7.3 Collecting from Identity Sources with Change Events

NOTE:We do not support using the Identity collector with changes when you merge identity sources.

Full collection and publication includes data collection, provisioning of technical and business roles, and SoD and risk calculations, and can take more processing time and memory than incrementally collecting changes. Identity sources with change events provide incremental change events for user and group data from supported identity sources, so that Identity Governance can update the identity catalog incrementally, improve processing time, and reduce database growth.

Always monitor processing times, system memory usage, and database growth, and evaluate whether full collection or change collection is the better option for your environment. For example, if Active Directory is your LDAP source and you collect the Last Login attribute (the default), that attribute changes with each user logon, so a large share of users can generate change events between polls and collecting only change events might take as much time as a full collection. In that scenario, change event collection might not be the optimal option.

IMPORTANT:Identity source collectors with change events are not intended to handle large-scale changes to the source directory, such as changes to the user population resulting from mergers or spin-offs, major changes to group memberships, or major reorganizations of any kind. In such cases, disable event processing, run a full collection and publication after the major changes, and then enable event processing again.

To periodically pull change events and incrementally update your identity catalog, the following conditions apply:

Identity Governance allows you to configure multiple non-merging identity source collectors to collect change events. You can set the polling interval and the maximum polling time in minutes for each collector so that the collectors function independently. We do not recommend setting the polling interval to less than 35 minutes. If you do not set the polling values when configuring the collector, Identity Governance uses the globally preconfigured values to determine the polling frequency; polling values set at the collector level take precedence over the global values. The global configuration parameters are com.netiq.iac.rtc.event.polling.interval and com.netiq.iac.rtc.max.polling.timeout.

You must perform at least one collection and publication before Identity Governance starts the polling cycle; until then, a collector with Enable change event processing selected remains in the BLOCKED status.

The Identity Change Event Productions page shows details of the change events that occurred during the polling period, such as the entities that were added, modified, or deleted. You can select or sort the columns, search events by their event data, and filter events by event type.

If you run a collection for one of the identity sources after enabling change event collection, Identity Governance suspends polling for that source but continues polling the other identity sources that have change event collection. Polling for the suspended source does not resume until the collection is published by the next identity publication.

NOTE:While an identity publication is in progress, polling is temporarily suspended for all identity source change event collectors until the publication completes.

Events are typically collected in batches of up to 100 events. However, if the identity source's Batch Size Limit, as configured in the Service Parameters, is less than 100, that smaller value is the upper limit for event collection.

During event collection, Identity Governance treats a user record that moves in the underlying LDAP tree from outside the scope of the configured Search Base to inside it as an ADD event. Likewise, it treats a user record that moves from inside the Search Base scope to outside it as a DELETE event. The Data Sources > Activity page reports the number of events of each type that were processed in the most recent event processing period as part of the details of the most recent collection for that collector.
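The following Python model shows how a move across the Search Base boundary is classified and how the per-type counts for the Activity page come out. It is an added illustration, not Identity Governance code: the event dictionary layout, the function names, and the sample changes are assumptions, and the DN handling is simplified (split on unescaped commas, case-insensitive comparison) rather than a full RFC 4514 normalization. It also shows why scope must be matched on whole RDN components rather than by substring: an OU named "XUsers" is not inside "OU=Users".

```python
"""Classify directory changes against a collector's Search Base.

Added illustration only; not Identity Governance code. The DN parsing is
simplified (no full RFC 4514 normalization) and the event layout is assumed.
"""
import re
from collections import Counter

# Split a DN into RDN components on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r'(?<!\\),')


def dn_components(dn):
    """Normalized RDN components: 'CN=Ann, OU=Sales,DC=x' -> ['cn=ann', 'ou=sales', 'dc=x']."""
    return [part.strip().lower() for part in _RDN_SPLIT.split(dn) if part.strip()]


def in_scope(dn, search_base):
    """True when dn is at or below search_base (subtree scope), compared by whole RDN components."""
    dn_parts = dn_components(dn)
    base_parts = dn_components(search_base)
    if len(base_parts) > len(dn_parts):
        return False
    return dn_parts[len(dn_parts) - len(base_parts):] == base_parts


def classify(event, search_base):
    """Map a raw directory change to the event type the collector reports.

    event: dict with 'op' (add/modify/delete/move), 'dn' and, for moves, 'new_dn'.
    Returns 'ADD', 'MODIFY', 'DELETE', or None when the change is out of scope.
    """
    op = event['op']
    if op == 'move':
        before = in_scope(event['dn'], search_base)
        after = in_scope(event['new_dn'], search_base)
        if not before and after:
            return 'ADD'        # moved into the Search Base: treated as ADD
        if before and not after:
            return 'DELETE'     # moved out of the Search Base: treated as DELETE
        return 'MODIFY' if after else None   # moved within scope, or entirely outside it
    if not in_scope(event['dn'], search_base):
        return None
    return op.upper()


def count_events(events, search_base):
    """Per-type totals, as reported on the Data Sources > Activity page."""
    counts = Counter()
    for ev in events:
        kind = classify(ev, search_base)
        if kind:
            counts[kind] += 1
    return dict(counts)


# Constructed sample changes (not real directory data).
SAMPLE_EVENTS = [
    {'op': 'add', 'dn': 'CN=Ann,OU=Users,DC=example,DC=com'},
    {'op': 'modify', 'dn': 'cn=Bob,ou=Users,dc=example,dc=com'},
    {'op': 'move', 'dn': 'CN=Cy,OU=Contractors,DC=example,DC=com',
     'new_dn': 'CN=Cy,OU=Users,DC=example,DC=com'},                  # into scope -> ADD
    {'op': 'move', 'dn': 'CN=Di,OU=Users,DC=example,DC=com',
     'new_dn': 'CN=Di,OU=Leavers,DC=example,DC=com'},                # out of scope -> DELETE
    {'op': 'move', 'dn': 'CN=Ed,OU=Users,DC=example,DC=com',
     'new_dn': 'CN=Ed,OU=Ops,OU=Users,DC=example,DC=com'},           # within scope -> MODIFY
    {'op': 'delete', 'dn': 'CN=Fay,OU=Contractors,DC=example,DC=com'},  # never in scope -> ignored
    {'op': 'add', 'dn': 'CN=Gus,OU=XUsers,DC=example,DC=com'},       # 'XUsers' is not 'Users' -> ignored
]

if __name__ == '__main__':
    print(count_events(SAMPLE_EVENTS, 'OU=Users,DC=example,DC=com'))
```

Running the module prints {'ADD': 2, 'MODIFY': 2, 'DELETE': 1}: the two moves across the boundary are counted as one ADD and one DELETE, the move within scope as a MODIFY, and the two changes outside the Search Base are not reported at all.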

For more efficient event processing, Identity Governance does not generate change events for membership changes in eDirectory or Identity Manager dynamic groups. Also, removing a member from an eDirectory or Identity Manager group does not remove that member from any of the group's super groups if those groups are configured to report nested members in the membership query.

If you have upgraded from a previous version of Identity Governance, use the Identity Source Migration utility to update your Active Directory data collector, eDirectory data collector, and Identity Manager data collector to accept change events.

7.3.1 Understanding Change Event Collection Status

Event collection displays one of the following statuses:

DISABLED
  Event processing is not enabled for this collector and identity source. If event processing is enabled from this state, the status becomes BLOCKED, and the identity source must be collected and published before the status can become READY.

BLOCKED
  Event processing is enabled, but cannot proceed because the preconditions for processing change events were not met. For more information, see Section 7.3, Collecting from Identity Sources with Change Events.

READY
  Event processing is enabled and not blocked, but is awaiting scheduling to proceed.

IN_PROGRESS
  Events are being polled for and processed.

NOTE:Event processing remains in progress until a polling request returns no events or until the configured maximum event processing time is reached.
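The status transitions above interact with the rules in Section 7.3 (a publication is required before polling starts, a full collection suspends polling for that source only, and a running publication suspends polling for every source). The following Python model puts those rules in one place so you can trace a scenario. It is an added illustration, not Identity Governance code: the class and method names, the single scheduler, and the sample scenario are assumptions, and the maximum polling time is not modeled.

```python
"""Toy model of the change event collection status lifecycle.

Added illustration only, not Identity Governance code. Class and method
names are assumptions; the maximum polling time is not modeled.
"""
from dataclasses import dataclass, field


@dataclass
class ChangeEventCollector:
    name: str
    status: str = 'DISABLED'        # DISABLED, BLOCKED, READY or IN_PROGRESS
    published_once: bool = False    # at least one collection and publication has run
    suspended: bool = False         # a full collection ran after enablement

    def enable(self):
        """Enabling from DISABLED yields BLOCKED until the source has been published."""
        if self.status == 'DISABLED':
            self.status = 'READY' if self.published_once else 'BLOCKED'

    def disable(self):
        self.status = 'DISABLED'

    def full_collection(self):
        """A full collection after enablement suspends polling for this source only."""
        if self.status != 'DISABLED':
            self.suspended = True

    def publication_completed(self):
        """Publication satisfies the precondition and lifts a per-source suspension."""
        self.published_once = True
        self.suspended = False
        if self.status == 'BLOCKED':
            self.status = 'READY'


@dataclass
class Scheduler:
    collectors: list = field(default_factory=list)
    publication_in_progress: bool = False

    def pollable(self):
        """Names of collectors the next polling cycle may run; none while a publication runs."""
        if self.publication_in_progress:
            return []
        return [c.name for c in self.collectors
                if c.status == 'READY' and not c.suspended]

    def poll(self, collector, batches):
        """Process batches until one comes back empty; returns the number of events processed."""
        if collector.name not in self.pollable():
            return 0
        collector.status = 'IN_PROGRESS'
        processed = 0
        for batch in batches:
            if not batch:            # a polling request returned no events: stop
                break
            processed += len(batch)
        collector.status = 'READY'
        return processed


def demo():
    """Constructed scenario with two collectors; returns what is pollable at each step."""
    ad = ChangeEventCollector('AD Identity with changes')
    edir = ChangeEventCollector('eDirectory Identity with changes')
    sched = Scheduler([ad, edir])
    ad.enable()
    edir.enable()
    steps = [(ad.status, edir.status)]          # both BLOCKED: nothing published yet
    ad.publication_completed()
    edir.publication_completed()
    steps.append(sched.pollable())              # both READY
    ad.full_collection()                        # AD polling suspended, eDirectory continues
    steps.append(sched.pollable())
    sched.publication_in_progress = True        # publication running: all polling paused
    steps.append(sched.pollable())
    sched.publication_in_progress = False
    ad.publication_completed()                  # next publication lifts the AD suspension
    steps.append(sched.pollable())
    return steps


if __name__ == '__main__':
    for step in demo():
        print(step)
```

The scenario in demo() walks through the four situations the documentation describes: both collectors BLOCKED right after enablement, both pollable after publication, only eDirectory pollable after a full AD collection, nothing pollable during a publication, and both pollable again once that publication completes.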

7.3.2 Supported Attribute Syntaxes for eDirectory and Identity Manager Change Events Collection

Identity Governance supports the collection of the following attribute syntaxes during eDirectory and Identity Manager change events collection:

  • Boolean

  • Case Exact String

  • Case Ignore List

  • Case Ignore String

  • Class Name

  • Counter

  • Distinguished Name

  • Integer

  • Integer 64

  • Interval

  • Numeric String

  • Object ACL

  • Octet String

  • Path

  • Postal Address

  • Printable String

  • Telephone Number

  • Time

  • Typed Name

  • Unknown

7.3.3 Converting an Identity Collector to a Change Event Identity Collector

Identity Governance allows you to convert an existing identity collector to one that accepts change events. While converting, you can compare the parameters of the two versions and make changes to the fields as required. You can convert the following identity collectors:

Collector                         Convert to
AD Identity                       AD Identity with changes
eDirectory Identity               eDirectory Identity with changes or IDM Identity with changes
eDirectory Identity with changes  IDM Identity with changes
Identity Manager Identity         IDM Identity with changes

To convert an identity source to one with changes:

  1. In Identity Governance, select Data Sources > Identities.

  2. Select the identity source, then expand the view of the collector.

  3. (Conditional) If a higher version of the collector template is available, then Identity Governance provides the option to upgrade the template. To upgrade:

    1. Specify details as necessary and save.

    2. Select Upgrade.

    3. Compare configurations and make changes as needed.

    4. Select Upgrade.

    5. Select Back to data source page.

    6. (Optional) Restore to Template Version number if you want to revert to the older template.

  4. To convert the collector to the with changes template, click Convert.

  5. Review the following updates:

    • Identity Governance changed the template name to the with changes template that corresponds to the template in use before the update.

    • The Service Parameters section prompts to re-enter the password.

    • Under Collect Identity and Collect Group (the user view):

      • (Conditional) For an Active Directory identity change event source, Identity Governance has added the new parameter LDAP Identity Changes Search Filter, with the value (objectClass=user). This parameter identifies the events from Active Directory DirSync or AD Connect that the connector delivers in this view to Identity Governance. Modify this parameter only if your Active Directory contains other object classes that correspond to users, and then only by adding further objectClass terms to the LDAP filter expression, for example as an OR filter such as (|(objectClass=user)(objectClass=yourUserClass)).

      • (Conditional) For an Active Directory identity change event source, Identity Governance has added the new parameter AD Object Categories for Changes, with the value user. If needed, you can modify this value by adding other object category names in a comma-separated list.

    • The option Enable Change Event Collection is checked and requires input for the following fields:

      • Polling interval

        We do not recommend setting this to less than 35 minutes.

      • Maximum poll time

      • Last poll time

  6. Click Convert.