7.5 Migrating User Objects to the Identity Vault

The Identity Governance driver has an optional Publisher channel functionality that enables the driver to capture identities added to Identity Governance and then synchronize them with the Identity Vault. To ensure that synchronization does not create duplicate identities, the driver adds only the identities that do not have a value for the Distinguished Name attribute. It is recommended that you configure synchronization in the driver for matching identities between Identity Governance and Identity Manager.

However, you might have previously configured the driver to prevent identity synchronization and now need to change that decision. For example, you enabled synchronization after you collected a set of identities. Since the Publisher channel is event-driven, the driver publishes only the identities added to Identity Governance after you start synchronization. The only way to publish pre-existing identities to the Identity Vault is to migrate them using the Subscriber channel.

NOTE:

  • You cannot migrate identities if you have not configured synchronization. For more information about synchronizing identities, see Section 7.4.1, Synchronizing New User Objects.

  • Before starting user migration to the Identity Vault, enable Adds and Migrate Allowed in the driver configuration, and then restart the driver.

For more information, see the following sections:

7.5.1 Targeting Identities that Do Not Exist in Identity Manager

To support migration, the Identity Governance driver provides a full set of migration queries. The migration queries allow for wildcards for any of the supported schema attributes. In general, you should migrate only the identities that do not exist in the Identity Vault. For example, you might already have used the Identity Manager Identity Collector to collect identities from the Identity Vault. You would not want to migrate these identities since they already have user objects in the Identity Vault. The Identity Governance driver recognizes these synchronized identities by the value of their Distinguished Name attribute. To avoid duplicating identities, you can add the DirXML-Accounts attribute to the migration query. The DirXML-Accounts attribute has the following values:

  • false: When you set the value to false, the query targets only the identities in Identity Governance that do not have the Distinguished Name attribute value. Use this setting to identify the user objects that you want to create in the Identity Vault.

  • true: When you set the value to true, the query targets only the identities in Identity Governance with the Distinguished Name attribute value. Use this setting to find identities that have already been collected from Identity Manager.

To target all of the Identity Governance identities, regardless of whether they already exist in the Identity Vault, do not use the DirXML-Accounts attribute in the migration query.
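The following script is an added illustration of the DirXML-Accounts selection rules described above; it is not code from the Identity Governance driver or its documentation. The identity records are constructed sample data, the wildcard matching is shell-style (fnmatch) as an assumption about how the migration queries interpret wildcards, and the XDS query document built by build_migration_query is an assumed shape (nds/input/query with search-attr elements) rather than the exact syntax the driver emits; consult the driver documentation for the authoritative query format.

```python
"""Mirror of the DirXML-Accounts migration-query semantics.

Constructed example: the identity records and the XDS query shape are
illustrative assumptions, not data or output captured from the driver.
"""
from fnmatch import fnmatchcase
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample of Identity Governance identities. "Distinguished Name"
# is set only on identities that were collected from the Identity Vault.
# Turing has the attribute present but empty, which counts as "no value".
IDENTITIES = [
    {"Given Name": "Ada", "Surname": "Lovelace",
     "Distinguished Name": "cn=alovelace,ou=users,o=data"},
    {"Given Name": "Alan", "Surname": "Turing", "Distinguished Name": ""},
    {"Given Name": "Grace", "Surname": "Hopper"},
    {"Given Name": "Linus", "Surname": "Torvalds",
     "Distinguished Name": "cn=ltorvalds,ou=users,o=data"},
]


def has_vault_account(identity: dict) -> bool:
    """True when the identity already carries a Distinguished Name value,
    i.e. it was synchronized from the Identity Vault and must not be
    migrated again (this is what DirXML-Accounts=true selects)."""
    return bool(identity.get("Distinguished Name"))


def select_for_migration(identities, dirxml_accounts: Optional[bool] = None,
                         filters: Optional[dict] = None):
    """Apply the migration-query semantics to a list of identities.

    dirxml_accounts=False -> only identities without a Distinguished Name
    dirxml_accounts=True  -> only identities with a Distinguished Name
    dirxml_accounts=None  -> all identities (attribute omitted from the query)
    filters maps attribute name -> wildcard pattern, e.g. {"Surname": "T*"}.
    """
    filters = filters or {}
    selected = []
    for ident in identities:
        # DirXML-Accounts acts as the duplicate guard: skip identities whose
        # account state does not match the requested value.
        if dirxml_accounts is not None and has_vault_account(ident) != dirxml_accounts:
            continue
        # Every wildcard filter must match (assumed shell-style wildcards).
        if all(fnmatchcase(str(ident.get(attr, "")), pattern)
               for attr, pattern in filters.items()):
            selected.append(ident)
    return selected


def build_migration_query(dirxml_accounts: Optional[bool] = None,
                          filters: Optional[dict] = None) -> str:
    """Build an XDS-style query document for the same selection.

    Assumed shape: <nds><input><query class-name="User" scope="subtree">
    with one <search-attr> per filter; omitting DirXML-Accounts targets
    all identities, as the text above describes.
    """
    nds = ET.Element("nds", {"dtdversion": "4.0"})
    query = ET.SubElement(ET.SubElement(nds, "input"), "query",
                          {"class-name": "User", "scope": "subtree"})
    ET.SubElement(query, "search-class", {"class-name": "User"})
    if dirxml_accounts is not None:
        attr = ET.SubElement(query, "search-attr", {"attr-name": "DirXML-Accounts"})
        ET.SubElement(attr, "value").text = "true" if dirxml_accounts else "false"
    for name, pattern in (filters or {}).items():
        attr = ET.SubElement(query, "search-attr", {"attr-name": name})
        ET.SubElement(attr, "value").text = pattern
    return ET.tostring(nds, encoding="unicode")


if __name__ == "__main__":
    # Typical pre-migration check: which identities would be created?
    for ident in select_for_migration(IDENTITIES, dirxml_accounts=False):
        print("migrate:", ident["Given Name"], ident["Surname"])
    print(build_migration_query(dirxml_accounts=False, filters={"Surname": "T*"}))
```

Running the script lists only Turing and Hopper as migration candidates, because Lovelace and Torvalds already carry a Distinguished Name; an identity whose Distinguished Name attribute is present but empty is treated as having no value, which is the case the duplicate guard exists for.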

7.5.2 Adding Application Permissions after Migrating Identities

When you migrate identities to Identity Manager, the Identity Governance driver does not include any permission assignments associated with those identities. To add the permission assignments, you must enable reflection for the target application. The driver then uses the Publisher channel to synchronize the permissions and assignments. Each time you modify the application or change the published data for the application, the driver reflects the changes to Identity Manager. For more information, see the following sections: