Import entitlements
As part of the application on-boarding process, we should import the entitlements of the target application. This is needed to enable:
- Setting user entitlements during the provisioning process
- Populating the service catalog for request approval
- Viewing the access that a user currently has
Entitlements can be imported using a connector, for applications that have one, or using a CSV file, for manual applications. Both approaches are described below.
Applications with connectors
To import entitlements using a connector, follow the steps listed below:
- Ensure that you have established a connection to your application, as described in Connection details
- Configure a synchronization task, as described below, to import the entitlements
Configure synchronization process
If a sample synchronization configuration already exists, leverage that configuration, especially if you are new to OpenIAM. Alternatively, use the steps described below to create your own configuration.
The configuration here is based on OpenLDAP. Check the connector documentation for details about configuring these processes for your specific application.
From the Webconsole:
- Go to Provisioning -> Synchronization
- Go to Create Synchronization from the side menu
Complete the form as described below. Replace the LDAP-specific details with the details needed for your application.
Field name | Description | Example Value |
---|---|---|
Name | Descriptive value to identify this configuration. | Entitlement synch - OpenLDAP |
Number of Threads | Set this value to 1, which is the default. This controls how many threads are created to process data coming from the connector or CSV file. It is a performance optimization for processing large datasets; however, creating too many threads takes resources away from other operations and can have a negative impact. | 1 |
Is active? | Flag which determines whether the synchronization configuration can be executed. Making a configuration inactive is a way to disable the task. | True |
Detect orphan | Orphan management should not be enabled when processing data from a source system. Orphan management is used to detect records in a target system which are not in the source. Since we are importing entitlements and the source system has not yet been loaded, there are no orphans to detect. | False |
Provision to target systems | This flag enables downstream provisioning to target systems. Once you have configured your synchronization and managed systems, you MUST enable this checkbox to allow downstream provisioning. Since we are importing entitlements, there is nothing to provision. | False |
Synchronization source | This is the source of your data. In this case, since we are using LDAP, our source should be the connector. | Connector (since 4.2.1.2) |
Managed System | Name of the managed system configuration which will be used by the connector. | Test - OpenLDAP |
Synchronization object | Defines the type of object that will be imported. In this case, it is the type of entitlement that we are importing. | Group |
Synch type | Allows you to define whether this should be an incremental or complete synch. Since we are loading data, it should be a complete synch. | Complete |
Synch Frequency | Describes how often the synchronization process should run. If you are in implementation mode, you can leave this field blank. In production, if there is a need to actively synch from the selected application (for example, if you want it to run automatically), define a CRON expression to control the frequency. | Example CRON expressions: every day at 23:00: `0 0 23 * *`; every hour: `0 * * * *`; every 15 minutes: `*/15 * * * *` |
Pre-processor script | Pre-processor script runs before synchronization starts. | Leave blank |
Post-processor script | Post-processor script runs after synchronization has been completed. | Leave blank |
Validation Rule | Groovy script to validate the incoming data from the file. | |