Permission Reconciliation page allows you to compute and publish the permission assignments between Resource Catalog and connected systems.
Ensure that the drivers or entitlements are configured with CPRS settings to compute or publish.
IMPORTANT:CPRS computes all permission assignments for the selected driver or entitlement during collection. It does not filter the assignments based on the resource you configure for permission reconciliation on the Permission Reconciliation Settings page.
Perform the following actions to publish permissions for the selected driver or entitlement:
Navigate to Administration > Permission Reconciliation.
In Driver or Entitlement, select a driver or an entitlement that you wish to compute or publish.
IMPORTANT:For a Fan-Out driver (for example MDAD), select a Logical system. This option is displayed only for Fan-Out driver. By default the first Logical system is selected.
Click to compute the difference in assignments between the Resource Catalog and the connected application.
Click to view the process status. You can view the computed assignments data in the CPRS Assignments table only when the process is completed for the triggered event. Click All Assignments in CPRS Assignment to view the list of all computed assignments. For more information, see CPRS Assignments Table.
NOTE:The time taken for computation depends on the number of assignments present in the connected application and Resource Catalog.
Click to assign or revoke assignments to Resource Catalog.
NOTE:Ensure that the assignment is associated with a resource.
(Conditional) Click to view the process status of the selected entitlement.
The PROCESS STATUS page lists the following columns:
Column Name |
Description |
---|---|
Process Type |
Specifies the type of processes that are initiated for the entitlement such as Compute or Publish |
Start Time |
Specifies the start time of the process |
Completion Time |
Specifies the completion time of the process |
Status |
Specifies the status of the process. For example, Submitted, In Progress, Completed, or Error |
Message |
Displays error messages (if any) |
On selecting an entitlement in the Permission Reconciliation page, the assignments appears. If the computation is already performed, all the assignments is displayed.
The following actions can be performed in the CPRS Assignment section:
From the list of displayed assignments, you can filter assignments based on name or permission.
View the assignments using the following options:
All Assignments: This option is selected by default. All the permissions (new and revoked) are displayed.
New Assignments: This option displays the permissions that are available in the application but not present in the Resource Catalog.
Revoked Assignments: This option displays the permissions that are present in Identity Manager resource catalog but not in the application.
To publish one or more assignments to Resource Catalog, select the permission and click beside CPRS Assignments. Note that you can select and publish only those assignments which are configured for permission reconciliation. Other assignments for resources not present in the permission reconciliation settings may throw an error while publishing.
NOTE:By default, events generated by CPRS assignments do not flow to the Subscriber channel of the driver. This behavior is controlled by Allow Entitlement event loopback from cprs to subscriber channel Engine Control Value. To change the default setting, change the control to True. For more information about Engine Control Values, see Engine Control Values in the NetIQ Identity Manager Driver Administration Guide.