Trying to onboard a delimited-file type application.
Below is a sample of the data we have received.
We have marked DelegatedEmail as the account schema identity attribute, and SharedMBXUPN has been marked as ‘entitlement’ and ‘managed’.
We want the user to be able to somehow select the AccessType when requesting access (from Request Access) to the entitlement, which here is ‘SharedMBXUPN’.
Background:
We are currently aggregating SharedMailbox accounts (on-prem AD accounts) using the AD connector, while provisioning is managed using another app which acts as an interface to AD, for which we created a web services connector app.
For the permissions on the shared mailboxes (SendAs, FullAccess, SendOnBehalf), we don’t have data on the existing users who have permissions to the shared mailboxes or what the permission is. Currently, we are not permitted to connect to Exchange to get this data.
However, we’ve been told the Exchange team will be able to provide a dump of these permission details for each shared mailbox.
What we plan to do is create an application and load this data so that we have a record of what type of permission the user holds on the shared mailboxes.
And then, when a user is granted access to a mailbox (entitlement), we want to update the same file with that record.
So are you planning to have 3 separate applications representing one app’s different types of data?
Is it possible to update the existing application/account link data using the file that you receive (possibly using a rule)?
Also, regarding the accessType field, do you want input from the requestor before proceeding with the request?
We have this feature implemented for the Entra ID application / Exchange Online with the out-of-the-box solution that the connector offers. SharedMailbox is the entitlement attribute, which creates the managed attributes using: <SMB identity (upn / alias)> : <SMB Permission>
The solution uses the IdentityIQ Service with the needed PowerShell module.
If in your case using a custom solution is the only way forward, I would suggest that you create one more field (for example by using a customization rule). This field would then have to be the requestable item for users.
We don’t want to create a separate application; we are trying to keep 1 app link under which all the shared mailboxes will show as entitlements. The point we are stuck on is how to have that on the entitlement.
We want either 3 entitlements for each shared mailbox, representing the 3 different AccessTypes.
eg.
Ent 1 - SharedMailbox 1 - FullAccess
Ent 2 - SharedMailbox 1 - SendAs
Ent 3 - SharedMailbox 1 - SendOnBehalf
And then this wouldn’t require user input during the Request Access process.
But I’m not sure how to achieve this based on the sample data I’ve posted in the main post.
Would the customization rule be used to achieve the below scenario?
We are trying to keep 1 app link under which all the shared mailboxes will show as entitlements; the point we are stuck on is how to have that on the entitlement.
We want either 3 entitlements for each shared mailbox, representing the 3 different AccessTypes.
eg.
Ent 1 - SharedMailbox 1 - FullAccess
Ent 2 - SharedMailbox 1 - SendAs
Ent 3 - SharedMailbox 1 - SendOnBehalf
And then this wouldn’t require user input during the Request Access process.
Also, eventually we’d need to update the file with any new users who are requesting access to any mailbox.
So is using the delimited file connector a good choice, or would moving this dump of data to a database table and then onboarding it as a JDBC app be a better choice?
If yes, we still want to be able to achieve the above scenario.
But I’m not sure how to achieve this based on the sample data I’ve posted in the main post.
You have the required data present in the CSV file. You can try implementing merging based on the unique ID to show all these 3 entitlements linked with the user account.
I’ve already tried implementing merging, and that would create it as a single entitlement rather than 3 different entitlements of the same shared mailbox with different AccessTypes.
I was a little too fast when I wrote customization rule. Actually, in this case what you need to use is a BuildMap rule, where you kind of manipulate the data before IIQ does its own processing.
It is correct that customization would not work here, as IIQ would just create two different sets, and it does not make sense to add the additional column at this point.
If you need help with the build map rule, let me know.
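As an added example (not code from any poster or from SailPoint), here is the shape a DelimitedFile BuildMap rule could take for this scenario: each CSV row is rewritten so the entitlement value becomes <SharedMBXUPN>:<AccessType>, so that row merging on DelegatedEmail leaves one account carrying up to three distinct entitlements per shared mailbox. The column names DelegatedEmail, SharedMBXUPN and AccessType are assumed from the thread; `cols`, `record` and `log` are the standard BuildMap rule inputs.

```java
// Assumed columns: DelegatedEmail (identity), SharedMBXUPN (entitlement), AccessType.
import java.util.Map;
import java.util.List;
import sailpoint.connector.DelimitedFileConnector;

// Let the connector build the default attribute map from the header row and this record.
Map map = DelimitedFileConnector.defaultBuildMap(cols, record);

String mailbox = (String) map.get("SharedMBXUPN");
String accessType = (String) map.get("AccessType");

if (mailbox != null) {
    mailbox = mailbox.trim();
}

// Normalize the permission name so "full access", "FullAccess" and "FULLACCESS"
// all collapse to the same entitlement value instead of three near-duplicates.
String normalized = null;
if (accessType != null) {
    String key = accessType.replaceAll("\\s+", "").toLowerCase();
    if ("fullaccess".equals(key)) {
        normalized = "FullAccess";
    } else if ("sendas".equals(key)) {
        normalized = "SendAs";
    } else if ("sendonbehalf".equals(key) || "sendonbehalfof".equals(key)) {
        normalized = "SendOnBehalf";
    }
}

if (mailbox == null || mailbox.length() == 0) {
    // No mailbox at all: nothing to turn into an entitlement; leave the row untouched.
    log.warn("BuildMap: row without SharedMBXUPN for " + map.get("DelegatedEmail"));
} else if (normalized == null) {
    // Unknown or missing permission: keep a plain value and flag it rather than
    // silently dropping the row or inventing a permission type.
    log.warn("BuildMap: unrecognized AccessType '" + accessType + "' for " + mailbox);
    map.put("SharedMBXUPN", mailbox);
} else {
    // Composite value: with row merging enabled and SharedMBXUPN as a merge attribute,
    // the three rows for one mailbox become three entitlement values on one account.
    map.put("SharedMBXUPN", mailbox + ":" + normalized);
}

// Drop the raw AccessType column so it does not surface as a separate account attribute.
map.remove("AccessType");

return map;
```

The rule only reshapes rows; the application definition still needs merging turned on with DelegatedEmail as the merge key and SharedMBXUPN as a merge attribute so the three rows collapse into one account. Because the entitlement is ‘managed’, the three composite values appear as three separately requestable managed attributes, which removes the need for requestor input on AccessType.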
We are using an “unstructured target” that we developed to aggregate and provision Exchange mailbox permissions. It makes use of two PowerShell scripts invoked via the IQService.
That approach won’t work for you if you can only get a CSV extract, but perhaps you could push for better access.
We’ve already pushed for direct access to Exchange; just read access would ideally go a long way. However, for some reason they’ve not agreed to provide the access yet. Really don’t know why.