IBM Security Verify

  • 1.  Change sAMAccountName from ISVG

    Posted Tue September 27, 2022 10:09 AM
    Hello,
    Does anybody know how to change the sAMAccountName attribute of an on-premise Active Directory account of a user, please? Ideally without losing its connection to its identity and entitlements in ISVG, of course.
    Thank you
    MarS


    ------------------------------
    Martin Šrajer
    ------------------------------


  • 2.  RE: Change sAMAccountName from ISVG

    Posted Wed September 28, 2022 02:23 AM
    When you ask questions on ISVG please mention whether this is the Governance component (aka IGI) or the IM (aka ISIM).

    It is POSSIBLE to do this with some scripting - it is nothing that is supported out of the box in the adapter (and I would not expect our adapter development to accept an RFE on this).

    I did this many many years ago on ISIM in a combination of utilizing the ISIM account operational workflows and the pre/post exec of the adapter. I do not think that what I did can be utilized as a generic solution.

    Here is my advice - find out what is needed to change the account name on AD (there are a LOT of articles on that on the net) - as long as you restrict this to AD only (not covering extensions like Exchange/Skype) then it is RELATIVELY simple. If you need it also to handle Exchange it gets really nasty...

    When you have done this exercise you can then judge whether implementing this in ISVG is a good idea (my take is stay away from that - make this a manual exceptional process). One of the major considerations is really that an Identity ID should not change over time (best practice) - but we all know there are exceptions to this process in the real world. I would handle it outside and then adopt the account back in ISVG and push the responsibility of the process to the AD people...

    ------------------------------
    Franz Wolfhagen
    WW IAM Consulting Leader - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 3.  RE: Change sAMAccountName from ISVG

    Posted Fri September 30, 2022 12:17 PM
    Hello,
    Thanks for responding to my question :-)
    I am sorry, but I wasn't aware "ISVG" can be interpreted in the present context any other way than "IBM Security Verify Governance". I would expect some ambiguity whether it is version 10.0.0 or 10.0.1 and what patches are installed, but not which product is being talked about. I know "IGI" "survives" in the ISVG in many places and IBM even has an article in the documentation about it.

    Renaming sAMAccountName might not be recommended, but AFAIK only because of applications like ISVG, that integrate with AD the wrong way by binding to changeable attributes instead of using objectSid which exists specifically for this purpose and IS the recommended way. AFAIK the only more stable attribute is objectGUID, but its purpose is a bit different.

    My issue is not if it is recommended or even possible - I can do it manually in AGC through Manage -> Users -> select identity -> Accounts -> select AD account -> Action -> Edit -> modify Account ID - I just need to automate this manual process as ISVG can't do it out-of-the-box and I wasn't able to find any example in the documentation, SDK or on the net - if you know some example can you send a link, please?

    Thank you
    MarS

    ------------------------------
    Martin Šrajer
    ------------------------------
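    The AD-side part of the procedure that the two posts above describe (rename the account in AD only, keep the security principal the same, then let ISVG adopt or reconcile the account back), as an added example in PowerShell that is not part of this thread and not IBM or ISVG code. It assumes the RSAT ActiveDirectory module, rights to modify the target user, and a hypothetical function name Rename-AdSamAccountName; it changes only sAMAccountName, userPrincipalName and the object's CN, and deliberately does nothing about Exchange, profiles or shares, which the thread flags as the hard part. The verification step checks what post 3 relies on: the SID and objectGUID are unchanged after the rename, so anything keyed on objectSid still resolves to the same account.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# write access to the user object. Always run with -WhatIf first.
Import-Module ActiveDirectory

function Rename-AdSamAccountName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $OldSamAccountName,
        [Parameter(Mandatory)] [string] $NewSamAccountName,
        # e.g. "corp.example.com"; if omitted, the UPN keeps its current suffix
        [string] $UpnSuffix
    )

    # sAMAccountName for user objects is limited to 20 characters and must not
    # contain any of  " / \ [ ] : ; | = , + * ? < > @
    if ($NewSamAccountName.Length -gt 20 -or
        $NewSamAccountName -match '["/\\\[\]:;|=,+*?<>@]') {
        throw "Invalid sAMAccountName '$NewSamAccountName'"
    }

    # sAMAccountName is unique per domain: refuse to collide with an existing object.
    # Script-block filter with a variable avoids building a filter string by hand.
    if (Get-ADObject -Filter { sAMAccountName -eq $NewSamAccountName }) {
        throw "sAMAccountName '$NewSamAccountName' is already in use"
    }

    $user       = Get-ADUser -Identity $OldSamAccountName
    $sidBefore  = $user.SID.Value
    $guidBefore = $user.ObjectGUID

    $suffix = if ($UpnSuffix) { $UpnSuffix } else { ($user.UserPrincipalName -split '@')[1] }
    $newUpn = "$NewSamAccountName@$suffix"

    $action = "Rename sAMAccountName to $NewSamAccountName, UPN to $newUpn"
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
        # Login name and UPN change together so Kerberos/UPN logons keep working.
        Set-ADUser -Identity $user -SamAccountName $NewSamAccountName -UserPrincipalName $newUpn
        # Keep the RDN (CN) in step with the login name; the DN changes, the SID does not.
        Rename-ADObject -Identity $user.DistinguishedName -NewName $NewSamAccountName

        # Look the object up again by SID: same security principal, new names.
        $after = Get-ADUser -Identity $sidBefore
        if ($after.SID.Value -ne $sidBefore -or $after.ObjectGUID -ne $guidBefore) {
            throw "Identity check failed after rename of $OldSamAccountName"
        }
        [pscustomobject]@{
            DistinguishedName = $after.DistinguishedName
            SamAccountName    = $after.SamAccountName
            UserPrincipalName = $after.UserPrincipalName
            SID               = $after.SID.Value
            ObjectGUID        = $after.ObjectGUID
        }
    }
}

# Dry run first, then the real change (names are constructed placeholders):
# Rename-AdSamAccountName -OldSamAccountName jdoe -NewSamAccountName jsmith -WhatIf
# Rename-AdSamAccountName -OldSamAccountName jdoe -NewSamAccountName jsmith
```

    After the rename, the account still exists in ISVG under the old Account ID until a reconciliation of the AD target (or a manual adoption, as post 2 suggests) picks up the new sAMAccountName; the returned SID and ObjectGUID are the values to keep for that matching, since they are the only identifiers the rename did not touch.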



  • 4.  RE: Change sAMAccountName from ISVG

    Posted Sat October 01, 2022 05:27 AM
    On the ISVG topic - IBM has "merged" the former IGI and ISIM products under one license in ISVG. There the 2 products (or as we rather call it : components) live on for now. Our roadmap is to merge the "components" into one integrated solution over time. This has caused a lot of confusion as the user communities are normally not reading the announcement letters that are the official source of such information from IBM - so you are not alone....

    As you reference AGC you are using what was formerly the IGI component and not the Identity Manager (ISVG IM) as I assumed in my previous answer. You do not have the same backend workflows available in IGI as you have in IM - the workflows in IGI are for handling mainly approval or other "front-end" UI flows. I am pretty sure that when you do what you describe here in your post the AD Adapter changes the adapter name - but that does not necessarily mean that all the necessary AD actions are performed and the account name change will work - did you really test that ? - remember there are profiles/shares/mailboxes and other things that need to be changed as well and I am pretty sure the adapter does NOT perform these changes....

    My recommendation is to handle this in the AD and reconcile the changes back to IGI instead of trying to automate it - it is IMHO not worth the effort and it is definitely not best practice to implement an IGA/IdM where the account IDs can change - they should be immutable in the design although I reckon that there are cases where this is not enforceable (I had once a case where a new CEO insisted on a specific userid that was owned by an existing user - and here we ended up giving the existing user a new id as it was simply too complex to get the renaming working - here the biggest problem was Exchange..)

    HTH

    ------------------------------
    Franz Wolfhagen
    WW IAM Consulting Leader - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: Change sAMAccountName from ISVG

    Posted Thu October 20, 2022 06:51 AM
    Hello,

    With Identity Manager, it is possible without any customization, because Identity Manager uses the eruid = samAccountName mapping. You can then put eruid as a mandatory attribute in the provisioning policy and you are good to go. We have a client working like this for 7 years.

    With Identity Governance, eruid is not available in the "AGC -> target attributes" menu. If it were there, it would be as simple as that, because the agent is the same on both products. Open an IDEAS request; maybe they implement it 2 years later.

    You have to write a pre or post mapping rule on the adapter according to your logic to change eruid "on the fly".
    Regards

    ------------------------------
    Ali Malik Gürbüz
    Bilgibirikim Std.Lti - Turkey/EMEA
    IBM Business Partner
    9+ Years with ISIM/ISVG etc.
    5.2.5 Certified Exam Developer *I* - 2019
    ------------------------------