20.6 Permission Reconciliation

The Permission Reconciliation page allows you to compute and publish the permission assignments between the Resource Catalog and connected systems.

Ensure that the drivers or entitlements are configured with CPRS settings to compute or publish.

IMPORTANT: CPRS computes all permission assignments for the selected driver or entitlement during collection. It does not filter the assignments based on the resource you configure for permission reconciliation on the Permission Reconciliation Settings page.

Perform the following actions to publish permissions for the selected driver or entitlement:

  1. Navigate to Administration > Permission Reconciliation.

  2. In Driver or Entitlement, select a driver or an entitlement that you wish to compute or publish.

    IMPORTANT: For a Fan-Out driver (for example, MDAD), select a Logical system. This option is displayed only for a Fan-Out driver. By default, the first Logical system is selected.

  3. Click to compute the difference in assignments between the Resource Catalog and the connected application.

    Click to view the process status. You can view the computed assignments data in the CPRS Assignments table only when the process is completed for the triggered event. Click All Assignments in CPRS Assignment to view the list of all computed assignments. For more information, see CPRS Assignments Table.

    NOTE: The time taken for computation depends on the number of assignments present in the connected application and Resource Catalog.

  4. Click to assign or revoke assignments to Resource Catalog.

    NOTE: Ensure that the assignment is associated with a resource.

  5. (Conditional) Click to view the process status of the selected entitlement.

    The PROCESS STATUS page lists the following columns:

    Column Name       Description
    Process Type      Specifies the type of processes that are initiated for the entitlement such as Compute or Publish
    Start Time        Specifies the start time of the process
    Completion Time   Specifies the completion time of the process
    Status            Specifies the status of the process. For example, Submitted, In Progress, Completed, or Error
    Message           Displays error messages (if any)

CPRS Assignments Table

When you select an entitlement on the Permission Reconciliation page, its assignments appear. If the computation has already been performed, all the assignments are displayed.

The following actions can be performed in the CPRS Assignment section:

  • From the list of displayed assignments, you can filter assignments based on name or permission.

  • View the assignments using the following options:

    • All Assignments: This option is selected by default. All the permissions (new and revoked) are displayed.

    • New Assignments: This option displays the permissions that are available in the application but not present in the Resource Catalog.

    • Revoked Assignments: This option displays the permissions that are present in the Identity Manager Resource Catalog but not in the application.

  • To publish one or more assignments to Resource Catalog, select the permission and click beside CPRS Assignments. Note that you can select and publish only those assignments which are configured for permission reconciliation. Other assignments for resources not present in the permission reconciliation settings may throw an error while publishing.

NOTE: By default, events generated by CPRS assignments do not flow to the Subscriber channel of the driver. This behavior is controlled by the Allow Entitlement event loopback from cprs to subscriber channel Engine Control Value. To change the default setting, set the control to True. For more information about Engine Control Values, see Engine Control Values in the NetIQ Identity Manager Driver Administration Guide.
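
The New and Revoked views described above, together with the rule that only assignments configured for permission reconciliation can be published, can be modeled as a set difference followed by a filter. This is an added conceptual example, not Identity Manager code; the Assignment type, the function names, the settings mapping, and all sample data are assumptions made for illustration.

```python
"""Conceptual model of CPRS compute and publish (added example, not product code)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Assignment:
    user: str
    permission: str


def compute(application, catalog):
    """Diff both sides. As the page notes, compute covers every assignment of
    the driver or entitlement; it is not filtered by the configured resources."""
    app, cat = set(application), set(catalog)
    return {
        "new": sorted(app - cat),      # in the application, not in the catalog
        "revoked": sorted(cat - app),  # in the catalog, not in the application
    }


def split_publishable(assignments, permission_to_resource):
    """Separate assignments whose permission maps to a configured resource
    from those that may fail on publish because no resource is configured."""
    ok = [a for a in assignments if a.permission in permission_to_resource]
    rejected = [a for a in assignments if a.permission not in permission_to_resource]
    return ok, rejected


# Constructed sample data (hypothetical users, permissions and resource names).
APPLICATION = [
    Assignment("alice", "Domain Admins"),
    Assignment("bob", "VPN Users"),
    Assignment("carol", "Backup Operators"),
]
CATALOG = [
    Assignment("bob", "VPN Users"),
    Assignment("dave", "VPN Users"),
]
# Hypothetical reconciliation settings: only these permissions have a resource.
SETTINGS = {"VPN Users": "VPN Access", "Domain Admins": "AD Administrator"}

if __name__ == "__main__":
    for view, rows in compute(APPLICATION, CATALOG).items():
        ok, rejected = split_publishable(rows, SETTINGS)
        print(view, "publishable:", ok, "not configured:", rejected)
```

In this model, the New view is the list of grants made directly in the connected application, which is the set an access reviewer would inspect before publishing it into the Resource Catalog.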