Some default CA IdentityMinder tasks include events (actions that CA IdentityMinder performs to complete a task) that determine provisioning role membership. For example, the default Modify User task includes the AssignProvisioningRoleEvent and the RevokeProvisioningRoleEvent. Assigning or revoking a provisioning role may add or remove an account on an endpoint. In some cases, the endpoint may require that all Add actions occur before Remove actions.
To make CA IdentityMinder process Add actions first, you enable the Accumulation of Provisioning Role Membership Events setting in the Management Console. When this setting is enabled, CA IdentityMinder accumulates all of the Add and Remove actions into a single event, called the AccumulatedProvisioningRolesEvent. For example, if the Modify User task assigns a user to three provisioning roles and removes that user from two other provisioning roles, an AccumulatedProvisioningRolesEvent is generated that contains five actions: 3 Add actions and 2 Remove actions.
When this event executes, all Add actions are combined into a single operation and sent to the Provisioning Server for processing. Once processing of the Add actions completes, CA IdentityMinder combines the Remove actions into a single operation and sends that operation to the Provisioning Server.
Enabling this setting affects the following CA IdentityMinder functionality:
When an administrator adds or removes a user from a provisioning role using the Provisioning Roles tab, CA IdentityMinder accumulates those actions into a single event.
All provisioning role membership events (AssignProvisioningRoleEvent or RevokeProvisioningRoleEvent) that are generated as a result of an Identity Policy evaluation are accumulated into a single AccumulatedProvisioningRolesEvent. CA IdentityMinder executes this event like any other secondary event. For example, consider an identity policy set that includes two identity policies: Policy A revokes membership in Provisioning Role A and Policy B makes users members of Provisioning Role B. If CA IdentityMinder determines that a user no longer satisfies Policy A, but now satisfies Policy B, an AccumulatedProvisioningRolesEvent that contains two actions (one for the Remove action and one for the Add action) is generated. The Add action is executed first and then the Remove action is executed.
To view the status of the AccumulatedProvisioningRolesEvent and the status for each of the individual actions, use the View Submitted Tasks task to view event details.
If one of the individual actions fails, the status of the event is failed, which moves the task to a failed state.
You can associate a workflow process with the AccumulatedProvisioningRolesEvent. In this case, an approver can approve or reject the entire event, which approves or rejects each of the individual events.
Additional configuration is required to enable workflow for individual events within the AccumulatedProvisioningRolesEvent.
CA IdentityMinder audits information about the AccumulatedProvisioningRolesEvent and each individual event.
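The accumulation behavior described above can be modeled in a few lines. This is an added conceptual example, not CA IdentityMinder code or its API: only the three event names come from the page, while the class layout, `send_operation` callback, role names, and user `jdoe` are hypothetical, and the model assumes Remove actions are still sent when an Add action fails.

```python
from dataclasses import dataclass, field

ADD, REMOVE = "Add", "Remove"
# Event names are from the page; everything else in this model is hypothetical.
KIND = {"AssignProvisioningRoleEvent": ADD, "RevokeProvisioningRoleEvent": REMOVE}

@dataclass
class Action:
    kind: str
    role: str
    status: str = "pending"

@dataclass
class AccumulatedProvisioningRolesEvent:
    user: str
    actions: list = field(default_factory=list)
    status: str = "pending"

def accumulate(user, membership_events):
    """Fold (event name, role) pairs, in submission order, into one event."""
    actions = [Action(KIND[name], role) for name, role in membership_events]
    return AccumulatedProvisioningRolesEvent(user, actions)

def execute(event, send_operation):
    """Send every Add as one operation, then every Remove as one operation.

    send_operation(kind, roles) stands in for the Provisioning Server and
    returns the roles that failed. Assumption: Removes are still sent when an
    Add fails; the page only says they follow once Add processing completes.
    """
    for kind in (ADD, REMOVE):
        batch = [a for a in event.actions if a.kind == kind]
        if not batch:
            continue
        failed = set(send_operation(kind, [a.role for a in batch]))
        for action in batch:
            action.status = "failed" if action.role in failed else "completed"
    # One failed action fails the whole event, as the page states.
    any_failed = any(a.status == "failed" for a in event.actions)
    event.status = "failed" if any_failed else "completed"
    return event

def run_sample(failing_roles=()):
    """Constructed input: three assigns and two revokes, interleaved."""
    names = ["Revoke", "Assign", "Assign", "Revoke", "Assign"]
    submitted = [(f"{n}ProvisioningRoleEvent", f"Role {r}") for n, r in zip(names, "ABCDE")]
    sent = []  # operations in the order the stand-in server receives them
    def server(kind, roles):
        sent.append((kind, roles))
        return [r for r in roles if r in failing_roles]
    return sent, execute(accumulate("jdoe", submitted), server)
```

Calling `run_sample()` shows the interleaved submissions reaching the stand-in server as two operations, Adds first; `run_sample(failing_roles=("Role D",))` shows a single failed action failing the whole event while the other four actions keep their own status.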
Copyright © 2013 CA.
All rights reserved.