Unstructured target aggregation basics


Introduction

The following steps detail the IIQ feature to aggregate "unstructured" targets on an application. The feature requires the IQService executable running on a server (preferably a domain server) with access to the (directory or share) targets.

1) Configure target aggregation on an AD application

The "objectSid" attribute must appear in both account and group schemas, with "Correlation Key" enabled, for the target aggregation to correlate properly.

Active Directory applications display the "Unstructured Targets" tab.

This tab configures the targets to process for links to accounts and groups.

The first part holds the settings required for the connection to IQService:

a) IQService Host

b) IQService Port

c) Number of targets per block: block size in targets (files)

The second part defines the targets. Each target requires the following:

a) Path: UNC-style path to a share or local directory

b) WildCard: which files within the share or directory to include

c) Directory Depth: how deep the collector should traverse

d) Administrator: admin who has access to this share. This value can be the user's principal name (user@xyz.com) or the fully qualified domain user name in domain\\user format.

e) Password: credentials for the Administrator value

Note: running IQService as System or any user with access makes the Administrator/Password fields optional.

The last part specifies the rules to correlate and to transform the targets.

a) Correlation Rule: runs on each target's users/groups to correlate them to an IIQ identity or account group

The Windows implementation correlates based on the "objectSid" attribute. This rule runs with the following args:

target: target returned, containing native account/group ids with normalized rights

application: application where the targetSource is defined

targetSource: configuration data

context: SailPointContext for object lookups

isGroup: true if the id is a group id, otherwise it is an account id

nativeId: native id of a group or account

b) Creation Rule: runs before storing the target info

This rule can massage the target: it modifies the target directly, returns nothing, and runs with the following args:

target: target returned, containing native account/group ids with normalized rights

application: application where the targetSource is defined

targetSource: configuration data

context: SailPointContext for object lookups

 

2) cfg/run "Account Aggregation" task

3) cfg/run "Account Group Aggregation" task

These provide the accounts/groups to which the targets' access lists are correlated.

4) cfg/run "Target Aggregation" task on the application

This task scans the shares, returns any files/directories, and correlates them to identities and account groups.

Note: the "iiq console" tool offers a command to test target aggregation, "connectorDebug <App> iterate unstructured", similar to "account" and "group".

5) Run Identity Refresh with "Refresh assigned and detected roles" enabled

This promotes "targetPermissions" settings to the entitlement tab.

Comments

Hi,

For unstructured targets, is it a read-only (aggregation) functionality? Will deprovisioning happen in the following scenarios:

  • User clicks on the remove "cross" from their current access
  • Certifier decides to revoke the access during certification

Is it able to auto-deprovision the unstructured access, or will a manual "changes requested" work order be generated and routed to the application owner?

Regards,

Weizhe

Version history: Revision 3 of 3, last update Aug 01, 2023 08:23 PM