Hello,
Thanks for responding to my question :-)
I am sorry, but I wasn't aware "ISVG" can be interpreted in the present context any other way than "IBM Security Verify Governance". I would expect some ambiguity whether it is version 10.0.0 or 10.0.1 and what patches are installed, but not which product is being talked about. I know "IGI" "survives" in the ISVG in many places and IBM even has an article in the documentation about it.
Renaming sAMAccountName might not be recommended, but AFAIK only because of applications like ISVG that integrate with AD the wrong way by binding to changeable attributes instead of using objectSid, which exists specifically for this purpose and IS the recommended way. AFAIK the only more stable attribute is objectGUID, but its purpose is a bit different.
My issue is not if it is recommended or even possible - I can do it manually in AGC through Manage -> Users -> select identity -> Accounts -> select AD account -> Action -> Edit -> modify Account ID - I just need to automate this manual process as ISVG can't do it out-of-the-box and I wasn't able to find any example in the documentation, SDK or on the net - if you know some example, can you send a link, please?
Thank you
MarS
------------------------------
Martin Šrajer
------------------------------
Original Message:
Sent: Wed September 28, 2022 02:23 AM
From: Franz Wolfhagen
Subject: Change sAMAccountName from ISVG
When you ask questions on ISVG please mention whether this is the Governance component (aka IGI) or the IM (aka ISIM).
It is POSSIBLE to do this with some scripting - it is nothing that is supported out of the box in the adapter (and I would not expect our adapter development accepting an RFE on this).
I did this many many years ago on ISIM in a combination of utilizing the ISIM account operational workflows and the pre/post exec of the adapter. I do not think that what I did can be utilized as a generic solution.
Here is my advice - find out what is needed to change the account name on AD (there are a LOT of articles on that on the net) - as long as you restrict this to AD only (not covering extensions like Exchange/Skype) then it is RELATIVELY simple. If you need it also to handle Exchange it gets really nasty...
When you have done this exercise you can then judge whether implementing this in ISVG is a good idea (my take is stay away from that - make this a manual exceptional process). One of the major considerations is really that an Identity ID should not change over time (best practice) - but we all know there are exceptions to this process in the real world. I would handle it outside and then adopt the account back in ISVG and push the responsibility of the process to the AD people...
------------------------------
Franz Wolfhagen
WW IAM Consulting Leader - Certified Consulting IT Specialist
IBM Security Expert Labs
Original Message:
Sent: Tue September 27, 2022 09:59 AM
From: Martin Šrajer
Subject: Change sAMAccountName from ISVG
Hello,
Does anybody know how to change the sAMAccountName attribute of an on-premise Active Directory account of a user, please? Ideally without losing its connection to its identity and entitlements in ISVG, of course.
Thank you
MarS
------------------------------
Martin Šrajer
------------------------------
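
Added example, not part of the thread and not ISVG or IBM code: the latest reply argues for correlating AD accounts on the immutable objectSid instead of the renameable sAMAccountName. This Python sketch decodes the binary objectSid and reconciles two constructed directory snapshots by SID, reporting renames and names reused by a different account; the snapshot layout, the domain SID values and all function names are assumptions.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid (as returned over LDAP) into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])   # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def make_sid(rid: int) -> bytes:
    """Constructed demo SID S-1-5-21-1111-2222-3333-<rid> (not a real domain)."""
    return (bytes([1, 5]) + (5).to_bytes(6, "big")
            + struct.pack("<5I", 21, 1111, 2222, 3333, rid))

def reconcile(before, after):
    """Compare two snapshots of (objectSid bytes, sAMAccountName) pairs by SID."""
    old = {sid_to_str(s): n for s, n in before}
    new = {sid_to_str(s): n for s, n in after}
    # Same SID, different name: a rename; the account link must survive.
    # sAMAccountName is case-insensitive, so compare lower-cased.
    renamed = {sid: (old[sid], new[sid]) for sid in old.keys() & new.keys()
               if old[sid].lower() != new[sid].lower()}
    # Same name, different SID: a different account; a name-keyed
    # integration would hand it the old account's entitlements.
    old_by_name = {n.lower(): sid for sid, n in old.items()}
    reused = {n.lower(): (old_by_name[n.lower()], sid) for sid, n in new.items()
              if n.lower() in old_by_name and old_by_name[n.lower()] != sid}
    return {"renamed": renamed, "name_reused": reused,
            "removed": sorted(old.keys() - new.keys()),
            "added": sorted(new.keys() - old.keys())}

# Constructed sample snapshots (before and after a rename plus a name reuse).
BEFORE = [(make_sid(1104), "jnovak"), (make_sid(1105), "asmith")]
AFTER = [(make_sid(1104), "jnovakova"), (make_sid(1106), "asmith")]

if __name__ == "__main__":
    for kind, items in reconcile(BEFORE, AFTER).items():
        print(kind, items)
```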