Account sync operation is the process through which target account attributes and
permissions are synchronized with Verify users and permissions. If
provisioning is enabled and supported by the target, Account Sync settings can be configured. Use
this task to configure how the target accounts are matched to Verify users and
remediated.
Before you begin
Note: If you want to set up account synchronization for federated users, you must
enable the
unqualifiedUserName
attribute for provisioning.
- Go to .
- Search for
unqualifiedUserName
and select the Edit icon.
Scroll to Availability and select Provisioning.
- Select Save.
See Managing attributes. Use unqualifiedUserName instead of preferred_username for the
attribute mapping.
You can use this process to enable any custom or pre-defined attributes for
provisioning and add them to the attribute-mapping menu.
About this task
- Adoption policy
- When accounts are fetched from the target, those accounts need to be assigned to the appropriate
users in Verify as account owners. The adoption policy associates Verify users as owners of the
target accounts: it is a rule, built from attribute pairs, that determines which Verify user is
assigned as owner of each target account.
As accounts are synchronized, the fetched accounts are evaluated against the adoption policy.
- Any account for which an owner is found in Verify is further evaluated
based on the remediation policy and the attribute mapping.
- Any account for which an owner cannot be found is marked as unmatched.
- Remediation policy
- When account attributes and permissions are synchronized between Verify and the target, any
difference that is found identifies the account as non-compliant. Any account that
does not have an owner is identified as unmatched. Use the remediation policy to configure the
action that is to be taken for a non-compliant or an unmatched account. An
administrator uses the policy to decide in which direction (to Verify or to the target) the
differences that an account sync detects are synchronized. Account remediation can either be done
manually or can be policy-driven, in which case it is triggered when the account sync operation runs.
- Reverse attribute mapping
-
Reverse attribute mapping is used if the remediation policy is set to update Verify attributes and
permissions with values that are available on the target in case of non-compliance. You can
configure which target attributes are updated in the Verify user directory.
By default, no mappings are shown on the tab.
You can write a custom transformation rule to transform the values of target attributes and save
them in Verify.
If supported for your application, you can configure a policy for the application for account
sync.
Procedure
-
Select .
- Select an existing application that supports account sync. Select the
icon and select settings.
-
Select the Account sync tab.
- Set the adoption policy.
Note: Advanced rule attributes are not supported for adoption policies.
-
Select + Attribute pairs.
At least one attribute pair must be mapped between Verify and the target for accounts to be
adopted. If the adoption policy has no attribute pairs, every account that is fetched from the
target is shown as unmatched.
- Select one or more target attributes and assign a corresponding Verify attribute to each
attribute.
-
Select Add attribute pairs.
You can change or map more attributes by selecting + Attribute
pairs.
Note: If you later change the adoption policy, an account synchronization is automatically started
when you click
Save.
This account synchronization performs the following
actions:
- Reassesses all accounts to assign matching Verify users as account
owner.
- Remediates the matched accounts according to the remediation policy that is configured.
- Any accounts that are provisioned to the target from Verify or manually adopted to
Verify users are remediated
and not assigned to new owners.
The reconciliation reassesses all the accounts for unmatched and non-compliant accounts
according to the new adoption policy. You cannot make changes to the account lifecycle or account
synchronization configuration while the account synchronization is running. If you want to change
those configurations, you must first stop the account synchronization process. See
Starting and stopping account sync.
- Set the remediation policy.
- Select one of the following options for remediating non-compliant accounts.
- Do not remediate non-compliant accounts automatically.
- This option indicates that non-compliant accounts are not acted on after an account sync
operation. The administrator can evaluate the non-compliant accounts from the application's
Accounts view and manually select the remediation action to remediate the
accounts. You can also use this remediation policy to manually assign ownership to
unmatched accounts on an individual basis.
- Update IBM Security Verify with the target
application's values.
- This option indicates that after an account sync, if conflicting account attribute values
between the target and Verify exist, account attribute values from target overwrite the Verify values as specified in
the reverse attribute map.
- Update the target application with IBM Security Verify values.
- If you want the ability to remediate individual unmatched accounts by
manually adding an owner for the account, select this option. This option indicates that after
an account sync, if conflicting account attribute values between the target and Verify exist, the account
attribute values from Verify overwrite the target values.
- If you update the policy from Do not remediate non-compliant accounts
automatically to one of the policy-driven options that automatically remediate on
Verify or on the target application, the Apply new policy pop-up window is displayed.
- Select Now to apply the new remediation policy to the current non-compliant accounts, or
select Later to apply the policy the next time that account sync runs.
Note: If you update both the adoption and remediation policies at the same time, the option to apply
new policy is not shown because it is automatically handled in the account synchronization.
-
Set reverse attribute mapping.
In reverse attribute mapping, assign a corresponding target application user attribute for
each of the
Verify
attributes. Map the attributes based on the application requirements. Reverse attribute mapping
controls how
Verify consumes
the user attributes from the application. The attributes are populated with whatever values are held
by the mapped target application user attributes.
Reverse attribute mapping occurs when an
account sync operation is performed.
Note: If remediation is set to Update IBM Security
Verify with the target application's values, at least one reverse mapping needs to
exist to synchronize the account on Verify.
- Select the target attribute from the attribute menu.
- Optional: Select a transform for the
value.
You can choose to transform the value with any of the built-in transformations
that are provided in the
Transformation menu. The default setting is
None
, which means that the value is passed unchanged. With scripting support, you
can create a custom transform to transform the target application attribute value and set it to the
Verify attribute. See
Creating a custom rule for reverse attribute mapping.
- Specify the Verify attribute from the
menu.
Note:
- After a custom rule is specified for attribute mapping, a built-in transformation cannot be
applied to it.
- In reverse attribute mapping, you cannot map duplicate target attributes.
- These reverse attribute mappings are used for account remediation on Verify.
-
Select Save.
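The following is an added example, written for this page and not IBM Security Verify code, that models one account sync run as described in About this task and in the procedure above: adoption by attribute pairs (with the warning that an empty policy leaves every fetched account unmatched), the three remediation options, and reverse attribute mapping with a transform. The class and function names, the attribute names (userName, phone, mail on the target; unqualifiedUserName, mobile, email in Verify), the sample users and accounts, and the Lowercase and Uppercase transforms are all assumptions; the page names only the None transform.

```python
"""Toy model of one account-sync run: adoption policy, remediation policy and
reverse attribute mapping. Illustrative code written for this page, not IBM
Security Verify code; every name, data structure and transform here is assumed."""
from dataclasses import dataclass
from typing import Optional

# Remediation policy options, as named on the Account sync tab.
NO_REMEDIATION = "none"          # Do not remediate non-compliant accounts automatically
UPDATE_VERIFY = "update_verify"  # Update Verify with the target application's values
UPDATE_TARGET = "update_target"  # Update the target application with Verify values

# Assumed built-in transforms; the page names only "None" (value passed unchanged).
TRANSFORMS = {"None": lambda v: v, "Lowercase": str.lower, "Uppercase": str.upper}


@dataclass
class Account:
    account_id: str
    attrs: dict
    owner: Optional[str] = None  # Verify user id once adopted
    fixed_owner: bool = False    # provisioned from Verify or manually adopted: never reassigned


@dataclass
class VerifyUser:
    user_id: str
    attrs: dict


def adopt(accounts, users, attribute_pairs):
    """Adoption policy: an account is owned by the first Verify user for which every
    (target_attr, verify_attr) pair agrees. With no pairs nothing can match, so every
    fetched account is unmatched. Fixed owners are remediated but never reassigned."""
    matched, unmatched = [], []
    for acct in accounts:
        if not acct.fixed_owner:
            acct.owner = None
            if attribute_pairs:  # all() over an empty pair list would be True
                for user in users:
                    if all(acct.attrs.get(t) == user.attrs.get(v) for t, v in attribute_pairs):
                        acct.owner = user.user_id
                        break
        (matched if acct.owner else unmatched).append(acct)
    return matched, unmatched


def check_reverse_mapping(reverse_map, policy):
    """Configuration errors the page describes: a target attribute mapped twice, or an
    empty mapping while the policy updates Verify from the target."""
    errors = []
    targets = [t for t, _, _ in reverse_map]
    if len(targets) != len(set(targets)):
        errors.append("duplicate target attribute in reverse attribute mapping")
    if policy == UPDATE_VERIFY and not reverse_map:
        errors.append("Update Verify policy requires at least one reverse mapping")
    return errors


def remediate(matched, users, policy, reverse_map):
    """Compare each owned account with its Verify user through the reverse map entries
    (target_attr, transform_name, verify_attr). Any difference marks the account
    non-compliant; the policy decides which side is written. Writing back to the target
    uses the raw Verify value (assumption: transforms apply only towards Verify)."""
    errors = check_reverse_mapping(reverse_map, policy)
    if errors:
        raise ValueError("; ".join(errors))
    by_id = {u.user_id: u for u in users}
    non_compliant, actions = [], []
    for acct in matched:
        user = by_id[acct.owner]
        for t_attr, transform, v_attr in reverse_map:
            target_value = TRANSFORMS[transform](acct.attrs.get(t_attr, ""))
            verify_value = user.attrs.get(v_attr)
            if target_value == verify_value:
                continue
            if acct.account_id not in non_compliant:
                non_compliant.append(acct.account_id)
            if policy == UPDATE_VERIFY:
                user.attrs[v_attr] = target_value
                actions.append(("verify", user.user_id, v_attr, target_value))
            elif policy == UPDATE_TARGET:
                acct.attrs[t_attr] = verify_value
                actions.append(("target", acct.account_id, t_attr, verify_value))
    return non_compliant, actions


def run_sync(policy):
    """One sync over constructed sample data (not taken from any real tenant)."""
    users = [VerifyUser("u1", {"unqualifiedUserName": "alice", "mobile": "+15550100", "email": "alice@example.com"}),
             VerifyUser("u2", {"unqualifiedUserName": "bob", "mobile": "+15550101", "email": "bob@example.com"})]
    accounts = [Account("a1", {"userName": "alice", "phone": "+15550199", "mail": "Alice@Example.com"}),
                Account("a2", {"userName": "bob", "phone": "+15550101", "mail": "bob@example.com"}),
                Account("a3", {"userName": "svc-backup", "phone": "", "mail": ""}),
                # bob's second account, manually adopted earlier: keeps u2 although no pair matches
                Account("a4", {"userName": "bob-admin", "phone": "+15550101", "mail": "Bob@Example.com"},
                        owner="u2", fixed_owner=True)]
    pairs = [("userName", "unqualifiedUserName")]  # adoption policy attribute pairs
    reverse_map = [("phone", "None", "mobile"), ("mail", "Lowercase", "email")]
    matched, unmatched = adopt(accounts, users, pairs)
    non_compliant, actions = remediate(matched, users, policy, reverse_map)
    return {"owners": {a.account_id: a.owner for a in accounts},
            "unmatched": [a.account_id for a in unmatched],
            "non_compliant": non_compliant, "actions": actions}
```

Running run_sync with each policy shows the three behaviours side by side: a3 is unmatched under every policy because no Verify user shares its userName; a1 is non-compliant because its phone differs from the owner's mobile, and only the two policy-driven options produce a write (to u1 under Update Verify, to a1 under Update the target); a1's differently cased mail is compliant because the Lowercase transform is applied before the comparison.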
What to do next
To run an account synchronization, see Starting and stopping account sync.