on 09-20-2016 5:31 PM
Hello Experts,
We are currently looking at integrating an application using AD groups for access rights into our IDM and GRC workflow.
We have the groups loaded both in IDM and GRC and available for access requests.
However, when trying to send a request from IDM to GRC using the standard connector, we are faced with an issue with the group names.
The VDS component is using the "=" character as separator for attribute names. Despite having backslashes in the names in IDM, the VDS is still splitting at the "=" character when sending an access request.
We have been thinking of changing the naming scheme of the groups to remove the equals instead, but before doing this, we need to know if it may cause any other issue. As the groups have an "ACCOUNTAD" used for mapping in IDM, we are not worried about this, but we may be missing something.
Does anyone know of any possible workaround we may not know, or an issue with replacing the "=" characters in the AD group MSKEYVALUE?
Regards,
Julien Garagnon
Hi Julien,
I guess it would be best not to use the DN but the objectGUID or the common name (only if they are unique though) of the group as roleid.
The only way of "escaping" the = could be:
Replacing it with some other character or even two characters like $$ in the pass which calls the VDS. Inside the VDS do a post processing and replace the characters back. If that's even possible, I only did that on normal attributes though.
Or try loading the groups without the = into GRC so you could simply replace the = in the IdM pass.
Best regards
Dominik
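The replace-and-restore workaround suggested above, as an added example that is not part of the original thread and not SAP code. It goes slightly beyond a plain "$$" substitution by using "$" as an escape character, so group names that already contain "$" still restore exactly. The function names, the simplified splitter and the sample DNs are assumptions constructed for illustration.

```javascript
// Added example; function names are hypothetical, not SAP IdM or VDS APIs.
// "$" is the escape character: "$" -> "$24", "=" -> "$3D" (ASCII code in hex).
// Escaping "$" as well keeps the mapping reversible when a group name
// already contains "$" or the literal text "$3D".
function escapeForVds(value) {
  return String(value).replace(/[$=]/g, function (ch) {
    return "$" + ch.charCodeAt(0).toString(16).toUpperCase();
  });
}

// Reverse step for the post-processing side.
function unescapeFromVds(value) {
  return String(value).replace(/\$(24|3D)/g, function (match, hex) {
    return String.fromCharCode(parseInt(hex, 16));
  });
}

// Simplified stand-in for a consumer that splits "name=value" at every "=".
function naiveSplit(pair) {
  return pair.split("=");
}

// Constructed sample values.
var sampleDns = [
  "CN=App_Users,OU=Groups,DC=example,DC=com",
  "CN=Cost$$Center=42,OU=Groups,DC=example,DC=com",
  "CN=Literal$3DName,OU=Groups,DC=example,DC=com"
];

// Send an escaped DN through the splitter and restore it afterwards.
function roundTrip(dn) {
  var parts = naiveSplit("roleid=" + escapeForVds(dn));
  return { pieces: parts.length, restored: unescapeFromVds(parts[1]) };
}

sampleDns.forEach(function (dn) {
  var raw = naiveSplit("roleid=" + dn).length;
  var safe = roundTrip(dn);
  console.log(dn, "| raw pieces:", raw, "| escaped pieces:", safe.pieces,
              "| restored intact:", safe.restored === dn);
});
```

The same two functions can also serve the second suggestion: if the groups are loaded into GRC in escaped form, only `escapeForVds` is needed on the IdM side.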