Saturday, August 3, 2019

FeaturesString Available in Sailpoint IdenityIQ


Connector Features Supported 


The Application object also has a Feature enumeration, specified as the FeaturesString attribute of the application definition, which is used to control the functionality available through the connector.it tell what all the operation idenityIQ is configured to support for this connector.

Below are the list of the value that are possible for the FeaturesString
Application. Feature
Description
ACCOUNT_ONLY_REQUEST
The application supports requesting accounts without entitlements.
ADDITIONAL_ACCOUNT_REQUEST
The application supports requesting additional accounts.
AUTHENTICATE
The application supports pass through authentication.
COMPOSITE
The application supports composite application creation.
CURRENT_PASSWORD
Some application types support verification of the current password
DIRECT_PERMISSIONS
The application supports returning DirectPermissions.
DISCOVER_SCHEMA
The application supports discovering schemas for users and groups.
ENABLE
The application supports reading if an account is enabled or disabled.
GROUPS_HAVE_MEMBERS
The application models group memberships with a member
attribute on the group object rather than a groups attribute on
the account object.
MANAGER_LOOKUP
The application supports looking up managers as they are
encountered in a feed.
NO_AGGREGATION
An application that does not support aggregation.
NO_PERMISSIONS_PROVISIONING
Indicates that the connector cannot provision direct or target
permissions for accounts.
NO_RANDOM_ACCESS
The application does not support random access and the getObject()
methods should not be called and expected to perform.
PASSWORD
The application can provision password changes.
PROVISIONING
The application can both read and write accounts.
PROXY
The application can serve as a proxy for another application.
SEARCH

SYNC_PROVISIONING
The application can provision accounts synchronously.
UNLOCK
The application supports reading if an account is locked or unlocked.
UNSTRUCTURED_TARGETS
The application supports returning unstructured Targets.
Below are the List of the featurestring value when we configure OOTB Active Directory Connector
featuresString
PROVISIONING
SYNC_PROVISIONING
AUTHENTICATE
MANAGER_LOOKUP
SEARCH
UNSTRUCTURED_TARGETS
UNLOCK
ENABLE
PASSWORD
CURRENT_PASSWORD
Posted by at
Labels: , , , , , , , , , ,

3 comments:

  1. UnknownMarch 22, 2021 at 3:59 AM

    My requirement is to Limit the AD Connector operations to READ on Aggregate and for PROVISIONING,

    do not want any AD Attribute to be modified except memberOf.
    do not want to create,disable,enable,unlock,delete or change passwords for users in AD.
    only want to add them to specific AD Groups.
    To achieve these requirements will it possible to change featuresString or do we required further customization? Looking for your suggestion.

    Regards,

    Kannan

    ReplyDelete
    Replies
    1. Vishal KejriwalMarch 22, 2021 at 12:53 PM

      As long as you haven't done any identity mapping or doing anything in before provisioning rule system will not modify any attribute in AD , what you need to do is Aggregate the data user and groups and make groups as requestable also in after provisioning rule add the check if the operation is create reject the request.

      Now if you want to perform the similar thing as the Birthright group what you can do is when you aggregate the account put the flag as isAD provioned as true and in Assignment rule/condition you can add the same condition.

      Delete
  2. LakshmiJanuary 27, 2023 at 10:00 AM

    Vishal could you elaborate this

    ReplyDelete

Subscribe to: Post Comments (Atom)