Global Security Forum

  • 1.  Swapping roles with same service in ISIM not possible?

    Posted Tue May 02, 2023 04:56 AM

     We are using Security Identity Manager V7.0.2 for provisioning services based on roles to users. The issue we are having is when we have 2 roles with the same service but different parameters. For example, we have 2 roles:
    - Role A provisioning an AD account with specific AD groups to an AD server,
    - Role B provisioning an AD account but with different AD groups to the same AD server.
    If a user has Role A and we change it to Role B, then submit the change, the AD groups don't get changed. But if we remove Role A, submit, then add Role B and submit, everything works fine. Could it be an issue with the AD configuration of the agent on the AD server, or a limitation of ISIM?
    Thanks!
    Gilles



    ------------------------------
    Gilles Mahout
    Pirean
    Fareham
    ------------------------------


  • 2.  RE: Swapping roles with same service in ISIM not possible?

    Posted Wed May 03, 2023 03:02 AM

    Hi Gilles, it sounds like the join directive, which sets the precedence of the policies when there is more than one provisioning different values for the same attribute.

    Although by default for multivalued attributes, like groups, the join directive is set to union (both sets of groups will be provisioned), it seems to be working as priority (the highest-priority policy, the one with the lower value, has precedence; in your case, the policy linked to role B).

    I hope it helps



    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------
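To make the join-directive behaviour Felipe describes concrete, here is a small added model (not ISIM code, and not from any poster) of how the 'groups' attribute is combined across the provisioning policies a user is entitled to. The policy names, priority numbers, role names and group DNs are constructed for the example; in ISIM the lower priority number is the higher precedence.

```python
# Added example (not ISIM code): a model of how a multivalued attribute
# such as AD group membership is combined across provisioning policies
# under the 'union' and 'priority' join directives. Policy names,
# priority numbers, role names and group DNs below are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class Policy:
    """One provisioning policy entitling an account on the same AD service."""
    name: str
    priority: int               # ISIM convention: lower number = higher precedence
    roles: FrozenSet[str]       # roles whose members the policy applies to
    groups: FrozenSet[str]      # value the policy sets for the 'groups' attribute


# Constructed sample: Role A and Role B both entitle an account on the same
# AD service but assign different groups, with Policy B taking precedence.
GROUPS_A = frozenset({
    "CN=App-Users,OU=Groups,DC=example,DC=com",
    "CN=VPN-Users,OU=Groups,DC=example,DC=com",
})
GROUPS_B = frozenset({
    "CN=App-Admins,OU=Groups,DC=example,DC=com",
})
POLICIES = (
    Policy("Policy A (Role A)", priority=10, roles=frozenset({"Role A"}), groups=GROUPS_A),
    Policy("Policy B (Role B)", priority=5, roles=frozenset({"Role B"}), groups=GROUPS_B),
)


def applicable_policies(policies: Iterable[Policy], user_roles: Iterable[str]) -> List[Policy]:
    """Policies whose role membership matches at least one role the user holds."""
    held = frozenset(user_roles)
    return [p for p in policies if p.roles & held]


def join_groups(policies: Iterable[Policy], user_roles: Iterable[str], directive: str) -> FrozenSet[str]:
    """Combine each applicable policy's 'groups' value through the join directive.

    'union'    : every value from every applicable policy is provisioned.
    'priority' : only the values from the applicable policy with the lowest
                 priority number (highest precedence) are provisioned.
    """
    hits = applicable_policies(policies, user_roles)
    if not hits:
        return frozenset()          # no entitlement, so no groups to provision
    if directive == "union":
        return frozenset().union(*(p.groups for p in hits))
    if directive == "priority":
        return min(hits, key=lambda p: p.priority).groups
    raise ValueError(f"unsupported join directive: {directive!r}")


def role_swap(policies: Iterable[Policy], before: Iterable[str], after: Iterable[str],
              directive: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Target 'groups' value before and after a role change under one directive."""
    policies = tuple(policies)
    return join_groups(policies, before, directive), join_groups(policies, after, directive)


if __name__ == "__main__":
    for directive in ("union", "priority"):
        old, new = role_swap(POLICIES, {"Role A"}, {"Role B"}, directive)
        print(f"{directive:8} A -> B : {sorted(old)} -> {sorted(new)}")
        both = join_groups(POLICIES, {"Role A", "Role B"}, directive)
        print(f"{directive:8} A and B: {sorted(both)}")
```

In this model the directive only matters while both policies are applicable at once: holding Role A and Role B together yields all three groups under union but only Policy B's group under priority, whereas once the user holds only Role B both directives produce Policy B's groups. That is why checking which join directive is configured for the groups attribute on the service, and the relative priorities of the two policies, is the first thing to verify for the behaviour Gilles reports.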



  • 3.  RE: Swapping roles with same service in ISIM not possible?

    Posted Wed May 03, 2023 12:46 PM

    Hi Gilles, modifying role assignments from A to B should alter the AD group memberships, but there are various configuration options that can affect that, including (as per Felipe's response) join directives, overall provisioning policies (including priorities and scripts), and service enforcement (correct, suspend, or mark). Can you give a "simplified" configuration for your scenario? My suggestion is that you open a support ticket so that you can get help troubleshooting.



    ------------------------------
    Corey Williams
    ------------------------------



  • 4.  RE: Swapping roles with same service in ISIM not possible?

    Posted Wed May 03, 2023 12:46 PM

    Hi Gilles,

    The scenario should work as you expect, but (as Felipe posted) several configuration options, including join directives, provisioning policy priorities, membership types, entitlement settings, and service enforcement settings, could affect the result. I suggested opening a support case to get help troubleshooting his configuration.

    Regards,



    ------------------------------
    Corey Williams
    ------------------------------