OpenText Identity Governance provides templates to simplify the collection of data. Collection templates or collectors are the default mappings of identity, account, or permission data from identity and application sources to the core OpenText Identity Governance schema. Your systems might use different terms for the same type of objects. Collectors enable you to map your system-specific objects from various sources to the OpenText Identity Governance objects in order to collect and publish them to the OpenText Identity Governance catalog.
Each collector has one or more views that allow you to:
Specify which data you will collect from your identity or application source
Describe how that data will be linked together in the catalog
The collector views describe the characteristics of the data source that you could collect. The views are different for identity and application sources. For example, the JDBC Identity (Oracle) collector template can collect data for users, groups, group-to-group associations, and group-to-user associations. Collectors for application sources gather either account or permission data.
For each collector, you can collect data from on-premises data centers by enabling a Cloud Bridge connection.
OpenText Identity Governance provides a large set of collector templates that contain default data and configuration settings for many common enterprise and cloud data sources. Each template can be customized to connect to associated data sources.
NOTE: Customization of templates might require additional knowledge of connected systems, and all modifications are the responsibility of the customer. For further guidance, contact support or professional services.
Every collector has the following common elements:
Collector templates include predefined attribute mappings and value transformation policies for specific data source types. Select a template that best suits the data source. For example, select AD Identity to collect identities from Active Directory. Authorized administrators can also view the list of available templates on the Configuration menu.
NOTE: You can have one or more templates for each data source. Template names indicate that they are permissions or accounts collectors. Template names that end in "with changes" can be enabled for processing incremental change events. For a list of available collection and fulfillment target templates and information about configuring the provided templates, see OpenText Collectors and Fulfillers Configuration Guide.
These are the configurable parameters that allow the collector to connect and, if required, authenticate to the target data source. Depending on the connector, these service parameters can vary and might include file locations, server host and port specifications, or service URLs.
HINT: If you change any service parameter, you must reenter the password to establish a successful connection to the data source.
After initial configuration, you must always update credentials and other service parameters in each template as needed. For example, when connecting to applications that use access tokens for authentication, such as SCIM-compatible applications, you must change the token when it expires and reconfigure the template to use the current access token.
This view also includes Cloud Bridge related parameters, authentication related parameters, and a Test connection button to verify the settings.
Cloud Bridge Connector: The Use Cloud Bridge connector? option enables you to collect data from on-premises data centers when using OpenText Identity Governance as a Service. After enabling a Cloud Bridge connection, you must select the data source pertaining to your data center for credentials to be passed through automatically based on the data source unique ID.
NOTE: Once you enable a Cloud Bridge connection, typically you do not need to specify user name and password for the data host server as credentials will be passed through automatically based on your data source unique ID. However, for collectors such as the SCIM, Identity and Manager AE Permission collectors, you might need to specify ordinals for additional authentication methods. For more information about Cloud Bridge procedures for unique collectors, see OpenText Collectors and Fulfillers Configuration Guide. Always verify that you configure the service parameters correctly by testing the connection.
Each collector is comprised of one or more collector “views” that can be customized to match the characteristics of the data source being collected. These views enable you to map attributes and add transformation scripts. When collecting identities, they also enable you to select a match rule when publishing and merging.
HINT: If you want to map attributes to static values, enclose the value within double quotes while configuring the collector templates. This applies the static value to each collected record.
For information about identity collect views, see Section 7.1, Understanding Collector Templates for Identity Sources and for information about application (account and permission) collect views, see Section 8.2, Understanding Collectors for Application Data Sources.
This view in the collector template allows you to view transformation script usage information. For information about using transformation scripts, see Section 6.9.2, Transforming Data During Collection and Section 6.9.3, Creating Transformation Scripts Using Generative AI.
This option allows you to preview data before running a full collection, preserve the configuration for a data source, or create an emulation package for a data source. You can use generated files to validate and troubleshoot collections, send results to support engineers, and to import data source configurations to a different environment.
For more information about test collections and troubleshooting, see Section 6.9.4, Testing Collections and Section 6.9.5, Creating Emulation Packages.
For more information about configuring data source collector templates, see:
Because each application might have its own format for the data that you plan to collect, you might need to transform the data during the data collection process. For example, the application might store dates as a string (20151202) that needs to be converted to the OpenText Identity Governance date format, which is the Java Date format in milliseconds. Also, an application might use field lengths that do not match the field length in OpenText Identity Governance. These variations in collected data affect your ability to use the data or merge it with data collected from other sources.
Transformation scripts may be added to any mapped data field in any data collector by clicking on the ‘{}’ icon next to the field mapping. This will expand the dialog to allow you to either upload a transformation file or paste in transformation text. If required, you can also delete a transformation script after removing all references to the script from the attribute mapping(s) that use it.
The transforms are done through Nashorn-compatible JavaScript. Within the JavaScript, you can access the collected value through a variable named inputValue. After manipulating the collected value, you can return the value to OpenText Identity Governance by assigning the value to a variable named outputValue.
The following example translates the values true and false from the connected system to active and inactive in the OpenText Identity Governance catalog.
if (inputValue == 'true') { outputValue = 'active'; } else { outputValue = 'inactive'; }
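The date case described above, as an added example that is not part of the OpenText documentation: a Nashorn-compatible (ES5) transformation that turns a yyyyMMdd string into epoch milliseconds and rejects values that are not real calendar dates. Treating the date as midnight UTC and returning null for unusable input are assumptions, and the function names are illustrative.

```javascript
// Added example: Nashorn-compatible (ES5) transformation for a yyyyMMdd string.
// Assumptions: midnight UTC is the wanted instant; null means "no usable value".

function yyyymmddToMillis(raw) {
  if (raw === null || typeof raw === 'undefined') {
    return null;
  }
  // String() also copes with a Java string object handed over by the script engine.
  var text = String(raw).replace(/^\s+|\s+$/g, '');
  var m = /^(\d{4})(\d{2})(\d{2})$/.exec(text);
  if (!m) {
    return null; // wrong shape: "2015-12-02", empty string, trailing junk, ...
  }
  var year = parseInt(m[1], 10);
  var month = parseInt(m[2], 10);
  var day = parseInt(m[3], 10);
  var millis = Date.UTC(year, month - 1, day);
  // Date.UTC silently rolls 20150230 over to 2 March, so confirm the round trip.
  var check = new Date(millis);
  if (check.getUTCFullYear() !== year ||
      check.getUTCMonth() !== month - 1 ||
      check.getUTCDate() !== day) {
    return null;
  }
  return millis;
}

// Constructed sample values, as a source might deliver them.
function demo() {
  var samples = ['20151202', ' 20160229 ', '20150230', '2015-12-02', '', null];
  var out = [];
  for (var i = 0; i < samples.length; i++) {
    out.push(yyyymmddToMillis(samples[i]));
  }
  return out;
}

// In the collector, inputValue is supplied and the result is read from outputValue.
if (typeof inputValue !== 'undefined') {
  outputValue = yyyymmddToMillis(inputValue);
}
```

Running the transformed-data test collection against a handful of records shows whether any source values fall into the null branch before the mapping is published.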
To add or delete a transformation script:
Log in as a Customer or Data Administrator.
Select a configured data source, and then expand a collector view to view related attributes.
Click the ‘{}’ icon next to the field mapping to add and edit a script manually or using OpenText Identity Governance Aviator.
or
Delete a script.
NOTE: You must remove all references to the script from the attribute mappings to delete a script.
Expand the Transformation scripts view of the data collector to see its usage.
Expand the collector view(s) mentioned in the usage information.
Click the ‘{...}’ icon next to the field mapping and choose Select a script... to clear the script usage from the attribute mapping.
Repeat the above step to remove all usage of the script.
Expand the Transformation script view and select the delete icon to delete the script.
For more information about transformations, see the Collected Data Transformations reference.
Authorized administrators can use Generative AI (Artificial Intelligence) to create transformation scripts. Generative AI assists in generating JavaScript code based on natural language descriptions. OpenText Identity Governance provides general instruction regarding AI prompt format and it is included in every transformation script dialog box. Based on the field that you want to map, OpenText Identity Governance provides the input value which is not editable. However, you may choose to not use the default input value. When you enter your prompt in natural language regarding transforming the input value to an output value, OpenText Identity Governance Aviator converts the natural language prompt to code.
Example: When you type: Input variable is a string containing a first name and last name. Output is an email address that is a concatenation of the first name and last name, in lower case. Output is a valid email string.
You will see the following response:
analysis
To achieve the desired output of creating an email address by concatenating the first name and last name in lowercase from the given inputValue, we need to follow these steps:
1) Parse the inputValue string into separate first name and last name.
2) Prepare the email address by concatenating the first name and last name in lower case.
3) Assign the generated email address to outputValue.

code
    var vals = {};
    // Assume inputValue is a scalar containing full name
    var inputValue = "John Doe";
    // Parse full name into first name and last name
    var names = inputValue.split(" ");
    var firstName = names[0].toLowerCase();
    var lastName = names[1].toLowerCase();
    // Generate email by concatenating first name and last name
    var email = firstName + "." + lastName + "@example.com";
    vals.outputValue = email;

summary
In the provided code:
We first assumed the inputValue is a scalar containing the full name in the format "John Doe".
Then we split the inputValue into an array using the space character as the delimiter, assigning these values to firstName and lastName.
Next, we convert both the first name and last name to lowercase using the toLowerCase() method.
After that, we concatenate the firstName, ".", lastName, and the domain name to form the email address (e.g., "john.doe@example.com").
Lastly, we assign the generated email address to the object with the key outputValue in the vals object, which can be used further as needed.
Legal Disclaimer: While efforts are made to ensure the accuracy and relevance of the content produced, the nature of generative AI means that errors, omissions, or incomplete content may occur. Users are strongly advised to independently verify the generated content before relying on it. The use of generated content is at the user's own risk. OpenText disclaims any responsibility or liability for any actions taken based on the content generated by the AI. By using this software, users acknowledge and accept these terms.
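What independent verification of the generated script above can lead to, as an added example (not Aviator output and not OpenText code): a reviewed, Nashorn-compatible (ES5) variant written against the inputValue/outputValue variables described earlier, which does not replace the collected value with a sample literal and copes with names that are not exactly two space-separated ASCII words. The domain parameter, the function names, and the choice to return null for names that cannot be mapped safely are assumptions.

```javascript
// Added example: reviewed, Nashorn-compatible (ES5) variant of the generated script.
// Assumptions: the mail domain is a hypothetical parameter, and returning null
// for names that cannot be mapped safely is a policy choice made for this example.

function nameToEmail(raw, domain) {
  if (raw === null || typeof raw === 'undefined') {
    return null;
  }
  // Collapse whitespace so "  John   Doe " yields two parts, not empty strings.
  var parts = String(raw).replace(/^\s+|\s+$/g, '').split(/\s+/);
  if (parts.length < 2) {
    return null; // single name or blank: names[1] is undefined in the generated script
  }
  var first = normalisePart(parts[0]);
  var last = normalisePart(parts[parts.length - 1]); // middle names are skipped
  if (first === null || last === null) {
    return null;
  }
  var email = first + '.' + last + '@' + domain;
  // Final shape check, so no separator or control character reaches the catalog.
  return /^[a-z0-9-]+\.[a-z0-9-]+@[a-z0-9.-]+$/.test(email) ? email : null;
}

function normalisePart(part) {
  var cleaned = part.toLowerCase().replace(/'/g, '');
  // Refuse anything outside a-z, 0-9 and hyphen rather than guessing a spelling.
  return /^[a-z0-9]+(-[a-z0-9]+)*$/.test(cleaned) ? cleaned : null;
}

// Constructed sample names covering the cases the generated script does not handle.
function demo() {
  var samples = ['John Doe', '  Mary  Ann   Smith-Jones ', "Conor O'Brien",
                 'Madonna', 'José Álvarez', 'John D;oe', null];
  var out = [];
  for (var i = 0; i < samples.length; i++) {
    out.push(nameToEmail(samples[i], 'example.com'));
  }
  return out;
}

// In the collector, inputValue is supplied and the result is read from outputValue.
if (typeof inputValue !== 'undefined') {
  outputValue = nameToEmail(inputValue, 'example.com');
}
```

Two people with the same first and last name produce the same address, so uniqueness still has to be checked wherever the value is used for matching.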
To create a transformation script using Generative AI:
Prerequisites: A generative AI account, such as OpenAI ChatGPT or Google Gemini, and the respective API key. For a list of supported generative AI providers and models, see the OpenText Identity Governance as a Service Quick Start.
Log in as a Customer or Data Administrator.
Select Configuration > Generative AI Settings.
Select the provider.
Select the model.
Type your API key.
(Optional) Edit the default system instructions as needed.
Save the settings.
NOTE: These settings provide instructions to the Generative AI model to analyze, then process natural language as code and provide an explanation of the output.
On the menu bar, select Data Sources or Fulfillment and navigate to the respective data source or fulfillment target.
On the collector or fulfillment target configuration page, click the ‘{}’ icon next to the field mapping.
Create a new script.
Select Identity Governance Aviator.
Enter a script name and description.
Follow the instructions and type your prompt in natural language (see the above example).
Click OK.
(Optional) Select a script and edit as needed.
(Optional) Delete the script if not needed.
When creating, updating, or troubleshooting data collectors, you can test all or part of the collections without publishing the results to the catalog. When you test a collection, you either ensure that the collector is correctly configured, or you have the ability to change the collector configuration and quickly test again to check the results.
HINT: If you change any service parameter, you must reenter the password to establish a successful connection to the data source.
You can view the collected data as soon as the test collection completes, or you can download the results to view later. Results of test collections remain available in the OpenText Identity Governance database until you delete them or they expire.
When you run a test collection, you have some options for the test data:
All records
Some records
When you select a subset of records to collect, you cannot control which records to collect. You could use this option if you want to quickly spot check a collector configuration rather than waiting for all the data to be collected.
Raw data
Raw data contains attribute names from the native application. These attributes have not yet been transformed based on the mappings in the collector. Testing the raw data collection lets you verify that you are collecting the data you intend to collect before OpenText Identity Governance transforms it.
Transformed data
Transformed data contains attribute names that you have mapped from the native application to the attribute names you are using within OpenText Identity Governance. Testing the transformed data collection lets you verify that your mappings within the data collector meet your expectations.
To test a sample collection from a data source:
Log in as a Customer or Data Administrator.
Select a data source.
NOTE: Test connection is not supported when the CSV collector is accessed via an HTTP or HTTPS connection.
Click Test Collection and Troubleshooting.
On the Test Collection tab, select the collectors, then:
Click Run Test Collection.
Select the specific entities to collect.
(Conditional) To collect a subset of records, type the number of records to collect.
(Conditional) To collect all records, make no changes to the default All value.
Start raw data or transformed data collection.
To view the test collection results, select Actions > View.
To download the test collection results to your local computer:
Click Actions > Test collection results.
Enter a meaningful description.
Click Download.
Click the download icon on the OpenText Identity Governance title bar to download test collection results to your local computer.
(Optional) Delete the test collection results from the download area in OpenText Identity Governance.
If you do not manually delete the test collection results from the download area, OpenText Identity Governance will automatically delete the data from the database based on your default download retention day settings. For information about customizing download settings, see Section 4.9, Customizing Download Settings.
(Optional) On the Test Collection tab, click Actions > Delete to delete the test collection.
OpenText Identity Governance will automatically delete the test collection based on your default download retention day settings.
You can more easily troubleshoot collection configuration outside your production environment by creating emulation packages for data source collectors. An emulation package contains CSV files with the raw collected data from the data source and a CSV file containing data source configuration details. Emulation packages remain available in the OpenText Identity Governance database until you delete them or they expire.
To create an emulation package:
Select a data source.
Select Test Collection and Troubleshooting.
Under Download and Emulation, select Create emulation package.
Click Test Collection and Troubleshooting.
On the Download and Emulation tab, click Create emulation package.
To view the emulation records, select Actions > View.
To download the emulation package to your local computer:
Click Actions > Download emulation package (data source and raw collected data).
Enter a meaningful description.
Click Download.
Click the download icon on the OpenText Identity Governance title bar to download the emulation package to your local computer.
(Optional) Delete the emulation package from the download area in OpenText Identity Governance.
If you do not manually delete the emulation package, OpenText Identity Governance will automatically delete the data from the database based on your default download retention day settings. For information about customizing download settings, see Section 4.9, Customizing Download Settings.
(Optional) On the Download and Emulation tab, click Actions > Delete to delete the emulation.
OpenText Identity Governance will automatically delete the emulation based on your default download retention day settings.
The ability to download and import collectors helps you manage your environment in several ways.
Back up a working collector
Replicate an environment
Update collector details in a text editor
Troubleshoot collections
Configuring collectors can take time, and you might go through several iterations of trial and error. When you have configured a collector that achieves the results you want, you should download it and save it with your other backup files. You can also use downloaded collectors to replicate an environment, either in a test environment or to use in another office location.
You could decide that you need to change the predefined attribute mappings and value transformation policies of a template to meet your specific environment. If you find that you need to customize a collector template, rather than only editing the values in a collector, you can download and import collector templates under Configuration in OpenText Identity Governance. For more information about exporting and importing procedures and recommended order of import, see Section 30.0, Exporting and Importing.
NOTE: To correctly import data, you must download data sources from the current version of OpenText Identity Governance.
When you download a data source, the zipped file has the name of the data source. For example, AD_Identities.zip. The files within the zipped file are generically named in English and can include the following files:
Identity_Source.json or Application_Source.json file (depending on type of data source) which contains the configuration of the data source and all of its collectors.
DataCenter_datacentername.json and DataSourceConnection_datasourceconnectionname.json files when the collector uses Cloud Bridge connection.
Attribute files containing the schema elements used by the collectors within the data source. For example, USER_Attributes.json, PERMISSION_Attributes.json, and APPLICATION_attributes.json.
Template files containing the collector template name and version used to create the collectors in the data source. For example, Template_AD-Account_4.0.0.json.
Categories.json file when categories are applied to the source.
To download data source and associated files:
Select a data source, then select Test Collection and Troubleshooting.
Select Download and Emulation.
Click Download Data Source Configuration.
Type a meaningful description such as the collector name.
(Optional) Download included templates, assigned categories, and associated attribute definitions.
Select the download icon on the top title bar to access the saved file and download the file.
HINT: We recommend creating a folder for each data source zipped file and extracting the contents into that folder. This ensures that similarly named files from different sources are not mixed together and do not overwrite those from other sources.
To import associated files and data source:
(Conditional) If your data source has custom schema or categories associated with it, import the previously downloaded schema files or category files before importing the data source. To import attribute definitions, navigate to the respective attribute page under Data Administration and import the respective attribute file. To import categories and templates, select the respective options under Configuration.
Under Data Sources, select Identities or Applications.
Select Import an identity source or Import an application source.
Based on the type of data source, select the Identity_Source.json or the Application_Source.json file.