IBM Security Verify

  • 1.  IBM security identity manager creating windows id in different OU

    Posted Thu May 28, 2020 03:08 AM
    We have one query on creating IDs in different OUs. For example, from the ISIM SSUI, while creating a Windows ID, I gave the ID creation format in this way: accountid@hostname. The ID got created successfully on the given hostname, but we checked the servername agent cfg file and found that new users are created in the OU=New_Users,dc=servername,dc=net path.

    I think the sysadmin can change this path in the cfg file, and ISIM will then create IDs in the new path.

    Here we are looking for an option to create IDs in different OUs. For example:

    Can we have an option to create IDs in different OUs while raising an ID creation request, like:

    case 1- OU=project1,OU=Users,OU=Location1,OU=CountryName,DC=servername,DC=companyname,DC=NET
    case 2- OU=project2,OU=Users,OU=Location1,OU=CountryName,DC=servername,DC=companyname,DC=NET
    case 3- OU=project3,OU=Users,OU=Location1,OU=CountryName,DC=servername,DC=companyname,DC=NET
    case 4- OU=project4,OU=Users,OU=Location2,OU=CountryName,DC=servername,DC=companyname,DC=NET

    ------------------------------
    Himanshu Ranjan
    ------------------------------


  • 2.  RE: IBM security identity manager creating windows id in different OU

    Posted Thu May 28, 2020 04:38 AM
    The attribute that governs the OU is the "Container" (eradcontainer in LDAP), and on the account it is an offset to the user basepoint specified on the service.
    So if you need some accounts placed in a different OU, your basepoint must include your OU, and then the provisioning policy logic can derive the value, and you can override this in the account creation unless your policy is mandatory and the service is set to "correct compliance".

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
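
    The basepoint/offset relationship described in the reply above, as an added example that is not part of the original thread and not IBM's code: it computes the container value for a target OU relative to a user basepoint and rejects any OU outside it. The function names, the sample basepoint, and the assumption that the container is written as the RDNs between the target OU and the basepoint are all hypothetical.

```javascript
// Added illustration: function names are hypothetical, not ISIM or adapter APIs.

// Split a DN into RDNs, keeping backslash-escaped commas inside a value.
function splitDn(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === "\\" && i + 1 < dn.length) {
      cur += ch + dn[++i]; // keep the escape pair intact
    } else if (ch === ",") {
      rdns.push(cur.trim());
      cur = "";
    } else {
      cur += ch;
    }
  }
  rdns.push(cur.trim());
  return rdns.filter((r) => r.length > 0);
}

// Normalise one RDN for comparison (AD compares type and value case-insensitively).
function normRdn(rdn) {
  const eq = rdn.indexOf("=");
  if (eq < 1) throw new Error("malformed RDN: " + rdn);
  return rdn.slice(0, eq).trim().toLowerCase() + "=" +
         rdn.slice(eq + 1).trim().toLowerCase();
}

// Return the part of targetDn that lies below basepointDn (the container offset),
// "" when both are the same entry, or null when the target is outside the basepoint.
function containerOffset(basepointDn, targetDn) {
  const base = splitDn(basepointDn).map(normRdn);
  const targetRaw = splitDn(targetDn);
  const target = targetRaw.map(normRdn);
  if (target.length < base.length) return null;
  const skip = target.length - base.length;
  for (let i = 0; i < base.length; i++) {
    if (target[skip + i] !== base[i]) return null; // suffix must match the basepoint
  }
  return targetRaw.slice(0, skip).join(",");
}
```

    A null result means the requested OU is not covered by the service's user basepoint, which is the case to reject or escalate before any container value is set on the account.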



  • 3.  RE: IBM security identity manager creating windows id in different OU

    Posted Thu May 28, 2020 12:02 PM
    Hi Franz,
    Thanks for your input. Do you have any kind of sample example? If so, could you please post it for me, such as what changes are required in the basepoint and policy?

    ------------------------------
    himanshu ranjan3
    ------------------------------



  • 4.  RE: IBM security identity manager creating windows id in different OU

    Posted Fri May 29, 2020 02:43 AM
    You are asking questions that depend on insight into how the actual system is set up and what the exact requirements are - I cannot help with that without understanding the implementation/requirement in more detail.

    That said - you should be able to find all relevant information in the formal documentation - the way basepoint works is defined in the Windows AD adapter documentation (and release notes - always read these...) - provisioning policy setup is a very broad knowledge item and is part of any ISIM design - understanding this is a prerequisite in handling account management (i.e. provisioning in general) in ISIM.

    So - examples of how this works are something you would need to study - it is NOT rocket science. Basepoint is normally defined once as it defines the scope of what to manage in Windows AD (be aware of the difference between user basepoint and group basepoint - the difference is important if you handle very large/complex ADs - but the AD administrators are the key persons to help on that). Provisioning Policy setup is part of your core ISIM design and you will need to work with those responsible for that to understand how this should work (e.g. is this role based or request based and what are the business rules).

    HTH

    ------------------------------
    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 5.  RE: IBM security identity manager creating windows id in different OU

    Posted Mon June 01, 2020 05:57 AM
    Hi Franz,
    Thanks a lot for your input. I am going through your recommended points.

    ------------------------------
    himanshu ranjan3
    ------------------------------