Some default CA Identity Manager tasks include events, actions that CA Identity Manager performs to complete a task, that determines provisioning role membership. For example, the default Modify User task includes the AssignProvisioningRoleEvent and the RevokeProvisioningRoleEvent. Assigning or revoking a provisioning role may add or remove an account on an endpoint. In some cases, the endpoint may require that all Add actions occur before Remove actions.
To make CA Identity Manager process Add actions first, you enable the Accumulation of Provisioning Role Membership Events setting in the Management Console. When this setting is enabled, CA Identity Manager accumulates all of the Add and Remove actions into a single event, called the AccumulatedProvisioningRolesEvent. For example, if the Modify User task assigns a user to three provisioning roles and removes that user from two other provisioning roles, an AccumulatedProvisioningRolesEvent will be generated which contains five actions: 3 Add actions and 2 remove actions.
When this event executes, all Add actions are combined into a single operation and sent to the Provisioning Server for processing. Once processing of the Add actions completes, CA Identity Manager combines the Remove actions into a single operation and sends that operation to the Provisioning Server.
Enabling this setting affects the following CA Identity Manager functionality:
When an administrator adds or removes a user from a provisioning role using the Provisioning Roles tab, CA Identity Manager accumulates those actions into a single event.
All provisioning role membership events (AssignProvisioningRoleEvent or RevokeProvisioningRoleEvent ) that are generated as a result of an Identity Policy evaluation are accumulated into a single AccumulatedProvisioningRolesEvent. CA Identity Manager executes this event like any other secondary event. For example, consider an identity policy set that includes two identity policies: Policy A revokes membership in the Provisioning Role A and Policy B makes users members of Provisioning Role B. If CA Identity Manager determines that a user no longer satisfies Policy A, but now satisfies PolicyB, an AccumulatedProvisioningRolesEvent that contains two actions (one for the remove action and one for the add action) is generated. The Add action is executed first and then the Remove action is executed.
To view the status of the AccumulatedProvisioningRolesEvent and the status for each of the individual actions, use the View Submitted Tasks task to view event details.
If one of the individual actions fails, the status of the event is failed, which moves the task to a failed state.
You can associate a workflow process with the AccumulatedProvisioningRolesEvent. In this case, an approver can approve or reject the entire event, which approves or rejects each of the individual events.
Additional configuration is required to enable workflow for individual events within the AccumulatedProvisioningRolesEvent.
CA Identity Manager audits information about the AccumulatedProvisioningRolesEvent and each individual event.
Copyright © 2015 CA Technologies.
All rights reserved.