Account Discovery Task
Definition
The Memority synchronization service discovers accounts and provides mechanisms to act on them depending on their status: synchronizing the remote account with the corresponding IDM object, ignoring some accounts, deleting them, assigning missing role(s) to identities, or taking custom actions. These capabilities are provided through application configuration and a reporting widget that lets you visualize the account collection and perform these actions.
An “Account Discovery Task” searches accounts on a remote application, such as an LDAP directory, and reports the status of each account discovered on the application:
“linked” accounts already bound to an IM object, such as an Identity, because they were provisioned by Memority
“unlinked” accounts whose attributes match those of an IM object (same email for example), but no provisioning link exists between them yet because they were not provisioned by Memority. Should the application’s role be given to the IM object, the provisioning would be triggered and the account would become “linked” with the IM object (see above “linked” status)
“orphan” accounts that do not have an IM counterpart, i.e. their attributes do not match any IM object’s.
For each “linked” and “unlinked” account, the list of attributes not synced with their IM counterpart is also reported.
“Unlinked” and “orphan” accounts were probably created manually by a local administrator of the application, without Memority being aware of them.
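The classification described above, as an added example that is not Memority code: each remote account is checked first for a provisioning link, then for an attribute match, and the attributes that differ from the IM counterpart are listed. The attribute names, the sample data and the pairing of statuses (LINKED, UNLINKED, UNMATCHED with SYNCED, OUT_OF_SYNC, ORPHANED, the values used in the widget configuration on this page) are assumptions of the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Hypothetical attribute names; a real deployment defines its own correlation rule.
COMPARED = ("email", "displayName", "department")
CORRELATION_ATTR = "email"

# Constructed sample data: IM identities, provisioning links, remote accounts.
IDENTITIES = {
    "id-001": {"email": "alice@example.com", "displayName": "Alice Martin", "department": "Finance"},
    "id-002": {"email": "bob@example.com", "displayName": "Bob Durand", "department": "IT"},
    "id-003": {"email": "carol@example.com", "displayName": "Carol Petit", "department": "HR"},
}
PROVISIONING_LINKS = {"amartin": "id-001", "bdurand": "id-002"}  # remote uid -> identity id
REMOTE_ACCOUNTS = [
    {"uid": "amartin", "email": "alice@example.com", "displayName": "Alice Martin", "department": "Finance"},
    {"uid": "bdurand", "email": "bob@example.com", "displayName": "Bob Durand", "department": "Sales"},
    {"uid": "cpetit", "email": "Carol@Example.com", "displayName": "C. Petit", "department": "HR"},
    {"uid": "svc-backup", "email": "backup@example.com", "displayName": "Backup service", "department": ""},
]


def norm(attr, value):
    """Normalise a value before comparison; e-mail addresses compare case-insensitively."""
    text = (value or "").strip()
    return text.casefold() if attr == "email" else text


@dataclass
class Finding:
    account: str
    sync_situation: str          # LINKED / UNLINKED / UNMATCHED
    account_status: str          # SYNCED / OUT_OF_SYNC / ORPHANED
    identity_id: Optional[str]
    unsynced: list               # attributes that differ from the IM counterpart


def build_index(identities):
    """Map each non-blank correlation value to the identities that carry it."""
    index = {}
    for ident_id, attrs in identities.items():
        key = norm(CORRELATION_ATTR, attrs.get(CORRELATION_ATTR))
        if key:  # a blank value must never correlate two objects
            index.setdefault(key, []).append(ident_id)
    return index


def discover(accounts, identities, links, id_attr="uid"):
    """Report the situation of every remote account; nothing is modified."""
    index = build_index(identities)
    findings = []
    for acc in accounts:
        name = acc[id_attr]
        ident_id = links.get(name)
        if ident_id in identities:
            situation = "LINKED"
        else:
            # No usable provisioning link: fall back to attribute correlation.
            key = norm(CORRELATION_ATTR, acc.get(CORRELATION_ATTR))
            candidates = index.get(key, [])
            # Choice made by this example: an ambiguous match is not a match.
            ident_id = candidates[0] if len(candidates) == 1 else None
            situation = "UNLINKED" if ident_id else "UNMATCHED"
        if ident_id is None:
            findings.append(Finding(name, situation, "ORPHANED", None, []))
            continue
        ident = identities[ident_id]
        unsynced = [a for a in COMPARED if norm(a, acc.get(a)) != norm(a, ident.get(a))]
        status = "OUT_OF_SYNC" if unsynced else "SYNCED"
        findings.append(Finding(name, situation, status, ident_id, unsynced))
    return findings


def counters(findings):
    """Count accounts per (situation, status) pair, as the counter widgets do."""
    return dict(Counter((f.sync_situation, f.account_status) for f in findings))


if __name__ == "__main__":
    for f in discover(REMOTE_ACCOUNTS, IDENTITIES, PROVISIONING_LINKS):
        print(f"{f.account:12} {f.sync_situation:10} {f.account_status:12} {f.unsynced}")
    print(counters(discover(REMOTE_ACCOUNTS, IDENTITIES, PROVISIONING_LINKS)))
```

The UNMATCHED rows are the ones to review first: they are accounts on the application that no identity in the IM accounts for.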
Unlike a “Provisioning Task”, which is centered on IM objects (such as Identities), an Account Discovery Task takes the opposite approach: it is centered on the remote application, i.e. starting from a remote application, it reports the status of that application’s accounts.
An Account Discovery Task does not perform bulk actions on discovered accounts, such as automatically disabling or deleting orphan accounts. It only reports the account’s situation, which becomes visible through the Memority reports.
Once the situation of each account has been recorded in the reporting database, it is possible, when displaying a Memority report listing those accounts, to execute actions on individual accounts by clicking on buttons located on the account’s line (more on this later).
Use
Launch
Similarly to a Provisioning Task, an Account Discovery Task can be launched:
automatically by a scheduled job, see the executionPlan property of an Account Discovery Task Definition (see also Execution Plan)
manually by a REST API call (see Account Discovery API)
Visualization
Once the task has run, discovered accounts can be visualized in Memority reports, and customizable actions can be performed on a per-account basis.
To do so, you need to configure:
a Reporting Configuration that targets the built-in account information collection
a feature with a Reporting Account Information Widget that lets you visualize these accounts and perform actions on them.
Example
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>taskInstance</name>
<values>
<staticValues/>
</values>
</criterion>
<ctdbum:FeatureConfiguration id="reporting_accountInformation-counter"
xmlns:ctdbum="http://www.memority.com/citadel/bum/1_0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<name>reporting_accountInformation-counter</name>
<description/>
<type>UI</type>
<scope type="EXPRESSION" objectKind="IDENTITY">
<objectTypes>
<objectType>internal</objectType>
<objectType>partner</objectType>
<objectType>memoritySupport</objectType>
<objectType>contractor</objectType>
</objectTypes>
</scope>
<options>
<formLabelOnTop>false</formLabelOnTop>
<pendingOperationBehaviour>WARN</pendingOperationBehaviour>
<submit>
<reportDisplay>DISPLAY_ALL</reportDisplay>
</submit>
</options>
<screen>
<views>
<view id="reporting_accountInformation-counter-view-1">
<description>Allow user to display Authentication</description>
<icon>fa fa-user</icon>
<sections>
<section id="reporting-account-information-section-1">
<layout>SINGLE</layout>
<columns>
<column>
<widgets>
<widget id="reporting-account-information-top-filter-widget" xsi:type="ctdbum:ReportingWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>SM</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>false</title>
<associations>
<association>
<criteriaMapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>true</allowEditCriteria>
<propagation>
<strategy>ALWAYS</strategy>
</propagation>
<widgetId>reporting-account-information-counter-synced-widget</widgetId>
</association>
<association>
<criteriaMapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>true</allowEditCriteria>
<propagation>
<strategy>ALWAYS</strategy>
</propagation>
<widgetId>reporting-account-information-counter-out-of-sync-widget</widgetId>
</association>
<association>
<criteriaMapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>true</allowEditCriteria>
<propagation>
<strategy>ALWAYS</strategy>
</propagation>
<widgetId>reporting-account-information-counter-orphaned-widget</widgetId>
</association>
<association>
<criteriaMapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>true</allowEditCriteria>
<propagation>
<strategy>ALWAYS</strategy>
</propagation>
<widgetId>reporting-account-information-counter-ignored-orphaned-widget</widgetId>
</association>
<association>
<criteriaMapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>true</allowEditCriteria>
<propagation>
<strategy>ALWAYS</strategy>
</propagation>
<widgetId>reporting-account-information-counter-linkable-orphaned-widget</widgetId>
</association>
<association>
<criteriaMapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>true</allowEditCriteria>
<propagation>
<strategy>ALWAYS</strategy>
</propagation>
<widgetId>reporting-account-information-counter-old-unlink-account-widget</widgetId>
</association>
</associations>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
</criteria>
</contract>
<display>
<xySeries/>
<pieSeries/>
<axes>
<axesX/>
<axesY/>
</axes>
<chartType>NONE</chartType>
<counter>
<borderColor>grey</borderColor>
<counterColor>dark</counterColor>
</counter>
<displayOnInit>false</displayOnInit>
<legend>
<display>true</display>
</legend>
<size>
<cssHeight>500px</cssHeight>
<cssWidth>100%</cssWidth>
<radiusPercent>50</radiusPercent>
</size>
<timeline>
<bullets/>
<horizontal>false</horizontal>
<initialRange>
<endRange>1.0</endRange>
<startRange>0.0</startRange>
</initialRange>
<levelCount>3</levelCount>
<timelineColor>#67b7dc</timelineColor>
<tooltipConfiguration>
<maxHeight>500</maxHeight>
<maxWidth>500</maxWidth>
<orientation>VERTICAL</orientation>
</tooltipConfiguration>
</timeline>
</display>
<reportingId>accountInformation</reportingId>
</config>
</widget>
</widgets>
</column>
</columns>
</section>
<section id="reporting-account-information-section-2">
<layout>SINGLE</layout>
<frame>
<actions/>
<collapsible>false</collapsible>
<display>PORTLET</display>
<initiallyCollapsed>false</initiallyCollapsed>
<title>false</title>
</frame>
<columns>
<column>
<widgets>
<widget id="reporting-account-information-counter-synced-widget" xsi:type="ctdbum:ReportingWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>SM</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>true</title>
<associations>
<association>
<criteriaMapping>
<mapping>
<conversion>
<staticValue>SYNCED</staticValue>
</conversion>
<source>accountStatus</source>
<target>accountStatus</target>
</mapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
<mapping>
<conversion>
<staticValue>LINKED</staticValue>
</conversion>
<source>syncSituation</source>
<target>syncSituation</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>true</allowEditCriteria>
<propagation>
<strategy>SELECTION</strategy>
</propagation>
<widgetId>reporting-account-information-status-widget</widgetId>
</association>
</associations>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>accountStatus</name>
<staticFixedValue>SYNCED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<staticFixedValue>LINKED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<display>
<xySeries/>
<pieSeries/>
<axes>
<axesX/>
<axesY/>
</axes>
<chartType>COUNTER_CHART</chartType>
<counter>
<aggregationExpression>count()</aggregationExpression>
<borderColor>green</borderColor>
<counterColor>green</counterColor>
<icon>icon-note</icon>
<text>tenant.reporting.synced.title.label</text>
<title>tenant.reporting.stat1.title.label</title>
</counter>
<displayOnInit>false</displayOnInit>
<legend>
<display>true</display>
</legend>
<size>
<cssHeight>500px</cssHeight>
<cssWidth>100%</cssWidth>
<radiusPercent>50</radiusPercent>
</size>
<timeline>
<bullets/>
<horizontal>false</horizontal>
<initialRange>
<endRange>1.0</endRange>
<startRange>0.0</startRange>
</initialRange>
<levelCount>3</levelCount>
<timelineColor>#67b7dc</timelineColor>
<tooltipConfiguration>
<maxHeight>500</maxHeight>
<maxWidth>500</maxWidth>
<orientation>VERTICAL</orientation>
</tooltipConfiguration>
</timeline>
</display>
<reportingId>accountInformation</reportingId>
</config>
</widget>
<widget id="reporting-account-information-counter-out-of-sync-widget" xsi:type="ctdbum:ReportingWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>SM</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>true</title>
<associations>
<association>
<criteriaMapping>
<mapping>
<conversion>
<staticValue>OUT_OF_SYNC</staticValue>
</conversion>
<source>accountStatus</source>
<target>accountStatus</target>
</mapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
<mapping>
<conversion>
<staticValue>LINKED</staticValue>
</conversion>
<source>syncSituation</source>
<target>syncSituation</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>false</allowEditCriteria>
<propagation>
<strategy>SELECTION</strategy>
</propagation>
<widgetId>reporting-account-information-status-widget</widgetId>
</association>
</associations>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>accountStatus</name>
<staticFixedValue>OUT_OF_SYNC</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<staticFixedValue>LINKED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<display>
<xySeries/>
<pieSeries/>
<axes>
<axesX/>
<axesY/>
</axes>
<chartType>COUNTER_CHART</chartType>
<counter>
<aggregationExpression>count()</aggregationExpression>
<borderColor>red</borderColor>
<counterColor>red</counterColor>
<icon>icon-note</icon>
<text>tenant.reporting.out-of-sync.title.label</text>
<title>tenant.reporting.stat1.title.label</title>
</counter>
<displayOnInit>false</displayOnInit>
<legend>
<display>true</display>
</legend>
<size>
<cssHeight>500px</cssHeight>
<cssWidth>100%</cssWidth>
<radiusPercent>50</radiusPercent>
</size>
<timeline>
<bullets/>
<horizontal>false</horizontal>
<initialRange>
<endRange>1.0</endRange>
<startRange>0.0</startRange>
</initialRange>
<levelCount>3</levelCount>
<timelineColor>#67b7dc</timelineColor>
<tooltipConfiguration>
<maxHeight>500</maxHeight>
<maxWidth>500</maxWidth>
<orientation>VERTICAL</orientation>
</tooltipConfiguration>
</timeline>
</display>
<reportingId>accountInformation</reportingId>
</config>
</widget>
<widget id="reporting-account-information-counter-orphaned-widget" xsi:type="ctdbum:ReportingWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>SM</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>true</title>
<associations>
<association>
<criteriaMapping>
<mapping>
<conversion>
<staticValue>ORPHANED</staticValue>
</conversion>
<source>accountStatus</source>
<target>accountStatus</target>
</mapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
<mapping>
<conversion>
<staticValue>UNMATCHED</staticValue>
</conversion>
<source>syncSituation</source>
<target>syncSituation</target>
</mapping>
<mapping>
<conversion>
<staticValue>false</staticValue>
</conversion>
<source>ignored</source>
<target>ignored</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>false</allowEditCriteria>
<propagation>
<strategy>SELECTION</strategy>
</propagation>
<widgetId>reporting-account-information-status-widget</widgetId>
</association>
</associations>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>accountStatus</name>
<staticFixedValue>ORPHANED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<staticFixedValue>UNMATCHED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>false</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>ignored</name>
<staticFixedValue>false</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<display>
<xySeries/>
<pieSeries/>
<axes>
<axesX/>
<axesY/>
</axes>
<chartType>COUNTER_CHART</chartType>
<counter>
<aggregationExpression>count()</aggregationExpression>
<borderColor>red</borderColor>
<counterColor>red</counterColor>
<icon>icon-note</icon>
<text>tenant.reporting.orphaned.title.label</text>
<title>tenant.reporting.stat1.title.label</title>
</counter>
<displayOnInit>false</displayOnInit>
<legend>
<display>true</display>
</legend>
<size>
<cssHeight>500px</cssHeight>
<cssWidth>100%</cssWidth>
<radiusPercent>50</radiusPercent>
</size>
<timeline>
<bullets/>
<horizontal>false</horizontal>
<initialRange>
<endRange>1.0</endRange>
<startRange>0.0</startRange>
</initialRange>
<levelCount>3</levelCount>
<timelineColor>#67b7dc</timelineColor>
<tooltipConfiguration>
<maxHeight>500</maxHeight>
<maxWidth>500</maxWidth>
<orientation>VERTICAL</orientation>
</tooltipConfiguration>
</timeline>
</display>
<reportingId>accountInformation</reportingId>
</config>
</widget>
<widget id="reporting-account-information-counter-ignored-orphaned-widget" xsi:type="ctdbum:ReportingWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>SM</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>true</title>
<associations>
<association>
<criteriaMapping>
<mapping>
<conversion>
<staticValue>ORPHANED</staticValue>
</conversion>
<source>accountStatus</source>
<target>accountStatus</target>
</mapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
<mapping>
<conversion>
<staticValue>UNMATCHED</staticValue>
</conversion>
<source>syncSituation</source>
<target>syncSituation</target>
</mapping>
<mapping>
<conversion>
<staticValue>true</staticValue>
</conversion>
<source>ignored</source>
<target>ignored</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>false</allowEditCriteria>
<propagation>
<strategy>SELECTION</strategy>
</propagation>
<widgetId>reporting-account-information-status-widget</widgetId>
</association>
</associations>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>accountStatus</name>
<staticFixedValue>ORPHANED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<staticFixedValue>UNMATCHED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>false</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>BOOLEAN</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>ignored</name>
<staticFixedValue>true</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<display>
<xySeries/>
<pieSeries/>
<axes>
<axesX/>
<axesY/>
</axes>
<chartType>COUNTER_CHART</chartType>
<counter>
<aggregationExpression>count()</aggregationExpression>
<borderColor>red</borderColor>
<counterColor>red</counterColor>
<icon>icon-note</icon>
<text>tenant.reporting.ignored.orphaned.title.label</text>
<title>tenant.reporting.stat1.title.label</title>
</counter>
<displayOnInit>false</displayOnInit>
<legend>
<display>true</display>
</legend>
<size>
<cssHeight>500px</cssHeight>
<cssWidth>100%</cssWidth>
<radiusPercent>50</radiusPercent>
</size>
<timeline>
<bullets/>
<horizontal>false</horizontal>
<initialRange>
<endRange>1.0</endRange>
<startRange>0.0</startRange>
</initialRange>
<levelCount>3</levelCount>
<timelineColor>#67b7dc</timelineColor>
<tooltipConfiguration>
<maxHeight>500</maxHeight>
<maxWidth>500</maxWidth>
<orientation>VERTICAL</orientation>
</tooltipConfiguration>
</timeline>
</display>
<reportingId>accountInformation</reportingId>
</config>
</widget>
<widget id="reporting-account-information-counter-linkable-orphaned-widget" xsi:type="ctdbum:ReportingWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>SM</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>true</title>
<associations>
<association>
<criteriaMapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
<mapping>
<conversion>
<staticValue>UNLINKED</staticValue>
</conversion>
<source>syncSituation</source>
<target>syncSituation</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>false</allowEditCriteria>
<propagation>
<strategy>SELECTION</strategy>
</propagation>
<widgetId>reporting-account-information-status-widget</widgetId>
</association>
</associations>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<staticFixedValue>UNLINKED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<display>
<xySeries/>
<pieSeries/>
<axes>
<axesX/>
<axesY/>
</axes>
<chartType>COUNTER_CHART</chartType>
<counter>
<aggregationExpression>count()</aggregationExpression>
<borderColor>red</borderColor>
<counterColor>red</counterColor>
<icon>icon-note</icon>
<text>tenant.reporting.linkable.orphaned.title.label</text>
<title>tenant.reporting.stat1.title.label</title>
</counter>
<displayOnInit>false</displayOnInit>
<legend>
<display>true</display>
</legend>
<size>
<cssHeight>500px</cssHeight>
<cssWidth>100%</cssWidth>
<radiusPercent>50</radiusPercent>
</size>
<timeline>
<bullets/>
<horizontal>false</horizontal>
<initialRange>
<endRange>1.0</endRange>
<startRange>0.0</startRange>
</initialRange>
<levelCount>3</levelCount>
<timelineColor>#67b7dc</timelineColor>
<tooltipConfiguration>
<maxHeight>500</maxHeight>
<maxWidth>500</maxWidth>
<orientation>VERTICAL</orientation>
</tooltipConfiguration>
</timeline>
</display>
<reportingId>accountInformation</reportingId>
</config>
</widget>
<widget id="reporting-account-information-counter-old-unlink-account-widget" xsi:type="ctdbum:ReportingWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>SM</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>true</title>
<associations>
<association>
<criteriaMapping>
<mapping>
<conversion>
<staticValue>OUT_OF_SYNC</staticValue>
</conversion>
<source>accountStatus</source>
<target>accountStatus</target>
</mapping>
<mapping>
<source>dominoApplicationId</source>
<target>dominoApplicationId</target>
</mapping>
<mapping>
<conversion>
<staticValue>UNLINKED</staticValue>
</conversion>
<source>syncSituation</source>
<target>syncSituation</target>
</mapping>
<mapping>
<source>shadowId</source>
<target>shadowId</target>
</mapping>
</criteriaMapping>
<allowEditCriteria>false</allowEditCriteria>
<propagation>
<strategy>SELECTION</strategy>
</propagation>
<widgetId>reporting-account-information-status-old-link-account-widget</widgetId>
</association>
</associations>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>accountStatus</name>
<staticFixedValue>OUT_OF_SYNC</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<staticFixedValue>UNLINKED</staticFixedValue>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<fixedMatchOperator>IS_NULL</fixedMatchOperator>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>shadowId</name>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<display>
<xySeries/>
<pieSeries/>
<axes>
<axesX/>
<axesY/>
</axes>
<chartType>COUNTER_CHART</chartType>
<counter>
<aggregationExpression>count()</aggregationExpression>
<borderColor>red</borderColor>
<counterColor>red</counterColor>
<icon>icon-note</icon>
<text>tenant.reporting.linkable.old.unlink.account.title.label</text>
<title>tenant.reporting.stat1.title.label</title>
</counter>
<displayOnInit>false</displayOnInit>
<legend>
<display>true</display>
</legend>
<size>
<cssHeight>500px</cssHeight>
<cssWidth>100%</cssWidth>
<radiusPercent>50</radiusPercent>
</size>
<timeline>
<bullets/>
<horizontal>false</horizontal>
<initialRange>
<endRange>1.0</endRange>
<startRange>0.0</startRange>
</initialRange>
<levelCount>3</levelCount>
<timelineColor>#67b7dc</timelineColor>
<tooltipConfiguration>
<maxHeight>500</maxHeight>
<maxWidth>500</maxWidth>
<orientation>VERTICAL</orientation>
</tooltipConfiguration>
</timeline>
</display>
<reportingId>accountInformation</reportingId>
</config>
</widget>
</widgets>
</column>
</columns>
</section>
<section id="reporting-sync-report-section-3">
<layout>SINGLE</layout>
<columns>
<column>
<widgets>
<widget id="reporting-account-information-status-widget" xsi:type="ctdbum:ReportingAccountInformationWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>LG</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>false</title>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>accountStatus</name>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>false</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>ignored</name>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<displayOnInit>false</displayOnInit>
<reportingId>accountInformation</reportingId>
<actionsGroups>
<actionsGroup>
<actions>
<action id="view-entry-btn" xsi:type="ctdbum:ButtonWidgetType">
<hidden>false</hidden>
<config>
<authenticationLevelSufficient>false</authenticationLevelSufficient>
<borderless>false</borderless>
<circle>true</circle>
<color>blue</color>
<icon>fa fa-eye</icon>
<label>true</label>
<link>feature://common-user-provisioning-management/{dataKey.idmObjectId}</link>
<linkTarget>NEW_TAB</linkTarget>
<outline>true</outline>
<size>XS</size>
</config>
</action>
<action id="view-entry-btn" xsi:type="ctdbum:ButtonWidgetType">
<hidden>false</hidden>
<config>
<objectTypes>
<objectType>contractor</objectType>
</objectTypes>
<authenticationLevelSufficient>false</authenticationLevelSufficient>
<borderless>false</borderless>
<circle>true</circle>
<color>blue</color>
<icon>fa fa-eye</icon>
<label>true</label>
<link>feature://common-user-provisioning-management/{dataKey.idmObjectId}</link>
<linkTarget>NEW_TAB</linkTarget>
<outline>true</outline>
<size>XS</size>
</config>
</action>
</actions>
<objectKind>IDENTITY</objectKind>
</actionsGroup>
</actionsGroups>
<syncActions>
<syncAction id="syncIdmObject">
<objectKinds/>
<staticContext/>
<action>SYNCHRONIZE_IDM_OBJECT</action>
</syncAction>
<syncAction id="ignoreApplicationObject">
<objectKinds/>
<staticContext/>
<action>IGNORE_APPLICATION_OBJECT</action>
</syncAction>
<syncAction id="uningnoreApplicationObject">
<objectKinds/>
<staticContext/>
<action>UNIGNORE_APPLICATION_OBJECT</action>
</syncAction>
<syncAction id="assignRole">
<objectKinds/>
<staticContext/>
<action>ASSIGN_APPLICATION_ROLE</action>
<modalLink>feature://common-user-role-management/{dataKey.idmObjectId}</modalLink>
</syncAction>
<syncAction id="customAction1">
<objectKinds/>
<staticContext>
<context>
<name>key</name>
<value>description</value>
</context>
</staticContext>
<action>CUSTOM</action>
<color>blue</color>
<icon>fa fa-bolt</icon>
</syncAction>
<syncAction id="customAction2">
<objectKinds/>
<staticContext>
<context>
<name>key</name>
<value>groups</value>
</context>
</staticContext>
<action>CUSTOM</action>
<color>blue</color>
<icon>fa fa-bolt</icon>
</syncAction>
<syncAction id="deleteApplicationObject">
<objectKinds/>
<staticContext/>
<action>DELETE_APPLICATION_OBJECT</action>
</syncAction>
</syncActions>
</config>
</widget>
<widget id="reporting-account-information-status-old-link-account-widget" xsi:type="ctdbum:ReportingAccountInformationWidgetType">
<hidden>false</hidden>
<displayOptions>
<modalSize>LG</modalSize>
</displayOptions>
<config>
<bordered>false</bordered>
<title>false</title>
<contract>
<criteria>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>accountStatus</name>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT_CHOICE</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>true</mandatory>
<name>dominoApplicationId</name>
<values>
<staticValues>
<value>reporting-identity-application</value>
<value>Google-REST-Application</value>
<value>prov-activeDirectory-common-application</value>
<value>prov-memorityauthentication-common-application</value>
<value>O365-REST-Application</value>
</staticValues>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>syncSituation</name>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>true</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<fixedMatchOperator>IS_NULL</fixedMatchOperator>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>shadowId</name>
<values>
<staticValues/>
</values>
</criterion>
<criterion>
<allowFixedValueOverride>false</allowFixedValueOverride>
<controlType>
<multivalued>false</multivalued>
<options>
<periodSelection>
<mode>IN_LAST</mode>
</periodSelection>
</options>
<valueType>TEXT</valueType>
</controlType>
<displayFixedValue>false</displayFixedValue>
<forGrouping>false</forGrouping>
<mandatory>false</mandatory>
<name>ignored</name>
<values>
<staticValues/>
</values>
</criterion>
</criteria>
</contract>
<displayOnInit>false</displayOnInit>
<reportingId>accountInformation</reportingId>
<actionsGroups>
<actionsGroup>
<actions>
<action id="view-entry-btn" xsi:type="ctdbum:ButtonWidgetType">
<hidden>false</hidden>
<config>
<authenticationLevelSufficient>false</authenticationLevelSufficient>
<borderless>false</borderless>
<circle>true</circle>
<color>blue</color>
<icon>fa fa-eye</icon>
<label>true</label>
<link>feature://common-user-provisioning-management/{dataKey.idmObjectId}</link>
<linkTarget>NEW_TAB</linkTarget>
<outline>true</outline>
<size>XS</size>
</config>
</action>
<action id="view-entry-btn" xsi:type="ctdbum:ButtonWidgetType">
<hidden>false</hidden>
<config>
<objectTypes>
<objectType>contractor</objectType>
</objectTypes>
<authenticationLevelSufficient>false</authenticationLevelSufficient>
<borderless>false</borderless>
<circle>true</circle>
<color>blue</color>
<icon>fa fa-eye</icon>
<label>true</label>
<link>feature://common-user-provisioning-management/{dataKey.idmObjectId}</link>
<linkTarget>NEW_TAB</linkTarget>
<outline>true</outline>
<size>XS</size>
</config>
</action>
</actions>
<objectKind>IDENTITY</objectKind>
</actionsGroup>
</actionsGroups>
<syncActions>
<syncAction id="syncIdmObject">
<objectKinds/>
<staticContext/>
<action>SYNCHRONIZE_IDM_OBJECT</action>
</syncAction>
<syncAction id="ignoreApplicationObject">
<objectKinds/>
<staticContext/>
<action>IGNORE_APPLICATION_OBJECT</action>
</syncAction>
<syncAction id="uningnoreApplicationObject">
<objectKinds/>
<staticContext/>
<action>UNIGNORE_APPLICATION_OBJECT</action>
</syncAction>
<syncAction id="assignRole">
<objectKinds/>
<staticContext/>
<action>ASSIGN_APPLICATION_ROLE</action>
<modalLink>feature://common-user-role-management/{dataKey.idmObjectId}</modalLink>
</syncAction>
<syncAction id="customAction1">
<objectKinds/>
<staticContext>
<context>
<name>key</name>
<value>description</value>
</context>
</staticContext>
<action>CUSTOM</action>
<color>blue</color>
<icon>fa fa-bolt</icon>
</syncAction>
<syncAction id="customAction2">
<objectKinds/>
<staticContext>
<context>
<name>key</name>
<value>groups</value>
</context>
</staticContext>
<action>CUSTOM</action>
<color>blue</color>
<icon>fa fa-bolt</icon>
</syncAction>
<syncAction id="deleteApplicationObject">
<objectKinds/>
<staticContext/>
<action>DELETE_APPLICATION_OBJECT</action>
</syncAction>
</syncActions>
</config>
</widget>
</widgets>
</column>
</columns>
</section>
</sections>
</view>
</views>
<frame>
<actions/>
<collapsible>false</collapsible>
<display>PORTLET</display>
<initiallyCollapsed>false</initiallyCollapsed>
<title>false</title>
</frame>
</screen>
<authentication>
<authenticationLevel>default</authenticationLevel>
<authenticationLevelComparison>MINIMUM</authenticationLevelComparison>
</authentication>
<operations/>
<operationOnSelf>false</operationOnSelf>
</ctdbum:FeatureConfiguration>
Configuration
Account Discovery Tasks are configured by administrators having the sys.sync-schema-crud or sys.sync-schema-admin right.
Pre-requisite
Before configuring an Account Discovery task, the application targeted must have been configured.
If the target Application:
- is a REST Application, then a DISCOVER_OBJECTS Groovy operation must be configured, as described in DISCOVER OBJECTS Operation
- is a LDAP server (Active Directory, OpenLDAP, etc.), then its ConnectorDefinition must be configured with the property pagingStrategy=vlv
Properties
An Account Discovery Task is configured through an Account Discovery Task Definition, whose properties are listed below.
Property Name | Type | Mandatory | Description | Values (default value in bold) |
---|---|---|---|---|
id | | YES | The Task identifier. | - |
name | | YES | The Task name. | - |
description | | NO | The Task description. | - |
active | | NO | Whether the Task is active or not. If not, it cannot be launched. | true, false |
applicationId | | YES | The id of the application holding the remote accounts to discover. | - |
objectClassId | | YES | The class of objects to discover on the remote application (e.g | - |
shadowKind | | YES | The kind of Shadow that is expected to be discovered: account, organization, etc. | |
searchExpression | | NO | The expression used to search the accounts to discover on the remote application. If no search expression is configured, then "find all" is assumed. | - |
sortExpression | | YES | The sort expression applied when searching remote accounts, for example: | - |
filterExpression | | NO | An additional "programmatic" filter applied on the Memority side (not on the remote application), making it possible to further refine the search with elaborate criteria that are not natively supported by the remote application. For example, in the LDAP case, such a criterion could be "DN does not end with OU=technical,DC=memority,DC=com" | |
pageSize | | YES | The size of paged searches. | 1000 |
reportingConditionRule | | NO | A The following elements are always published to the Reporting service, regardless of this condition evaluation: | null Example where only “orphaned” accounts are reported: |
executionPlan | | NO | Configure the execution plan if the task is scheduled (see Execution Plan). | - |
Example
<?xml version="1.0" encoding="UTF-8"?>
<AccountDiscoveryTaskDefinition xmlns:ctd="http://www.memority.com/citadel/1_0" xmlns:ctdcore="http://www.memority.com/citadel/core/1_0"
xmlns:dmn="http://www.memority.com/domino_sync/1_0"
xmlns:kit="http://www.memority.com/toolkit/1_0"
xmlns:notify="http://www.memority.com/toolkit/addons/notify/1_0"
xmlns:rule="http://www.memority.com/toolkit/rule/1_0"
xmlns:search="http://www.memority.com/toolkit/search-expression/1_0"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
id="some-active-directory-discovery">
<name>Active Directory Discovery</name>
<description>Discover accounts on Active Directory</description>
<active>true</active>
<applicationId>active-directory-app</applicationId>
<executionPlan>
<scheduleType>ONCE</scheduleType>
<fireTime>2024-02-08T16:25:53.718Z</fireTime>
<interval>0</interval>
</executionPlan>
<shadowKind>ACCOUNT</shadowKind>
<objectClassId>inetOrgPerson</objectClassId>
<pageSize>50</pageSize>
<searchExpression>
<search:Prop op="EQUALS" name="department">
<value script="false">sales</value>
</search:Prop>
</searchExpression>
<sortExpression>createdAt,ASC</sortExpression>
<filterExpression>
<search:Prop op="ENDS_WITH_LIKE" name="__NAME__">
<value script="false">OU=MIM,DC=memority,DC=lan</value>
</search:Prop>
</filterExpression>
<reportingConditionRule>
<script><![CDATA[return ACCOUNT.__accountStatus__ == AccountStatus.ORPHANED]]></script>
</reportingConditionRule>
</AccountDiscoveryTaskDefinition>
Notifications Events
The following Notifications Events are dedicated to this use case:
Notification event type | Location | Actors | Payload contains ... |
---|---|---|---|
DOMINO_ACCOUNT_DISCOVERY_REPORT_PUBLICATION | SYNC | senders, recipients | Variables: |
Active Directory Notes
When discovering accounts on Active Directory, Active Directory must be configured so that:
- the MaxTempTableSize parameter is set to a value greater than the total count of discovered accounts. For more information, see:
- VLV support is enabled (this is the default), see https://www.netiq.com/documentation/privileged-account-manager-42/npam_admin/data/t4dyu7ey5ol9.html
REST API
The Memority Synchronization service exposes the Account Discovery REST API.
JSON Representations
Account Discovery Task Definition
Here is the JSON representation of an Account Discovery Task Definition:
{
"id":"some-active-directory-discovery",
"name":"Active Directory Discovery",
"description":"Discover accounts on Active Directory",
"active":true,
"applicationId":"active-directory-app",
"objectClassId":"inetOrgPerson",
"shadowKind":"ACCOUNT",
"searchExpression":{
"prop":"department",
"op":"EQUALS",
"values":[
{
"script":false,
"content":"sales"
}
]
},
"sortExpression":"createdAt,ASC",
"pageSize":50,
"executionPlan":{
"scheduleType":"ONCE",
"fireTime":"2024-02-08T16:25:53.718Z",
"interval":0
}
}
Account Discovery Task Report
Upon execution of an Account Discovery task, an Account Discovery task report is generated.
Here is its JSON representation:
{
"id":"account-discovery-task-instance",
"taskId":"test_accountDiscoveryTask",
"actor":null,
"status":"ERROR",
"startDate":"2024-02-08T17:39:14.720Z",
"processingTimeMillis":5000,
"numberOfEntriesToProcess":245,
"numberOfProcessedEntries":245,
"numberOfIgnoredEntries":35,
"numberOfErrors":0,
"numberOfLinkedAccounts":155,
"numberOfUnlinkedAccounts":10,
"numberOfOrphanedAccounts":45,
"progressPercentage":100,
"canceled":false,
"triggerType":"MANUAL"
}
Account Discovery API
The table below lists the full Account Discovery REST API:
Resource | Method | Body | Permission | Description | Response |
---|---|---|---|---|---|
APIs related to the configuration of an Account Discovery Task | |||||
| GET | N/A | | List all the Account Discovery Task Definitions | As usual for configuration management. |
| POST | JSON | | Create a new Account Discovery Task Definition | As usual for configuration management. |
| GET/PUT/DELETE | N/A | | Get or update or delete an Account Discovery Task Definition | As usual for configuration management. |
APIs related to the execution of an Account Discovery Task | |||||
| POST | JSON | | Launch an Account Discovery task by providing the identifier of an The execution of this method is asynchronous: it immediately returns to the caller a UUID, the task instance id, that can then be used in the API methods below. | Success: HTTP code 200. Body: a task instance id as a simple string (not JSON): a UUID identifier that can be used to monitor the task progress or cancel the running task (see below). Errors: HTTP code 404 if the task configuration id is not found. |
| GET | N/A | | Get the report of all the Account Discovery task executions | Success: HTTP code 200. Body: a JSON list of task reports (see above) |
| GET | N/A | | Monitor the execution of an Account Discovery task. It returns a task progress The | Success: HTTP code 200. Body: JSON Task progress information of a given task instance (see below). Errors: HTTP code 404 if the task instance id is not found. |
| POST | N/A | | Cancel a task. | Success: HTTP code 200. Body: empty. Errors: HTTP code 404 if the task instance id is not found. HTTP code 409 ("conflict") if the task cannot be canceled because it is in a terminal state. |
Executing Actions on Discovered Accounts
When displaying a list of discovered accounts, manual actions that may be executed on accounts are proposed on a per-account basis; buttons corresponding to actions are appended to each account line. The list of available actions is configurable in the Reporting Widget. Possible actions depend on the account state; some actions are incompatible with some states, and the corresponding buttons are not displayed.
It is not possible to execute bulk actions on a selection of multiple accounts; a single action is executed on a single account.
Account State
Actions that may be executed on an account depend on the account’s state. The state of an account is defined by two properties of the account: accountStatus and syncSituation. Those two properties are determined by the discovery task execution; they are described in the following table:
Account Property | Description | Possible Values |
---|---|---|
| Describe the state of the account’s attributes regarding the state of a possible IDM object matching the account, if such an IDM object exists. | |
| Indicate whether the account has been provisioned by Memority or not. | |
Account Actions
Available actions depend on the account state; they are listed below:
Action | Description | Compatible syncSituation |
---|---|---|
| This action is only possible when the account is provisioned by Memority, i.e. when its This action triggers a provisioning operation where the target account’s attributes are re-synchronized with the source IDM object’s attributes | |
Give a provisioning Role to the IDM object | This action is only possible when the account is not provisioned by Memority, but an IDM object matching the account exists, i.e. when the account When clicking on the corresponding button, no action is executed on the account, but a redirection to the page where roles can be assigned occurs, so that the IDM object matching the account can receive the Role that will trigger the provisioning and link the account. | |
| Delete an orphaned account. | |
| Exclude from the reporting an orphaned account. No action is executed on the account, but it is not listed anymore in discovery reports. | |
| Report again an orphaned account that was previously excluded from the reporting. No action is executed on the account. | |
| Apply a custom patch on an orphaned account. A | |
Configuring a Custom Action
It is possible to execute a custom action on an orphaned account, for example to disable it. This is configured through a ComputeRule returning an ObjectPatch. No provisioning mechanism is involved here; the computed patch is directly applied on the remote account.
The custom action is configured on an Application, in the ObjectSchemaMappingDefinition sub-section, as illustrated below:
<Application>
<name>Sample Application</name>
<connectorId>sample_connector</connectorId>
<schemaMappingDefinition>
<objectSchemaMappingDefinitions>
<objectSchemaMappingDefinition>
<customAction>
<script><![CDATA[return MANAGE.newPatch().set("enabled").value(false).get()]]></script>
</customAction>
...
</objectSchemaMappingDefinition>
</objectSchemaMappingDefinitions>
</schemaMappingDefinition>
...
</Application>
In the above example, the enabled attribute of the remote account is set to false to disable the account.
Since only a single custom action can be configured per Application, more complex business cases are handled by configuring a context on the reporting widget’s button; that context is propagated to the action via the EXTERNAL Groovy binding.
For example, a “Disable Account” button can be configured on the widget with the context “disabled=true”, and a “Lock Account” button can be configured with the context “locked=true”.
The Groovy script computing the patch can use the external context as follows:
if (EXTERNAL.disabled) {
return MANAGE.newPatch().set("enabled").value(false).get()
} else if (EXTERNAL.locked) {
return MANAGE.newPatch().set("locked").value(true).get()
} else {
// Do something else
}
The construction of the ObjectPatch is thus conditional.
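The widget side of the two buttons described above, as an added example that is not taken from the Memority documentation: it reuses the syncAction, staticContext and context elements of the reporting widget configuration shown earlier on this page (customAction1 and customAction2). The syncAction ids disableAccount and lockAccount are hypothetical; the context names and values are the “disabled=true” and “locked=true” pairs from the text.

```xml
<!-- Added example: fragment of the <config> of a
     ReportingAccountInformationWidgetType widget.
     The ids "disableAccount" and "lockAccount" are hypothetical. -->
<syncActions>
  <!-- "Disable Account" button: propagates disabled=true to the
       Application's single custom action through the EXTERNAL binding -->
  <syncAction id="disableAccount">
    <objectKinds/>
    <staticContext>
      <context>
        <name>disabled</name>
        <value>true</value>
      </context>
    </staticContext>
    <action>CUSTOM</action>
    <color>blue</color>
    <icon>fa fa-bolt</icon>
  </syncAction>
  <!-- "Lock Account" button: propagates locked=true to the same custom action -->
  <syncAction id="lockAccount">
    <objectKinds/>
    <staticContext>
      <context>
        <name>locked</name>
        <value>true</value>
      </context>
    </staticContext>
    <action>CUSTOM</action>
    <color>blue</color>
    <icon>fa fa-bolt</icon>
  </syncAction>
</syncActions>
```

This page does not state how a context value is typed when it reaches the EXTERNAL binding. If it arrives as a string, Groovy treats any non-empty string (including "false") as true, so a key tested as `EXTERNAL.disabled` should only be set on buttons meant to trigger that branch.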