Setting account synchronization for the application

Account sync operation is the process through which target account attributes and permissions are synchronized with Verify users and permissions. If provisioning is enabled and supported by the target, Account Sync settings can be configured. Use this task to configure how the target accounts are matched to Verify users and remediated.

Before you begin

Note: If you want to set up account synchronization for federated users, you must enable the unqualifiedUserName attribute for provisioning.
  1. Go to Directory > Attributes.
  2. Search for unqualifiedUserName and select the Edit icon. Scroll to Availability and select Provisioning.
  3. Select Save.
See Managing attributes. Use unqualifiedUserName instead of preferred_username for the attribute mapping.

You can use this process to enable any custom or pre-defined attributes for provisioning and add them to the attribute-mapping menu.

About this task

Adoption policy
When accounts are fetched from the target, those accounts need to be assigned to appropriate users in Verify as account owners. The adoption policy associates Verify users as owners of the target accounts. With the adoption policy, you can write a rule that determines which Verify users are assigned as owners of the target accounts.
As accounts are synchronized, they are evaluated according to the adoption policy.
  • Any accounts for which an owner is found in Verify are further evaluated based on the remediation policy and the attribute mapping.
  • Any accounts for which an owner cannot be found are marked as unmatched.
Remediation policy
When account attributes and permissions are synchronized between Verify and the target, any difference that is found is identified as non-compliant. Any account that does not have an owner is identified as unmatched. Use the remediation policy to configure the action that is taken for a non-compliant or an unmatched account. An administrator can use the policy to determine where the updates that are detected by an account sync are applied. Account remediation can be done manually, or it can be policy-driven, in which case it is triggered when the account sync operation runs.
Reverse attribute mapping

Reverse attribute mapping is used if the remediation policy is set to update Verify attributes and permissions with values that are available on the target in case of non-compliance. You can configure which target attributes are updated in the Verify user directory.

By default, no mappings are shown on the tab.

You can write a custom transformation rule to transform the values of target attributes and save them in Verify.

If supported for your application, you can configure a policy for the application for account sync.

Procedure

  1. Select Applications > Applications.
    • Select an existing application that supports account sync. Select the Settings icon and select settings.
  2. Select the Account sync tab.
  3. Set the adoption policy.
    Note: Advanced rule attributes are not supported for adoption policies.
    1. Select + Attribute pairs.
      At least one attribute must be mapped between Verify and the target for successfully adopting the accounts. If no mapping attribute is specified with the adoption policy, then all the accounts that are fetched from target are shown as unmatched.
    2. Select one or more target attributes and assign a corresponding Verify attribute to each attribute.
    3. Select Add attribute pairs.
      You can change or map more attributes by selecting + Attribute pairs.
    Note: If you later change the adoption policy, an account synchronization is automatically started when you click Save.

    This account synchronization performs the following actions:

    • Reassesses all accounts to assign matching Verify users as account owner.
    • Remediates the matched accounts according to the remediation policy that is configured.
    • Any accounts that are provisioned to the target from Verify or manually adopted to Verify users are remediated and not assigned to new owners.
    The reconciliation reassesses all the accounts for unmatched and non-compliant accounts according to the new adoption policy. You cannot make changes to the account lifecycle or account synchronization configuration while the account synchronization is running. If you want to change those configurations, you must first stop the account synchronization process. See Starting and stopping account sync.
  4. Set the remediation policy.
    1. Select one of the following options for remediating non-compliant accounts.
      Do not remediate non-compliant accounts automatically.
      This option indicates that non-compliant accounts are not acted on after an account sync operation. The administrator can evaluate the non-compliant accounts from the application's Accounts view and manually select the remediation action to remediate the accounts. You can also use this remediation policy to manually assign ownership to unmatched accounts on an individual basis.
      Update IBM Security Verify with the target application's values.
      This option indicates that after an account sync, if conflicting account attribute values between the target and Verify exist, account attribute values from target overwrite the Verify values as specified in the reverse attribute map.
      Update the target application with IBM Security Verify values.
      If you want the ability to remediate individual unmatched accounts by manually adding an owner for the account, select this option. This option indicates that after an account sync, if conflicting account attribute values between the target and Verify exist, the account attribute values from Verify overwrite the target values.
    2. If you update the policy from Do not remediate non-compliant accounts automatically to one of the policy-driven options that automatically remediate on Verify or on the target application, the Apply new policy pop-up window is displayed.
    3. Select Now to apply the new remediation policy to the current non-compliant accounts, or select Later to apply the policy the next time that you run account sync.
      Note: If you update both the adoption and remediation policies at the same time, the option to apply new policy is not shown because it is automatically handled in the account synchronization.
  5. Set reverse attribute mapping.
    In reverse attribute mapping, assign a corresponding target application user attribute for each of the Verify attributes. Map the attributes based on the application requirements. Reverse attribute mapping controls how Verify consumes the user attributes from the application. The attributes are populated with whatever values are held by the mapped target application user attributes.
    Reverse attribute mapping occurs when an account sync operation is performed.
    Note: If remediation is set to Update IBM Security Verify with the target application's values, at least one reverse mapping needs to exist to synchronize the account on Verify.
    1. Select the target attribute from the attribute menu.
    2. Optional: Select a transform for the value.
      You can choose to transform the value with any of the built-in transformations that are provided in the Transformation menu. The default setting is None, which means that the value is passed unchanged. With scripting support, you can create a custom transform to transform the target application attribute value and set it to the Verify attribute. See Creating a custom rule for reverse attribute mapping.
    3. Specify the Verify attribute from the menu.
    Note:
    • After a custom rule is specified for attribute mapping, a built-in transformation cannot be applied to it.
    • In reverse attribute mapping, you cannot map duplicate target attributes.
    • These attribute-reverse mappings are used for account remediation on Verify.
  6. Select Save.
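The following added example models the account-sync evaluation that the adoption policy, remediation policy and reverse attribute mapping steps above describe. It is not IBM Security Verify code: the users, target accounts, attribute names and policy constants are constructed to show how accounts become matched, unmatched or non-compliant and how each remediation option resolves a conflict.

```python
# Added model of the account-sync flow this page describes (adoption policy, non-compliance,
# remediation policy, reverse attribute mapping). Not IBM Security Verify code; all data is constructed.
import copy
NO_REMEDIATION, UPDATE_VERIFY, UPDATE_TARGET = "none", "update_verify", "update_target"
VERIFY_USERS = [  # constructed Verify users
    {"id": "u1", "unqualifiedUserName": "alice", "email": "alice@example.com", "department": "SALES"},
    {"id": "u2", "unqualifiedUserName": "bob", "email": "bob@example.com", "department": "IT"},
]
TARGET_ACCOUNTS = [  # constructed accounts fetched from the target application
    {"uid": "alice", "mail": "alice@example.com", "dept": "sales"},
    {"uid": "bob", "mail": "robert@example.com", "dept": "it"},
    {"uid": "svc-backup", "mail": "", "dept": "ops"},
]
ADOPTION_PAIRS = {"uid": "unqualifiedUserName"}  # target attr -> Verify attr; every pair must match
REVERSE_MAP = [("mail", None, "email"), ("dept", str.upper, "department")]  # (target, transform, Verify)

def adopt(accounts, users, pairs):
    """Assign owners per the adoption policy; returns (matched, unmatched)."""
    matched, unmatched = [], []
    for acct in accounts:
        owners = [u for u in users if pairs and all(acct.get(t) == u.get(v) for t, v in pairs.items())]
        if owners:
            matched.append((acct, owners[0]))
        else:  # no owner found, or no attribute pairs configured at all
            unmatched.append(acct)
    return matched, unmatched

def remediate(matched, reverse_map, policy):
    """Flag non-compliant accounts and apply the remediation policy; returns their count."""
    noncompliant = 0
    for acct, user in matched:
        diffs = []  # (verify_attr, target_attr, verify_value, transformed target value)
        for target_attr, transform, verify_attr in reverse_map:
            value = acct.get(target_attr)
            value = transform(value) if transform and value is not None else value
            if user.get(verify_attr) != value:
                diffs.append((verify_attr, target_attr, user.get(verify_attr), value))
        noncompliant += bool(diffs)
        for verify_attr, target_attr, verify_value, target_value in diffs:
            if policy == UPDATE_VERIFY:    # target wins, written through the reverse map
                user[verify_attr] = target_value
            elif policy == UPDATE_TARGET:  # Verify wins (simplified: value copied back as-is)
                acct[target_attr] = verify_value
    return noncompliant

def run_sync(policy, accounts=TARGET_ACCOUNTS, users=VERIFY_USERS):
    """One account-sync pass on copies of the data; returns a summary dict."""
    accounts, users = copy.deepcopy(accounts), copy.deepcopy(users)
    matched, unmatched = adopt(accounts, users, ADOPTION_PAIRS)
    return {"noncompliant": remediate(matched, REVERSE_MAP, policy),
            "unmatched": [a["uid"] for a in unmatched], "users": users, "accounts": accounts}
```

With these inputs the service account has no owner and is reported as unmatched, while bob's account is non-compliant on the mail attribute and is resolved in the direction the chosen policy dictates; a second pass after a policy-driven run reports no non-compliant accounts.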

What to do next

To run an account synchronization, see Starting and stopping account sync.