to be able to manage our organizational tree for Active Directory (i.e. organizational units), and another LDAP catalogue representing our organization together with others in the same business sector (health care organizations in Sweden).

The source for our organization resides in an SQL database. So that's our master for which organizational units should be created and deleted.

Then these organizational units should be synchronized to different applications. We also need to fetch attributes from across a few different catalogues, so it's basically a multi-master scenario from that perspective. The ticketing system uses a REST API service for interfacing. And then we also synchronize the org tree to a couple of SQL databases.

We are interested in creating new OUs and synchronizing attributes between these systems. We are not interested in creating/managing groups.

We're migrating from Microsoft Identity Manager (synchronization service), not the MIM portal, and therefore may have a MIM mindset that may not be optimal for IIQ.

@thp015 If you are trying to manage OU attributes only, you might want to model the OUs as Group objects in IIQ. If you are using SQL as your master data, then you can configure a JDBC application and aggregate them as Groups, and later sync them to some other downstream apps using a rule runner.

To me this sounds like a fully custom work requirement. I did something similar to this. Storage is not the biggest problem. It's the presentation layer that is funky.

What I implemented was a custom plugin showing the OU structure to users for entitlement creation. I needed to know where to create a new AD group for a user. So in essence not far from managing OUs.

I stored the data in a custom object using a tree structure made from maps and lists.

I had a custom task that would read all OUs to keep track of them.

Finally I used some OOTB Angular tree element to display it nicely for users.

It worked perfectly. But I did spend some time building it.
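The two replies above describe the same pattern: keep the OU hierarchy in an IIQ Custom object as a tree of Maps and Lists, refresh it from a task, and lock the object while updating it. The following is an added example of that pattern, written for this thread; it is not code from any of the participants or from SailPoint. It assumes IIQ's `sailpoint.object.Custom` (with `get`/`put` on its attribute map), `sailpoint.api.SailPointContext`, and `sailpoint.api.ObjectUtil.transactionLock`; the Custom object name `Org OU Tree` and the `OuRow` shape are invented for the example, and the rows are constructed stand-ins for what a JDBC aggregation of the SQL master would deliver. Check the method signatures against the javadoc of your IIQ version.

```java
import java.util.*;
import sailpoint.api.ObjectUtil;
import sailpoint.api.SailPointContext;
import sailpoint.object.Custom;
import sailpoint.tools.GeneralException;

/** Keeps an OU tree in a Custom object, built from flat rows of the SQL master. */
public class OuTreeSync {

    /** Assumed name of the Custom object; any name works as long as all tasks agree on it. */
    static final String CUSTOM_NAME = "Org OU Tree";

    /** One OU row as the SQL source would deliver it (constructed shape for this example). */
    static class OuRow {
        final String id, name, parentId, description;
        OuRow(String id, String name, String parentId, String description) {
            this.id = id; this.name = name; this.parentId = parentId; this.description = description;
        }
    }

    /** Build a nested tree: each node is a Map with id, name, description and a "children"
     *  List. Only Maps, Lists, Strings and Dates are used so the tree serialises cleanly
     *  into the Custom object's XML. Rows whose parent does not exist are attached at the
     *  root rather than dropped, so a bad source row stays visible instead of vanishing. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> buildTree(List<OuRow> rows) {
        Map<String, Map<String, Object>> nodes = new LinkedHashMap<>();
        for (OuRow r : rows) {
            Map<String, Object> node = new LinkedHashMap<>();
            node.put("id", r.id);
            node.put("name", r.name);
            node.put("description", r.description);
            node.put("children", new ArrayList<Map<String, Object>>());
            nodes.put(r.id, node);
        }
        Map<String, Object> root = new LinkedHashMap<>();
        List<Map<String, Object>> roots = new ArrayList<>();
        root.put("children", roots);
        for (OuRow r : rows) {
            Map<String, Object> parent = (r.parentId == null) ? null : nodes.get(r.parentId);
            List<Map<String, Object>> siblings =
                (parent == null) ? roots : (List<Map<String, Object>>) parent.get("children");
            siblings.add(nodes.get(r.id));
        }
        return root;
    }

    /** Flatten a tree into id -> "/path/of/names". The visited set stops a cyclic
     *  parent chain in bad source data from recursing forever. */
    @SuppressWarnings("unchecked")
    static void flatten(Map<String, Object> node, String path, Map<String, String> out, Set<String> seen) {
        if (node == null) return;
        List<Map<String, Object>> children = (List<Map<String, Object>>) node.get("children");
        if (children == null) return;
        for (Map<String, Object> child : children) {
            String id = (String) child.get("id");
            if (!seen.add(id)) continue;              // cycle or duplicate id: skip it
            String childPath = path + "/" + child.get("name");
            out.put(id, childPath);
            flatten(child, childPath, out, seen);
        }
    }

    /** Compare the stored snapshot with the freshly built one. Keys: "created",
     *  "deleted", "moved" (same id, different path after a restructuring). */
    static Map<String, List<String>> diff(Map<String, Object> oldTree, Map<String, Object> newTree) {
        Map<String, String> before = new HashMap<>(), after = new HashMap<>();
        flatten(oldTree, "", before, new HashSet<String>());
        flatten(newTree, "", after, new HashSet<String>());
        Map<String, List<String>> changes = new LinkedHashMap<>();
        changes.put("created", new ArrayList<String>());
        changes.put("deleted", new ArrayList<String>());
        changes.put("moved", new ArrayList<String>());
        for (String id : after.keySet()) {
            if (!before.containsKey(id)) changes.get("created").add(id);
            else if (!before.get(id).equals(after.get(id))) changes.get("moved").add(id);
        }
        for (String id : before.keySet()) {
            if (!after.containsKey(id)) changes.get("deleted").add(id);
        }
        return changes;
    }

    /** Persist the tree. transactionLock (assumed IIQ API) keeps a concurrent task from
     *  overwriting the object between our read and save; commitTransaction releases it. */
    @SuppressWarnings("unchecked")
    static Map<String, List<String>> store(SailPointContext context, Map<String, Object> newTree)
            throws GeneralException {
        Custom custom = ObjectUtil.transactionLock(context, Custom.class, CUSTOM_NAME);
        if (custom == null) {                          // first run: object does not exist yet
            custom = new Custom();
            custom.setName(CUSTOM_NAME);
        }
        Map<String, Object> oldTree = (Map<String, Object>) custom.get("tree");
        Map<String, List<String>> changes = diff(oldTree, newTree);
        custom.put("tree", newTree);
        custom.put("lastSync", new Date());
        context.saveObject(custom);
        context.commitTransaction();
        return changes;
    }

    /** Task entry point with constructed rows; a real task would read them via JDBC. */
    static Map<String, List<String>> run(SailPointContext context) throws GeneralException {
        List<OuRow> rows = new ArrayList<>();
        rows.add(new OuRow("100", "Region North", null, "constructed sample"));
        rows.add(new OuRow("110", "Hospital A", "100", "constructed sample"));
        rows.add(new OuRow("111", "Cardiology", "110", "constructed sample"));
        return store(context, buildTree(rows));
    }
}
```

The change lists returned by `store` are what the downstream synchronization needs: "created" and "deleted" map to OU create/delete operations in AD or the LDAP catalogue, and "moved" is the case frequent restructurings produce, where an OU keeps its id but its DN changes. Because only Maps, Lists, Strings and Dates go into the Custom object, the snapshot survives an export/import of the object as XML.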

Hi @thp015, I still didn't understand the use case. Can you share what you want to do in IIQ?

Thanks,

PVR

Hi Mister Peddapolu.

Our objective is to synchronize changes to our organizational structure in a similar manner as we synchronize identity data. We maintain an SQL database that serves as the authoritative source for our entire organizational structure (comprising over 1,500 departments). We also want to aggregate and add some extra data to our departments from another application which is an LDAP catalogue. Due to frequent restructuring, keeping this data consistent across our ecosystem is critical.

Currently, multiple applications rely on this data. For example, Active Directory uses it to manage OUs, and a separate LDAP catalog replicates the structure identically. These are just two examples of many.

This is presently managed via FIM Synchronization Service, using specific Management Agents for both the organizational structure and identities for each target application.

We want to know if using IIQ is a good way of doing this, and if it is what would be “best practice” to handle it.

Hi @thp015 Thank you for sharing details. One more question: Are there external data in IIQ Identity?

If not, you should create a new identity type based on your organization’s requirements as per the feed in IIQ, then, you can manage the identities and their syncing processes, provisioning into LDAP or AD, etc.

Thanks,

PVR.