7.4 Synchronizing Changes in Identity Governance Data with Objects in the Identity Vault

You can synchronize new and modified identities and application permissions in Identity Governance with user and resource objects in Identity Manager. The Identity Governance driver includes policies that tell Identity Manager how to respond to changes that occur to application and identity data in Identity Governance. You configure these policies in the Global Configuration Values.

7.4.1 Synchronizing New User Objects

The Identity Governance driver synchronizes only the identities that are created in Identity Governance after you enable synchronization with Identity Manager. If you already have identities in Identity Governance when you enable synchronization, you need to migrate the existing user objects. For more information, see Section 7.5, Migrating User Objects to the Identity Vault.

The following GCVs allow you to configure how the Identity Governance driver and Identity Manager synchronize user objects.

Publisher User Object Placement

Specifies the container in the Identity Vault that stores the users created by the driver. When attempting to match Identity Governance identities with Identity Manager identities, the Identity Governance driver looks first in this sub-tree to determine whether an identity from Identity Governance already exists in Identity Manager. The driver recognizes a matched identity by its Distinguished Name value in Identity Manager. When the driver creates new users in the Identity Vault, this policy writes the GUID of the Identity Governance user object to a value of the DirXML-Accounts attribute on the user object.

The default value is \data\users\arusers. Specify a different folder than the one that contains identities imported from connected systems. When you use separate folders for identities from systems connected to Identity Manager and identities from Identity Governance, you can efficiently remove users collected from Identity Governance.

Publisher User Object Deletion

Provides options for how Identity Manager responds when an identity is deleted from Identity Governance. When the driver communicates the delete event to Identity Manager, you can configure Identity Manager to perform one of the following actions:

  • Remove Association: Removes the DirXML association for the identity between Identity Manager and Identity Governance. The user object remains in the Identity Vault.

  • Disable Users, Remove Association: (Default setting) Breaks the relationship for the identity between Identity Manager and Identity Governance. Identity Manager disables the user object. This is the only time the driver can set or reset the Login Disabled flag for a user object in Identity Manager.

  • Delete Users: Deletes the user object from the Identity Vault.

For more information about configuring GCVs in a driver, see When and How to Use Global Configuration Values in the NetIQ Identity Manager Driver Administration Guide.
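The two GCVs above describe where driver-created users land and what state a deleted identity should be left in, but they say nothing about how to verify that state afterwards. The following audit script is an added example, not code from NetIQ or from the Identity Governance driver. It parses an LDIF export of the placement container and classifies each user by whether it is still associated with the driver and whether Login Disabled is set. Everything about the directory layout is an assumption: that \data\users\arusers exports as `ou=arusers,ou=users,o=data`, that associations appear in `DirXML-Associations` in the eDirectory form `<driver DN>#<state>#<value>`, that Login Disabled is exported as `loginDisabled` with `TRUE`/`FALSE`, and that the driver DN is a placeholder. The sample LDIF is constructed.

```python
"""Audit an LDIF export of the Identity Governance user container.

Added example, not NetIQ or driver code. Classifies each exported user by
association state and Login Disabled so the effect of the Publisher User Object
Deletion option can be checked. Assumed (not from the documentation): the
container \\data\\users\\arusers exports as ou=arusers,ou=users,o=data;
associations are in DirXML-Associations as "<driver DN>#<state>#<value>";
Login Disabled is the attribute loginDisabled (TRUE/FALSE); the driver DN below
is a placeholder.
"""
import base64
from typing import Dict, List

IG_DRIVER_DN = "cn=IG-Driver,cn=driverset1,o=system"   # placeholder DN, assumed
PLACEMENT_DN = "ou=arusers,ou=users,o=data"             # assumed LDAP form of \data\users\arusers

# Constructed sample export: five users in different post-sync states.
SAMPLE_LDIF = """\
dn: cn=alice,ou=arusers,ou=users,o=data
objectClass: inetOrgPerson
cn: alice
DirXML-Associations: cn=IG-Driver,cn=driverset1,o=system#1#a1b2c3
loginDisabled: FALSE

dn: cn=bob,ou=arusers,ou=users,o=data
objectClass: inetOrgPerson
cn: bob
loginDisabled: TRUE

dn: cn=carol,ou=arusers,ou=users,o=data
objectClass: inetOrgPerson
cn: carol
DirXML-Associations: cn=IG-Driver,cn=driverset1,o=system#1#d4e5f6
loginDisabled: TRUE

dn: cn=dave,ou=users,o=data
objectClass: inetOrgPerson
cn: dave
DirXML-Associations: cn=IG-Driver,cn=driverset1,o=system#1#778899

dn: cn=erin,ou=arusers,ou=users,o=data
objectClass: inetOrgPerson
cn:: ZXJpbg==
loginDisabled: FALSE
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: a blank line ends an entry, a leading space folds a
    line onto the previous value, '::' marks a base64 value. Folded base64
    values are not supported. Attribute names are kept exactly as exported."""
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:        # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        if value.startswith(":"):                     # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
        last_attr = name
    if current:
        entries.append(current)
    return entries


def classify(entry: Entry, driver_dn: str = IG_DRIVER_DN,
             placement_dn: str = PLACEMENT_DN) -> str:
    """Map one user to the state the deletion policy should have left it in."""
    dn = entry["dn"][0]
    in_container = dn.lower().endswith("," + placement_dn.lower())
    associated = any(
        a.split("#", 1)[0].strip().lower() == driver_dn.lower()
        for a in entry.get("DirXML-Associations", [])
    )
    disabled = entry.get("loginDisabled", ["FALSE"])[0].strip().upper() == "TRUE"
    if not in_container:
        # An associated user outside the placement container means matching
        # will never find it there; worth a look either way.
        return "outside-placement-container" if associated else "not-in-scope"
    if associated and not disabled:
        return "active"
    if not associated and disabled:
        return "disabled-unlinked"    # expected after the default deletion option
    if not associated and not disabled:
        return "unlinked"             # expected after "Remove Association"
    return "disabled-still-linked"    # not a state the deletion options produce; review


def audit(ldif_text: str) -> Dict[str, List[str]]:
    """Group every user DN in the export under its classification."""
    result: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:
            continue
        result.setdefault(classify(entry), []).append(entry["dn"][0])
    return result


if __name__ == "__main__":
    for label, dns in audit(SAMPLE_LDIF).items():
        print(f"{label}: {', '.join(dns)}")
```

Run it against an LDIF export of the placement container and compare the buckets with the option you chose: after a delete event the default option should leave users in `disabled-unlinked`, Remove Association should leave them in `unlinked`, and Delete Users should leave no entry at all. Users that turn up as `disabled-still-linked` did not get there through this policy, since the driver only sets Login Disabled when it also removes the association, so they deserve a separate look.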

7.4.2 Synchronizing Resource Objects

The Publisher Resource Object Unlink GCV specifies how Identity Manager responds when you remove an application source from Identity Governance. This policy has the following options:

  • Delete Unlinked Resources: Deletes the application and its associated permissions and permission resources from Identity Manager.

  • Keep Unlinked Resources: (Default setting) Flags the application resources in Identity Manager to indicate that your organization is no longer interested in the application.

This policy also applies when you deselect Reflect permissions and assignments as resources in Identity Manager for the application in Identity Governance. For more information about reflecting permissions, see the following sections: