Identity Governance provides the following templates for Active Directory and eDirectory:
AD Identity
AD Identity with changes
eDirectory Identity
eDirectory Identity (w/o IDM) with changes
eDirectory Hybrid permission
AD Account
AD Permission
AD Hybrid permission
Active Directory LDAP Fulfillment
eDirectory LDAP Fulfillment
For additional information about configuring AD and eDirectory templates, see the following sections:
To ensure synchronization of data from eDirectory to the Identity Governance catalog, the users or groups in eDirectory must have the required minimum rights in the eDirectory repository. The following rights are required for data synchronization:
For full synchronization: Read permission on the users and their attributes that are collected
For fast synchronization: Read permission on the users and their attributes that are collected
For fulfillment: Read and write permission on the users and their attributes for whom the fulfillment request is raised
The Identity Governance collectors for eDirectory have two identity collector templates. The eDirectory Identity template is used when the connected system has both eDirectory and Identity Manager installed, whereas the eDirectory Identity (w/o IDM) with changes template is used when the connected system has eDirectory installed with the change-log module. The change-log module enables the connector to recognize the changes that require publication from the connected system to the Identity Governance catalog.
For more information about collecting identities with changes and the change event collection, and for more information about applying changes see Section 7.3, Collecting from Identity Sources with Change Events and Section 8.9, Understanding Change Event Processing.
For Identity Governance to associate the accounts and permissions with the identities available in the catalog, configure the template as follows. In the Collect Account view, use mail as the Account-User Mapping attribute and email as the Map to attribute. In the Collect Permission view, use member as the Permission-Account or User Mapping attribute and Account ID from Source as the Map to attribute.
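The two mappings above are correlations: an account's mail value is matched against an identity's email value, and each DN in a group's member attribute is matched against the Account ID from Source of a collected account. The following is an added example (not code from the page or from Identity Governance) of that correlation logic in plain JavaScript, run over constructed sample data. The use of the account DN as Account ID from Source, the attribute names on the sample objects, and the function names are assumptions for illustration. Beyond the mapping itself, it reports the two things a governance reviewer cares about: accounts with no owning identity (orphaned) and group members that point at no collected account (dangling).

```javascript
// Added example: correlating collected accounts and permissions with catalog identities.
// Identity side: catalog identities carry "email".
// Account side: collected accounts carry "mail" and an "accountIdFromSource"
// (the DN here; a constructed choice, not a product default).
// Permission side: group objects carry "member", a list of DNs.

// Constructed sample data (not taken from any real directory).
const identities = [
  { id: "id-1", email: "Alice.Smith@example.com" },
  { id: "id-2", email: "bob.jones@example.com" },
  { id: "id-3", email: "carol.white@example.com" },
];

const accounts = [
  { accountIdFromSource: "CN=asmith,OU=Users,DC=example,DC=com", mail: "alice.smith@example.com" },
  { accountIdFromSource: "CN=bjones,OU=Users,DC=example,DC=com", mail: "bob.jones@example.com" },
  { accountIdFromSource: "CN=svc-backup,OU=Service,DC=example,DC=com", mail: "" }, // no mail: cannot be mapped
];

const groups = [
  { name: "Domain Admins", member: ["CN=asmith,OU=Users,DC=example,DC=com", "CN=ghost,OU=Users,DC=example,DC=com"] },
  { name: "Finance", member: ["CN=bjones,OU=Users,DC=example,DC=com", "CN=svc-backup,OU=Service,DC=example,DC=com"] },
];

// Normalise mapping keys so "Alice.Smith@..." and "alice.smith@..." compare equal.
const norm = (s) => (s || "").trim().toLowerCase();

// Account-User Mapping: account.mail -> identity.email
function mapAccountsToIdentities(identities, accounts) {
  const byEmail = new Map();
  for (const idn of identities) {
    const key = norm(idn.email);
    if (key) byEmail.set(key, idn.id);
  }
  const mapped = {};   // accountIdFromSource -> identity id
  const orphaned = []; // accounts that no identity owns
  for (const acct of accounts) {
    const owner = byEmail.get(norm(acct.mail));
    if (owner) mapped[acct.accountIdFromSource] = owner;
    else orphaned.push(acct.accountIdFromSource);
  }
  return { mapped, orphaned };
}

// Permission-Account Mapping: group.member -> account "Account ID from Source"
function mapPermissionsToAccounts(groups, accounts) {
  const known = new Set(accounts.map((a) => norm(a.accountIdFromSource)));
  const holders = {};  // group name -> member DNs that resolve to a collected account
  const dangling = []; // member DNs that resolve to nothing
  for (const g of groups) {
    holders[g.name] = [];
    for (const dn of g.member) {
      if (known.has(norm(dn))) holders[g.name].push(dn);
      else dangling.push({ group: g.name, member: dn });
    }
  }
  return { holders, dangling };
}

// Chain both mappings: which identity ultimately holds which permission?
function permissionsPerIdentity(identities, accounts, groups) {
  const { mapped } = mapAccountsToIdentities(identities, accounts);
  const { holders } = mapPermissionsToAccounts(groups, accounts);
  const ownerByDn = new Map(Object.entries(mapped).map(([dn, owner]) => [norm(dn), owner]));
  const result = {}; // identity id -> list of group names
  for (const [group, dns] of Object.entries(holders)) {
    for (const dn of dns) {
      const owner = ownerByDn.get(norm(dn));
      if (!owner) continue; // held by an orphaned account; surfaces via mapAccountsToIdentities
      (result[owner] = result[owner] || []).push(group);
    }
  }
  return result;
}

console.log(mapAccountsToIdentities(identities, accounts));
console.log(mapPermissionsToAccounts(groups, accounts));
console.log(permissionsPerIdentity(identities, accounts, groups));
```

In the sample, the service account with no mail value is reported as orphaned and the stale "ghost" member of Domain Admins as dangling; both are the kind of finding a review campaign should surface rather than silently drop.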
Identity Governance also provides eDirectory and AD hybrid collectors for collecting permissions. For more information about hybrid collectors, see Section 8.4, Understanding Hybrid Permission Collectors.
If a user is present in Identity Governance but is not present in either Active Directory or eDirectory, you can configure the fulfillment target to create an account through the respective fulfillment targets.
NOTE: Before you configure a fulfillment target with either an Active Directory LDAP fulfillment type or an eDirectory LDAP fulfillment type, you must ensure that Active Directory collects the attributes required for fulfillment. To verify Active Directory or eDirectory LDAP collection, log in to Identity Governance and then click Data Sources > Application Definition Sources.
To configure the fulfillment target, in Step 4.b, you must provide values for the first name, last name, title, and workforceID fields.
In addition, when you configure Fulfillment item configuration and mapping, click {...}, then edit the transform script for the Account name generation payload to connect to the correct Active Directory or eDirectory server for the user.
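The account name generation payload has to turn the required attributes (first name, last name, title, workforceID) into a name that is valid on the chosen directory and a DN under the correct server and container. The following added example (not the page's or the product's own transform script) shows that logic in plain JavaScript; the payload shape, function names, target settings and host names are constructed assumptions, and the 20-character limit used for the AD target reflects the sAMAccountName length limit for user accounts. It handles the cases a generation script tends to get wrong: non-ASCII characters in names, truncation at the target's limit, and collisions with names that already exist on the target.

```javascript
// Added example of account-name-generation logic for an LDAP fulfillment target.
// Plain JavaScript; the payload shape and names are assumptions for illustration,
// not Identity Governance's own transform API.

// Constructed sample request carrying the attributes the fulfillment target requires.
const request = {
  firstName: "Zoë",
  lastName: "O'Brien-Ñúñez",
  title: "Analyst",
  workforceID: "100245",
};

// Names already present on the target (constructed), used to detect collisions.
const existingAccountNames = new Set(["zobriennunez", "zobriennunez1"]);

// Per-target settings (constructed placeholders, not real servers).
// AD: user sAMAccountName is limited to 20 characters. eDirectory CN allows more; 64 is a chosen cap.
const targets = {
  ad:   { host: "ad.example.com",   container: "OU=Users,DC=example,DC=com", maxLen: 20 },
  edir: { host: "edir.example.com", container: "ou=users,o=example",         maxLen: 64 },
};

// Reduce a name to lowercase ASCII letters and digits: strip accents via NFD
// decomposition, then drop apostrophes, hyphens, spaces and anything else that
// is invalid or ambiguous in a sAMAccountName or CN value.
function toAsciiToken(s) {
  return (s || "")
    .normalize("NFD")
    .replace(/[\u0300-\u036f]/g, "") // combining marks left behind by NFD
    .toLowerCase()
    .replace(/[^a-z0-9]/g, "");
}

// Build "<first initial><last name>", truncated to the target's limit, and
// resolve collisions with a numeric suffix that still fits within the limit.
function generateAccountName(req, existing, maxLen) {
  const first = toAsciiToken(req.firstName);
  const last = toAsciiToken(req.lastName);
  if (!first || !last) {
    throw new Error("firstName and lastName are required to generate an account name");
  }
  const base = (first[0] + last).slice(0, maxLen);
  if (!existing.has(base)) return base;
  for (let n = 1; n < 1000; n++) {
    const suffix = String(n);
    const candidate = base.slice(0, maxLen - suffix.length) + suffix;
    if (!existing.has(candidate)) return candidate;
  }
  throw new Error("could not find a free account name for " + base);
}

// Assemble the payload for the chosen target: server, account name and the DN
// under that target's container. LDAP DN attribute types are case-insensitive;
// "CN" vs "cn" only mirrors each directory's customary spelling.
function buildPayload(req, targetKey, existing) {
  const t = targets[targetKey];
  if (!t) throw new Error("unknown fulfillment target: " + targetKey);
  const accountName = generateAccountName(req, existing, t.maxLen);
  const rdnAttr = targetKey === "ad" ? "CN" : "cn";
  return {
    server: t.host,
    accountName,
    dn: `${rdnAttr}=${accountName},${t.container}`,
    givenName: req.firstName,
    sn: req.lastName,
    title: req.title,
    workforceID: req.workforceID,
  };
}

console.log(buildPayload(request, "ad", existingAccountNames));
console.log(buildPayload(request, "edir", existingAccountNames));
```

With the constructed input the base name "zobriennunez" and its first suffixed variant already exist, so the script settles on "zobriennunez2" for both targets; only the server and container in the DN differ, which is the part the transform has to get right for each directory.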