IBM Security Verify

With SVG supporting the concepts of applications and account configurations, I'm looking into a way to configure business applications that share a directory (=account configuration).
The goal is to be able to create IT/Applications roles at the level of a (business) application that will hold a selection of entitlements out of the shared directory. Those IT/Application roles should then be requestable by end users via self service portal.

I configured an enterprise connector to a (shared) LDAP directory. This automatically creates an account configuration and application, both with the name given to the connector ("LDAPDemo" in my case). Next I created a new application BusinessApp1 and configured the LDAPDemo account configuration as the account to be used and same for Event Marker.

When enabling the enterprise connector + change log, I see the entitlements of the LDAP are read, but I do get an error "OBJECT_NOT_UNIQUE -Application-" in the TARGET inboud - Access events. I think this indicates that SVG is not able to connect the entitlement to the correct application (either LDAPDemo or BusinessApp1).

I think you can use a (pre)mapping rule in the connector to map entitlements to the correct business application, but with a large directory (and lack of standardization/naming convention) this becomes maintenance intensive.

Does anyone has experience with this scenario and a (simple) way to solve it ?

------------------------------
Kees de Jager
------------------------------

I believe you are correct in the assumption that you need to perform the mapping using rules. But as I am not yet fully expert level on ISVG GI (aka IGI) I am not fully sure - but I think I have heard this from customers.
Could you raise a case and have the use case verified ? 

HTH

------------------------------
Franz Wolfhagen
WW IAM Solution Engineer - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------

Original Message:
Sent: Wed May 17, 2023 08:47 AM
From: Kees de Jager
Subject: ISVG (v10) How to configure business applications using a shared directory

With SVG supporting the concepts of applications and account configurations, I'm looking into a way to configure business applications that share a directory (=account configuration).
The goal is to be able to create IT/Applications roles at the level of a (business) application that will hold a selection of entitlements out of the shared directory. Those IT/Application roles should then be requestable by end users via self service portal.

I configured an enterprise connector to a (shared) LDAP directory. This automatically creates an account configuration and application, both with the name given to the connector ("LDAPDemo" in my case). Next I created a new application BusinessApp1 and configured the LDAPDemo account configuration as the account to be used and same for Event Marker.

When enabling the enterprise connector + change log, I see the entitlements of the LDAP are read, but I do get an error "OBJECT_NOT_UNIQUE -Application-" in the TARGET inboud - Access events. I think this indicates that SVG is not able to connect the entitlement to the correct application (either LDAPDemo or BusinessApp1).

I think you can use a (pre)mapping rule in the connector to map entitlements to the correct business application, but with a large directory (and lack of standardization/naming convention) this becomes maintenance intensive.

Does anyone has experience with this scenario and a (simple) way to solve it ?

------------------------------
Kees de Jager
------------------------------