Skip to main content
Skip table of contents

Application Profile

An Application Profile targets a specific Application, e.g. the "Trade" Active Directory. Having an Application Profile always implies having an account on the target Application.

Definition

An Application Profile targets a specific Application, e.g. the "Trade" Active Directory. Having an Application Profile always implies having an account on the target Application (this is implicit), but the Application Profile also configures all the "Entitlement" Assignments (e.g. the asset associations) that are possible for the Application, in terms of group membership and/or privilege attribution. “Entitlements” can thus be assigned to a provisioned account. Typically, for the LDAP directory case, an Entitlement is a LDAP group. Upon account provisioning, group membership is enforced, according to configured rules.

To sum up, if an Application internally manages a set of groups and/or privileges (i.e. Entitlements), a set of Assignments can be configured to represent the possible associations of user accounts with those entitlements, as illustrated below:

ApplicationProfiles are conditionally associated with IDM objects, such as IDM Identities or IDM Organizations. A profile association is conditional, because an IDM object must match an ApplicationProfile’s Object Matching Condition to be provisioned on a target Application. If the ApplicationProfile matches, then the account is provisioned on the target Application, and Entitlements (if any) are assigned to the account.

The next section details this.

Configuration

You can access the Application Profiles configuration :

  • by clicking on "Synchronization" → "Application Profiles"

  • by clicking on "System" → "Configurations"->”Synchronization Service” and perform an import/export.

Properties

The possible ApplicationProfile configuration elements are :

Property Name

Type

Mandatory

Description

id

String

YES

The Application Profile identifier.

name

String

YES

The Application Profile name.

description

String

NO

The Application Profile description.

assignments

List<Assignment>

NO

A list of Assignments enabling to associated Entitlements (groups, privileges) to a provisioned account. See next table for more information.

applicationId

String

YES

The id of the target Application.

enabled

Boolean

YES

The Application Profile status.

Default value : true

objectMatchingCondition

objectMatchingCondition

YES

A condition ObjectMatchingCondition determining whether an IDM object should have the ApplicationProfile or not, e.g. be provisioned on the target Application.

An ObjectMatchingCondition defines general “matching” conditions. One of those conditions can be the IDM object's access rights. For example, if an IDM Identity with the "fr" lang has the IDM "sales" right, then an account will be created in the "trade" LDAP directory, and put in the "sales-fr" LDAP group.

shadowKind

Enum

YES

ACCOUNT, ORGANIZATION, RESOURCE, ROLE, ROLE_PUBLICATION, ENTITLEMENT

Assignment properties

Property Name

Type

Mandatory

Description

entitlementsSearchRule

ComputeRule

OBJECT CATEGORY

YES

How to search on the remote Application the Entitlement(s) to be assigned to the account.

This is a ComputeRule, returning a SearchExpression aimed at finding Entitlements.

The list of Entitlements to be found can be constructed dynamically, typically by listing the roles of a provisioned IM object.

association

String

YES

The name of the AssociationDefinition configuration, i.e. put a created account into a group, or give a privilege to the created account.

AssociationDefinitions are configured inside the ObjectSchemaMappingDefinition section of an Application.

entitlementsSearchBase

String

NO

A search base for entitlements.

If not specified, entitlements are searched from root.

matchingCondition

objectMatchingCondition

NO

A "matching condition" indicating whether this assignment should be applied or not on the account.

If null then this assignment is always applied.

detectIllegalEntitlements

Boolean

NO

Whether to detect "illegal" Entitlements, given outside Memority's jurisdiction. Those are Entitlements that have been given to an account by a local Application administrator, and they do not match entitlementsSearchRule.

If true:

  • account reporting and account discovery include this “illegal entitlements” information

  • illegal entitlements are removed when provisioning the account, supposing they are not ignored by illegalEntitlementsFilterRule, see below

illegalEntitlementsFilterRule

ConditionRule

OBJECT CATEGORY

NO

An optional rule enabling to ignore some Entitlements given outside Memority’s jurisdiction.

It is an additional "programmatic" filter applied on the Memority side (not on the remote application), enabling to further refine the list of illegal entitlements, using elaborate criteria that are not natively supported by the remote application.

For example, in the LDAP case, such a criterion could be "group DN does not end with ou=technical-groups,dc=memority,dc=com"

This is a ConditionRule, returning true or false. If not configured, all Entitlements outside Memority’s jurisdiction are deemed “illegal”. If configured, then only those Entitlements for which the ConditionRule returns true are considered illegal.

Example

Exampleby
XML 
   <dmn:ApplicationProfile id="prov-activeDirectory-common-applicationProfile">
      <name>prov-activeDirectory-common-applicationProfile</name>
      <description></description>
      <assignments>
         <assignment>
            <entitlementsSearchRule>
               <script><![CDATA[
          expr { prop('cn').eq('DnsAdmins') }
          ]]></script>
            </entitlementsSearchRule>
            <association>group</association>
            <entitlementsSearchBase>DC=memority,DC=lan</entitlementsSearchBase>
            <matchingCondition>
               <objectKind>IDENTITY</objectKind>
               <objectTypes/>
               <simpleObjectMatchingStrategyDefinition>
                  <inputAttributeId>function</inputAttributeId>
                  <regex>ASSISTANT-TECHNIQUE</regex>
               </simpleObjectMatchingStrategyDefinition>
            </matchingCondition>
         </assignment>
         <assignment>
            <entitlementsSearchRule>
               <script><![CDATA[
               def group = IDM_OBJECT.adGroup as String
               
               expr {prop('cn').eq(group)}]]></script>
            </entitlementsSearchRule>
            <association>group</association>
            <entitlementsSearchBase>DC=memority,DC=lan</entitlementsSearchBase>
            <matchingCondition>
               <objectKind>IDENTITY</objectKind>
               <objectTypes/>
               <simpleObjectMatchingStrategyDefinition>
                  <inputAttributeId>function</inputAttributeId>
                  <regex>CUISINE</regex>
               </simpleObjectMatchingStrategyDefinition>
            </matchingCondition>
           <illegalEntitlementsFilterRule>
                <script><![CDATA[
                    return !ENTITLEMENT.__name__.toLowerCase().contains("manual")
                    ]]></script>
            </illegalEntitlementsFilterRule>
         </assignment>
         <assignment>
            <entitlementsSearchRule>
               <script><![CDATA[
               expr {prop('cn').eq('Domain Admins')}]]></script>
            </entitlementsSearchRule>
            <association>group</association>
            <entitlementsSearchBase>DC=memority,DC=lan</entitlementsSearchBase>
         </assignment>
      </assignments>
      <applicationId>prov-activeDirectory-common-application</applicationId>
      <enabled>false</enabled>
      <objectMatchingCondition>
         <objectKind>IDENTITY</objectKind>
         <objectTypes/>
         <rightMatchingCondition>
            <names>
               <name>app.prov.identity-activeDirectory</name>
            </names>
            <targets/>
            <nameAndTargets/>
         </rightMatchingCondition>
      </objectMatchingCondition>
      <shadowKind>ACCOUNT</shadowKind>
   </dmn:ApplicationProfile>

Read Next

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close