OpenIDM 4.0 – MultiAccount Linking

This topic has 5 replies, 3 voices, and was last updated 6 years, 10 months ago by mn.saran.

  • #6667
     mn.saran
    Participant

    The sample given in the samples guide for the multi account link is based on a role. Do we have an example without a role? I mean with normal user attributes.

    I have this scenario.

    User in IDM has multiple accounts in AD (Business, Admin, Revenue) and I want to link them in IDM during Recon and Sync. Right now we have separate mappings and connectors for each account (except Admin) and they are being linked based on the Account Type attribute.

    I would like to Sync only Business and Revenue and not the Admin using the multi account linking feature.

    Please provide some direction for linking the AD accounts without using role.

    #6669
     Mike Jang
    Spectator

    Hi,

    If I’m reading correctly, you have AD organizational units of “Business”, “Revenue”, and “Admin”.

    It sounds like you want to use multi-account linking, with link qualifiers only for Business and Revenue. Yes, these are roles, but as shown in the multi-account linking sample, they are linked (with qualifiers) to the organizational units.

    My colleague Rajesh has just created a screencast on the sample. Perhaps that can help you set up the links you need between AD accounts.

    Thanks,
    Mike

    #6670
     mn.saran
    Participant

    Thanks Mike for the quick response.

    To clarify again, we cannot have the multi account linking without using roles? If there is a way without using roles please guide me.

    This is what I have right now and, if you see, there is an attribute for separating acc
    accountType == 'revenue'

    Sync.json
    ---------

    {
      "mappings" : [
        {
          "name" : "systemAdAccounts_managedUser",
          "source" : "system/ad/account",
          "sourceIdsCaseSensitive" : false,
          "target" : "managed/user",
          "enableSync" : false,
          "correlationQuery" : {
            "type" : "text/javascript",
            "source" : "var query = {'_queryId' : 'for-userName', 'uid' : source.sAMAccountName};query;"
          },
          "properties" : [ ],
          "onUpdate" : {
            "type" : "text/javascript",
            "file" : "script/idm/ad-idm-update.js"
          },
          "onLink" : {
            "type" : "text/javascript",
            "file" : "script/idm/ad-idm-update.js"
          },
          "onUnlink" : {
            "type" : "text/javascript",
            "file" : "script/idm/ad-idm-unlink.js"
          },
          "policies" : [
            { "situation" : "CONFIRMED",      "action" : "UPDATE" },
            { "situation" : "FOUND",          "action" : "UPDATE" },
            { "situation" : "ABSENT",         "action" : "UNLINK" },
            { "situation" : "AMBIGUOUS",      "action" : "EXCEPTION" },
            { "situation" : "MISSING",        "action" : "UNLINK" },
            { "situation" : "SOURCE_MISSING", "action" : "UNLINK" },
            { "situation" : "UNQUALIFIED",    "action" : "IGNORE" },
            { "situation" : "UNASSIGNED",     "action" : "IGNORE" }
          ]
        },
        {
          "name" : "managedUser_systemAdAccounts",
          "source" : "managed/user",
          "sourceIdsCaseSensitive" : false,
          "target" : "system/ad/account",
          "enableSync" : true,
          "links" : "systemAdAccounts_managedUser",
          "properties" : [ ],
          "validSource" : {
            "type" : "text/javascript",
            "source" : "source.resource_ad == 'true'"
          },
          "onCreate" : {
            "type" : "text/javascript",
            "file" : "script/ad/idm-ad-create.js"
          },
          "onUpdate" : {
            "type" : "text/javascript",
            "file" : "script/ad/idm-ad-update.js"
          },
          "onUnlink" : {
            "type" : "text/javascript",
            "file" : "script/ad/idm-ad-unlink.js"
          },
          "policies" : [
            { "situation" : "CONFIRMED",      "action" : "UPDATE" },
            { "situation" : "FOUND",          "action" : "UPDATE" },
            { "situation" : "ABSENT",         "action" : "CREATE" },
            { "situation" : "AMBIGUOUS",      "action" : "EXCEPTION" },
            { "situation" : "MISSING",        "action" : "UNLINK" },
            { "situation" : "SOURCE_MISSING", "action" : "IGNORE" },
            { "situation" : "UNQUALIFIED",    "action" : "IGNORE" },
            { "situation" : "UNASSIGNED",     "action" : "IGNORE" }
          ]
        },
        {
          "name" : "systemAdadminAccounts_managedUser",
          "source" : "system/adadmin/account",
          "sourceIdsCaseSensitive" : false,
          "target" : "managed/user",
          "enableSync" : false,
          "correlationQuery" : {
            "type" : "text/javascript",
            "source" : "var query = {'_queryId' : 'for-employeeNumber', 'uid' : source.employeeID};query;"
          },
          "properties" : [ ],
          "validSource" : {
            "type" : "text/javascript",
            "source" : "source.accountType == 'admin'"
          },
          "onUpdate" : {
            "type" : "text/javascript",
            "file" : "script/idm/adadmin-idm-update.js"
          },
          "onLink" : {
            "type" : "text/javascript",
            "file" : "script/idm/adadmin-idm-update.js"
          },
          "onUnlink" : {
            "type" : "text/javascript",
            "file" : "script/idm/adadmin-idm-unlink.js"
          },
          "policies" : [
            { "situation" : "CONFIRMED",      "action" : "UPDATE" },
            { "situation" : "FOUND",          "action" : "UPDATE" },
            { "situation" : "ABSENT",         "action" : "UNLINK" },
            { "situation" : "AMBIGUOUS",      "action" : "EXCEPTION" },
            { "situation" : "MISSING",        "action" : "UNLINK" },
            { "situation" : "SOURCE_MISSING", "action" : "UNLINK" },
            { "situation" : "UNQUALIFIED",    "action" : "UNLINK" },
            { "situation" : "UNASSIGNED",     "action" : "IGNORE" }
          ]
        },
        {
          "name" : "managedUser_systemAdadminAccounts",
          "source" : "managed/user",
          "sourceIdsCaseSensitive" : false,
          "target" : "system/adadmin/account",
          "enableSync" : true,
          "links" : "systemAdadminAccounts_managedUser",
          "properties" : [ ],
          "validSource" : {
            "type" : "text/javascript",
            "source" : "source.resource_adadmin == 'true'"
          },
          "onUpdate" : {
            "type" : "text/javascript",
            "file" : "script/adadmin/idm-adadmin-update.js"
          },
          "onUnlink" : {
            "type" : "text/javascript",
            "file" : "script/adadmin/idm-adadmin-unlink.js"
          },
          "policies" : [
            { "situation" : "CONFIRMED",      "action" : "UPDATE" },
            { "situation" : "FOUND",          "action" : "UPDATE" },
            { "situation" : "ABSENT",         "action" : "IGNORE" },
            { "situation" : "AMBIGUOUS",      "action" : "EXCEPTION" },
            { "situation" : "MISSING",        "action" : "UNLINK" },
            { "situation" : "SOURCE_MISSING", "action" : "IGNORE" },
            { "situation" : "UNQUALIFIED",    "action" : "UNLINK" },
            { "situation" : "UNASSIGNED",     "action" : "IGNORE" }
          ]
        },
        {
          "name" : "systemAdrevenueAccounts_managedUser",
          "source" : "system/adrevenue/account",
          "sourceIdsCaseSensitive" : false,
          "target" : "managed/user",
          "enableSync" : false,
          "correlationQuery" : {
            "type" : "text/javascript",
            "source" : "var query = {'_queryId' : 'for-employeeNumber', 'uid' : source.employeeID};query;"
          },
          "properties" : [ ],
          "validSource" : {
            "type" : "text/javascript",
            "source" : "source.accountType == 'revenue'"
          },
          "onUpdate" : {
            "type" : "text/javascript",
            "file" : "script/idm/adrevenue-idm-update.js"
          },
          "onLink" : {
            "type" : "text/javascript",
            "file" : "script/idm/adrevenue-idm-update.js"
          },
          "onUnlink" : {
            "type" : "text/javascript",
            "file" : "script/idm/adrevenue-idm-unlink.js"
          },
          "policies" : [
            { "situation" : "CONFIRMED",      "action" : "UPDATE" },
            { "situation" : "FOUND",          "action" : "UPDATE" },
            { "situation" : "ABSENT",         "action" : "UNLINK" },
            { "situation" : "AMBIGUOUS",      "action" : "EXCEPTION" },
            { "situation" : "MISSING",        "action" : "UNLINK" },
            { "situation" : "SOURCE_MISSING", "action" : "UNLINK" },
            { "situation" : "UNQUALIFIED",    "action" : "UNLINK" },
            { "situation" : "UNASSIGNED",     "action" : "IGNORE" }
          ]
        },
        {
          "name" : "managedUser_systemAdrevenueAccounts",
          "source" : "managed/user",
          "sourceIdsCaseSensitive" : false,
          "target" : "system/adrevenue/account",
          "enableSync" : true,
          "links" : "systemAdrevenueAccounts_managedUser",
          "properties" : [ ],
          "validSource" : {
            "type" : "text/javascript",
            "source" : "source.resource_adrevenue == 'true'"
          },
          "onUpdate" : {
            "type" : "text/javascript",
            "file" : "script/adrevenue/idm-adrevenue-update.js"
          },
          "onUnlink" : {
            "type" : "text/javascript",
            "file" : "script/adrevenue/idm-adrevenue-unlink.js"
          },
          "policies" : [
            { "situation" : "CONFIRMED",      "action" : "UPDATE" },
            { "situation" : "FOUND",          "action" : "UPDATE" },
            { "situation" : "ABSENT",         "action" : "IGNORE" },
            { "situation" : "AMBIGUOUS",      "action" : "EXCEPTION" },
            { "situation" : "MISSING",        "action" : "UNLINK" },
            { "situation" : "SOURCE_MISSING", "action" : "IGNORE" },
            { "situation" : "UNQUALIFIED",    "action" : "UNLINK" },
            { "situation" : "UNASSIGNED",     "action" : "IGNORE" }
          ]
        }
      ]
    }

    #6671
     andi
    Participant

    Even though the current samples/multiaccountlinking conditions on role, it should not really be read as role specific. A different discussion would be whether you maybe would want to model what you're looking for via dynamic (or static) roles, but if you really don't want roles, then if you follow the elements in the readme, these should apply to any attribute.

    Specifically, study these 3 points in sync config:

    a) List the link qualifiers; or in other words, what you want to name the different types of target accounts, such as "Business" and "Revenue" (or alternatively have a script that returns the applicable one(s) for this user).

    b) If you listed a static list of link qualifiers in a), and *IF* not all users should just get all those target accounts, write a condition in validSource that decides who actually gets 0, 1 or multiple target accounts.
    I.e. have the validSource condition check if this user should have the specific target account. In other words, if the user should have a target account for a specific link qualifier (the "types of target account" you named above). This gets invoked for every user (source), for every possible link qualifier.
    bb) In your case, for example, determine based on some attribute value that the user should get the target account (pseudo-code):
    (linkQualifier === 'Business' && source.someattr === 'somevalue')

    c) To match up to existing accounts on the target (to an existing user in source), specify the correlation query for each link qualifier (type of target account); also see the doc at 12.14.2 Correlating Multiple Target Objects.

    HTH
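    The three elements above, worked through as an added example that is not code from the thread or from the OpenIDM samples: the link qualifier list, a validSource condition keyed on linkQualifier, and one correlation query per qualifier, modelled as plain functions so the per-user, per-qualifier outcome can be run offline. The attribute names accountType, employeeID, resource_ad and resource_adrevenue are taken from the poster's sync.json; employeeNumber on the managed user, and the tiny filter evaluator that stands in for the AD connector, are assumptions.

```javascript
// Added example, not OpenIDM code: models the sync.json link-qualifier logic
// as functions. employeeNumber and the filter evaluator below are assumptions.
const LINK_QUALIFIERS = ["business", "revenue"]; // a) "admin" left out on purpose

// b) validSource, evaluated once per (managed user, link qualifier).
function validSource(source, linkQualifier) {
  if (linkQualifier === "business") return source.resource_ad === "true";
  if (linkQualifier === "revenue") return source.resource_adrevenue === "true";
  return false; // any other qualifier: this user never gets that account
}

// c) one correlation query per link qualifier: the employeeID match the poster
// already uses, plus accountType so each qualifier finds only its own account.
function correlationQuery(source, linkQualifier) {
  return { _queryFilter: 'employeeID eq "' + source.employeeNumber +
                         '" and accountType eq "' + linkQualifier + '"' };
}

// Stand-in for the connector: evaluates the 'attr eq "value" and ...' filters built above.
function matchesFilter(account, filter) {
  return filter.split(" and ").every(function (clause) {
    const m = /^(\w+) eq "([^"]*)"$/.exec(clause);
    return m !== null && String(account[m[1]]) === m[2];
  });
}

// Situation for (user, qualifier) when no link exists yet: UNQUALIFIED, ABSENT, FOUND or AMBIGUOUS.
function assess(source, linkQualifier, adAccounts) {
  if (!validSource(source, linkQualifier)) return "UNQUALIFIED";
  const filter = correlationQuery(source, linkQualifier)._queryFilter;
  const hits = adAccounts.filter(function (a) { return matchesFilter(a, filter); });
  if (hits.length === 0) return "ABSENT";
  return hits.length === 1 ? "FOUND" : "AMBIGUOUS";
}

function plan(source, adAccounts) {
  const out = {};
  LINK_QUALIFIERS.forEach(function (q) { out[q] = assess(source, q, adAccounts); });
  return out;
}

// Constructed sample data (not real identities).
const USER_A = { employeeNumber: "1001", resource_ad: "true", resource_adrevenue: "true" };
const USER_B = { employeeNumber: "1002", resource_ad: "true", resource_adrevenue: "false" };
const AD = [
  { sAMAccountName: "jdoe",     employeeID: "1001", accountType: "business" },
  { sAMAccountName: "jdoe-rev", employeeID: "1001", accountType: "revenue" },
  { sAMAccountName: "jdoe-rv2", employeeID: "1001", accountType: "revenue" }, // duplicate: AMBIGUOUS
  { sAMAccountName: "jdoe-adm", employeeID: "1001", accountType: "admin" }    // never correlated
];
```

    Note that the admin account is never touched: it is neither a listed qualifier nor matched by any correlation query, which is how the "sync only Business and Revenue" requirement falls out of the configuration rather than out of a role.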

    #7534
     mn.saran
    Participant

    Could you please provide me a sample from LDAP to managed/user, the reverse of the sample provided?

    #7573
     mn.saran
    Participant

    I am getting an "object is undefined" error when using a dynamic linkQualifiers.js script in the admin UI. Please advise asap.

    (function () {
        // OpenIDM invokes a linkQualifiers script with returnAll set (and no
        // source object) to list every possible qualifier, so handle that case
        // before object is dereferenced; console is not a script binding, logger is.
        var qualifier_business = [ "business" ];
        var qualifier_default = [ "default" ];
        if (returnAll) {
            return [ "business", "revenue", "default" ];
        }
        if (object === null || typeof object === "undefined") {
            logger.info("No source object passed to linkQualifiers.js, returning default");
            return qualifier_default;
        }
        logger.info("Launching linkQualifiers.js: " + object.userName);
        if (object.userName === "00808343") {
            logger.info("Returning link qualifiers: " + JSON.stringify(qualifier_business));
            return qualifier_business;
        }
        logger.info("No link qualifiers, so returning default");
        return qualifier_default;
    }());
