15.3 Creating Identity and Application Sources

Identity sources provide the information to build a catalog of the people within your organization. The information that you collect from your data sources can add as much personally identifiable information as you need to create the unique identity for each person. If you have upgraded from Identity Governance 2.5, use the Identity Source Migration utility to update your Active Directory data collector, eDirectory data collector, and Identity Manager data collector to accept change events. For more information, see Migrating an Identity Collector to a Change Event Identity Collector.

Application sources provide the information to build a catalog of the permissions and accounts within your organization. These data sources are configured with one or more collectors to collect the information from that source. Identity Governance provides collector templates to facilitate this configuration, or you can import a JSON file to add identity or application sources.

NOTE:

  • If you are using the Identity Manager Identity collector, it must always be first in the list of collectors, or user authorizations fail. For more information, see User Authorizations Fail if the Primary Identity Source is not Identity Manager.

  • When you collect identities using the publish and merge setting, the matching attributes become mandatory: Identity Governance includes a user when publishing only if that user has the matching attribute. If a secondary identity source has users that do not have the matching attribute defined in the collector, they will be collected, but they will not be published.

  • If you collect data from two or more identity sources that have duplicate information for the Primary Supervisor ID from Source attribute, Identity Governance cannot merge or publish the data. After collecting each identity source, you must define extended attributes, such as Source1_userID and Source2_userID, for the Primary Supervisor ID from Source attribute. Then, to merge the information, specify the extended attributes as the Join to attribute for Primary Supervisor ID from Source.

  • To collect from a CSV file, specify the full path to the file.

  • You must export data sources from the current version of Identity Governance to be able to correctly import them.

  • You can use the Identity Governance Custom Collector SDK to create collectors. For more information, see the Release Notes for Identity Governance 3.0.1.

  • The CSV collector supports TSV files. To use a TSV file, enter the word tab, in uppercase, lowercase, or any combination in the Column Delimiter field.
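
The publish-and-merge note and the CSV/TSV note above can be combined into a pre-collection check on a CSV identity source. This is an added example, not part of Identity Governance or its documentation; the column names userID and email, the sample rows, and the function names are constructed for illustration, and parsing uses Python's csv module rather than the collector's own parser.

```python
import csv
import io

# Constructed sample export from a secondary identity source (tab-separated).
SAMPLE_TSV = (
    "userID\temail\tdisplayName\n"
    "u1001\talice@example.com\tAlice A\n"
    "u1002\t\tBob B\n"          # matching attribute empty
    "u1003\t   \tCarol C\n"     # matching attribute whitespace only
    "u1004\n"                   # short row: matching attribute absent
)


def resolve_delimiter(field_value):
    """Map a Column Delimiter value to a character; 'tab' in any case means TSV."""
    return "\t" if field_value.strip().lower() == "tab" else field_value


def users_missing_match_attr(text, column_delimiter, matching_attr, id_attr):
    """Return the IDs of records that lack a value for the matching attribute.

    Per the note above, such users are collected but not published when the
    source is merged, so they are worth fixing before collection.
    """
    reader = csv.DictReader(io.StringIO(text),
                            delimiter=resolve_delimiter(column_delimiter))
    columns = reader.fieldnames or []
    for required in (id_attr, matching_attr):
        if required not in columns:
            raise ValueError(f"column {required!r} not in file header {columns}")
    missing = []
    for row in reader:
        value = row.get(matching_attr)  # None when the row is short
        if value is None or not value.strip():
            missing.append(row[id_attr])
    return missing


if __name__ == "__main__":
    for user in users_missing_match_attr(SAMPLE_TSV, "Tab", "email", "userID"):
        print(f"will be collected but not published: {user}")
```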

To create a data source:

  1. Log in to Identity Governance as a Data Administrator.

  2. Select Data Sources.

  3. (Conditional) To create an identity source collector, select Identities.

  4. (Conditional) To create an application source collector, select Applications.

  5. Select + to create a data source collector from a template.

    or

    Select Import an Identity | Application Source to specify a JSON file to import.

    IMPORTANT: You must export a data source from the current version of Identity Governance to import an updated version. Data source files exported from earlier versions of Identity Governance do not import correctly to the current version. Hence, the data source must be recreated in the current version of Identity Governance.

  6. (Conditional) To configure an identity source with a change events collector, select a template whose name ends in "with changes" and observe the conditions listed in Collecting from Identity Sources with Change Events. For more information, see Understanding Change Event Collection Status and Supported Attribute Syntaxes for eDir and IDM Change Events Collection.

    NOTE: Only one event collector is allowed, and any change to the collector configuration suspends change event processing, which does not resume until a full batch collection and publication completes.

    IMPORTANT: For large scale changes, disable event collection, and enable it only for incremental change events.

  7. Enter all the mandatory fields for the data source.

    For more information, see the following content in Understanding Collector Configuration:

  8. Save your settings.

  9. (Optional) If you want to preview all or part of the data, select Test Collection and Troubleshooting. For more information, see Testing Collections.

The first time you set up Identity Governance, you must collect and publish data after creating your data sources so that your catalog contains the data.

To populate the catalog:

  1. Select Collect Now for each data source on the Identities and Applications pages.

    You need to collect and publish the data for Identity Governance to add the data to the catalog.

  2. (Optional) To merge the collected data from an identity source, specify the rules for publishing and merging.

    For more information, see Setting the Merge Rules for Publication.

  3. Select Publish Now on the Identities page and next to each application data source on the Applications page.

    NOTE: When you publish any identity source, Identity Governance publishes all identity sources. For more information, see Publishing Identity Sources.

  4. When you see that publication has completed, go to Catalog to view the collected information.

15.3.1 Understanding Change Event Collection Status

Event collection displays one of the following statuses:

| Change Event Collection Status | Description |
|---|---|
| DISABLED | Event processing is not enabled for this collector and identity source. If event processing is enabled from this state, the state becomes BLOCKED, and the identity source must be collected and published before it can become READY. |
| BLOCKED | Event processing is enabled, but cannot proceed because the preconditions for processing change events were not met. For more information, see Collecting from Identity Sources with Change Events. |
| READY | Event processing is enabled and not blocked, but awaiting scheduling to proceed. |
| IN_PROGRESS | Events are being polled for and processed. |

NOTE: Event processing will be in progress either until a polling request returns no events, or until the configured maximum event processing time is reached.

15.3.2 Supported Attribute Syntaxes for eDir and IDM Change Events Collection

Identity Governance supports the collection of the following attribute syntaxes during eDir and IDM change events collection:

  • Boolean

  • Case Exact String

  • Case Ignore List

  • Case Ignore String

  • Class Name

  • Counter

  • Distinguished Name

  • Integer

  • Integer 64

  • Interval

  • Numeric String

  • Object ACL

  • Octet String

  • Path

  • Postal Address

  • Printable String

  • Telephone Number

  • Time

  • Typed Name

  • Unknown