
Automatic account attachment examples

The following use cases show how to configure target systems and a scenario component to achieve automatic account association.

Account name on the secondary target matches the user profile ID

In this example, Active Directory is configured as a source of profiles and a Linux system is configured as a secondary (non-source of profiles) target system. The Active Directory account name is "johndoe", and the Linux target account name is "johndoe".

No additional configuration is required for this scenario. Run auto discovery to associate accounts with user profiles. Click Manage the system > Maintenance > Auto discovery > Execute auto discovery.

Account name on secondary target matches account attribute on source of profiles

In this example, Active Directory is configured as a source of profiles and LDAP is configured as a secondary target. Active Directory accounts have an email address stored in the "mail" account attribute, whereas the LDAP target uses the same email address as the account name.

  • AD account name: johndoe

  • Email address stored in the "mail" attribute of the AD account: john.doe@organization.com

  • LDAP account name: john.doe@organization.com

Configure the AssocID attribute

  1. Log in to the Bravura Security Fabric Front-end (PSF) as superuser.

  2. Install the Scenario.im_corp_loaddb component.

  3. From the main menu, click Manage external data store.

  4. Configure the assocID attribute in the hid_global_configuration extdb table as shown below.

    [Figure: associd-config]

Configure the Active Directory mail account attribute

  1. Navigate to Manage the system > Resources > Account attributes > Target system > AD > Defaults.

  2. Find the "mail" account attribute.

  3. Click Override.

  4. Enable the Load attribute values from target system option.

  5. Click Update to save the changes.

  6. Run auto discovery to associate accounts with user profiles. Click Manage the system > Maintenance > Auto discovery > Execute auto discovery.

Account attribute on the secondary target matches an account attribute value on source of profiles

In this example, Active Directory is configured as a source of profiles and LDAP is configured as a secondary (non-source of profiles) target. Active Directory accounts have an employee ID stored in the "employeeID" account attribute, whereas the LDAP target has the same value in the "employeeNumber" account attribute.

  • AD account name: johndoe

  • Employee ID stored in the employeeID attribute of the AD account: 123456

  • LDAP account name: jdoe

  • Employee ID stored in the employeeNumber attribute of the LDAP account: 123456

Configure the AssocID attribute

  1. Log in to the Bravura Security Fabric Front-end (PSF) as superuser.

  2. Install the Scenario.im_corp_loaddb component.

  3. From the main menu, click Manage external data store.

  4. Configure the assocID attribute in the hid_global_configuration extdb table as shown below.

    [Figure: assocID-employeeID]

Configure the employeeID attribute on Active Directory

  1. Navigate to Manage the system > Resources > Account attributes > Target system > AD > Defaults.

  2. Find the "employeeID" account attribute.

  3. Click Override.

  4. Enable the Load attribute values from target system option.

  5. Click Update to save the changes.

Configure the employeeNumber attribute on LDAP

  1. Navigate to Manage the system > Resources > Account attributes > Target system > LDAP.

  2. Click Add new on the Target system level overrides tab.

  3. Set the attribute ID to employeeNumber.

  4. Enable the Load attribute values from target system option.

  5. Click Update to save the changes.

Configure the LDAP target association setting

  1. Navigate to Manage the system > Resources > Target systems > Manually defined > LDAP.

  2. Set the Account attribute to automatically attach accounts to user profiles parameter to employeeNumber.

  3. Click Update to save the changes.

Run auto discovery to associate accounts with user profiles. Click Manage the system > Maintenance > Auto discovery > Execute auto discovery.
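The three matching rules above (account name equals profile ID, account name equals a source attribute, target attribute equals source attribute) are all one lookup: index the profiles by their association key, then look up each secondary-target account by its own key. The Python below is an added illustration, not Bravura Security Fabric code; the account data, the `attach` function and the scenario helpers are constructed here. It also shows the two conditions that leave an account unattached after auto discovery: no profile carries the key, or several profiles share it.

```python
# Added illustration, not Bravura Security Fabric code: models the page's three
# attachment rules and reports accounts that cannot be attached unambiguously.
from collections import defaultdict

# Constructed AD (source of profiles) accounts: profile ID -> account attributes.
AD_ACCOUNTS = {
    "johndoe": {"mail": "john.doe@organization.com", "employeeID": "123456"},
    "asmith": {"mail": "a.smith@organization.com", "employeeID": "123457"},
    "bjones": {"mail": "a.smith@organization.com", "employeeID": "123458"},  # shares a mail value
}

def attach(profiles, accounts, source_attr=None, target_attr=None):
    """Return (attached, unmatched, ambiguous) for one secondary target.

    profiles:    {profile_id: {attr: value}} from the source of profiles.
    accounts:    {account_name: {attr: value}} from the secondary target.
    source_attr: profile attribute to match on (None = the profile ID itself).
    target_attr: account attribute to match on (None = the account name itself).
    """
    # Index profiles by their association key. A key shared by several
    # profiles cannot be attached safely, so such accounts are reported as ambiguous.
    by_key = defaultdict(list)
    for pid, attrs in profiles.items():
        key = pid if source_attr is None else attrs.get(source_attr)
        if key:
            by_key[key].append(pid)
    attached, unmatched, ambiguous = {}, [], []
    for name, attrs in accounts.items():
        key = name if target_attr is None else attrs.get(target_attr)
        owners = by_key.get(key, [])
        if len(owners) == 1:
            attached[name] = owners[0]
        elif owners:
            ambiguous.append(name)  # several profiles share this key
        else:
            unmatched.append(name)  # nothing to attach to
    return attached, unmatched, ambiguous

def scenario_1():  # Linux account name equals the profile ID
    return attach(AD_ACCOUNTS, {"johndoe": {}, "root": {}})

def scenario_2():  # LDAP account name equals the AD "mail" attribute
    ldap = {"john.doe@organization.com": {}, "a.smith@organization.com": {}}
    return attach(AD_ACCOUNTS, ldap, source_attr="mail")

def scenario_3():  # LDAP employeeNumber equals the AD employeeID
    ldap = {"jdoe": {"employeeNumber": "123456"}, "x1": {"employeeNumber": "999999"}}
    return attach(AD_ACCOUNTS, ldap, source_attr="employeeID", target_attr="employeeNumber")
```

Running the same check against an export of the real attribute values before auto discovery shows which accounts will stay unattached and why, which is cheaper than forcing a recalculation afterwards.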

Troubleshooting automatic account assignment

In any of the above scenarios, if account association fails for any reason after running auto discovery, use the following command to "force" the account association recalculation. From the util directory:

dbcmd -call -p LoaddbResyncAdd -param "\"A\" \"AD\" \"\" \"\" \"\" \"\" \"\" \"\""

Note that the command does not return any message unless there was an error.

This command should be used only once; it raises an internal flag for Bravura Security Fabric to clear any caches and skip the standard performance optimization logic the next time it runs auto discovery. If account association is still not established after the next auto discovery, contact Bravura Security support.