7.3 ILM Fulfillment

The ILM fulfiller has default attribute mappings that help you fulfill different types of change requests. In addition to change request types supported by the SCIM fulfiller, the ILM fulfiller also supports the USER_PROFILE_MODIFICATION change request type. All required information for this change request is provided in the User profile modification payload field.

In addition to configuring the template and editing transformation scripts as needed, you must add attributes in the Fulfillment Context Attributes area to successfully fulfill change requests. For more information, see the following sections:

7.3.1 ILM Transformation Scripts and Payloads

The ILM fulfiller template allows you to edit the transformation scripts to build the required payload for the change requests for generic fulfillment, user profiles, permissions, and accounts. The ECMA script includes comments that guide you through the payload generation process. After you generate the payload, OpenText Identity Governance sends the payload for fulfillment. The ILM fulfiller template includes the following payloads for the specified change requests:

Payload

Change Requests

User generation payload

ADD APPLICATION USER

User profile modification payload

MODIFY USER PROFILE

Permission generation payload

  • ADD PERMISSION TO USER

  • REMOVE ACCOUNT PERMISSION

  • REMOVE USER PERMISSION

Account generation payload

REMOVE ACCOUNT

Click {...} next to the value of a parameter to define and edit data transformations scripts. Expand the Transformation Scripts view to see a list of included scripts. The following figure provides an example of the ILM transformation script.

Figure 7-1 ILM User_Modification_Payload Script Example

As the example shows, the ECMA script includes comments that guide you through the payload generation process and three input categories:

  • complexMultivalue: List containing all SCIM complex multi-valued attributes.

  • CanonicalValues: List of canonical values for the 'type' attribute of complex multi-valued attributes.

    Example:{ "emails" : [ { "value" : "johndoe@opentext.com", "type" : "work" }, { "value : "johndoe123@gmail.com", "type" : "home" },{ "value : "jdoe@gmail.com", "type" : "other" }]}

    In this example, canonical values are work, home, other.

  • Schema Map attribute: This attribute maps the OpenText Identity Governance attribute to the SCIM attribute namespace. By default, required attributes are added. You can extend the default schema and add custom attributes or remove attributes. For more information about extending the schema, see Extending the OpenText Identity Governance Schema in the OpenText Identity Governance as a Service User and Administration Guide.

When using custom attributes:

  • Enable Allow to be reviewed when adding the custom attribute.

  • Select Configuration > Fulfillment Context Attributes, then add the custom attribute.

  • Add the custom attribute to the user_modification_payload script by:

    • Adding the custom attribute to schemaMap

    • Mapping the custom attribute to the SCIM namespace

    • (Conditional) If the custom attribute is complex multi-valued, adding the custom attribute to the complexMultivalue list, and also adding its canonical values to the canonicalValues list

7.3.2 Mandatory Fulfillment Context Attributes

For the ILM fulfillment to process successfully, you must add certain mandatory attributes to the Fulfillment Context attribute area. The following table provides the list of required attributes.

Fulfillment Context Attributes

Attributes

User (Requester and Recipient)

  • Active

  • City

  • Department

  • Email

  • Employee Type

  • First Name

  • Last Name

  • Phone - Office

  • Preferred Locale

  • Title

  • User ID from Source

  • Workforce ID

Account

  • Account ID from Source

  • Account Name

Permission

  • Permission ID from Source

  • Permission Name