RSA Identity and Access Management Platform Onboarding Cloud ...
Notice
Contact Information
Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm. For sales information, contact RSA Aveksa, Inc. at [email protected]. For technical support, contact RSA Aveksa, Inc. at [email protected]. For more information about RSA Aveksa, Inc., visit http://www.aveksa.com.
Trademarks
RSA, the RSA Logo, Aveksa, and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.
License Agreement
This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.
No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.
This software is subject to change without notice and should not be construed as a commitment by EMC.
Third-Party Licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed by launching the RSA Aveksa product and selecting the About menu.
Note on Encryption Technologies
This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.
Distribution
Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright © 2013 EMC Corporation. All Rights Reserved. Published in the USA.
December 2013
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
How This Guide Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Chapter 1: Onboarding with the Application Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Using the Create Application Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 2: Salesforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Set Up Salesforce for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Create a Salesforce Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Configure Salesforce Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . 15
Salesforce Connection Configuration Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configure the Salesforce Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configure the Salesforce Entitlement Data Collector . . . . . . . . . . . . . . . . . . . . . . . . . 17
How Entitlements in Salesforce Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . 18
Collected Account Data Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Collected Group Data Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Collected Entitlement Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Set Up the AFX Salesforce Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Create the Salesforce Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Associate the Account Template to the Salesforce Application . . . . . . . . . . . . . . . . . . 24
Discover the Salesforce Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . 24
Bind the Connector to the Salesforce Application . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Chapter 3: Google Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Set Up Google Apps for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configure Google Apps for Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Create a Google Apps Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Configure Google Apps Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . 30
Configure the Google Apps Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Configure the Google Apps Entitlement Data Collector . . . . . . . . . . . . . . . . . . . . . . . . 32
How Entitlements in Google Apps Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . 33
Set Up the AFX Google Apps Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Create the Google Apps Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Associate the Account Template to the Google Apps Application . . . . . . . . . . . . . . . . . 36
Discover the Google Apps Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . 36
Bind the Connector to the Google Apps Application . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Chapter 4: NetSuite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Set Up NetSuite for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Create a NetSuite Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configure NetSuite Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . . . 42
Configure the NetSuite Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Configure the NetSuite Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
How Entitlements in NetSuite Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . . 44
Set Up the AFX NetSuite Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
How to Prepare NetSuite for AFX Automatic Fulfillment . . . . . . . . . . . . . . . . . . . . . . . 45
Create the NetSuite Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Associate the Account Template to the NetSuite Application . . . . . . . . . . . . . . . . . . . . 47
Discover and Map the NetSuite Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . 47
Bind the Connector to the NetSuite Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Chapter 5: Amazon Web Services (AWS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Get Security Credentials from AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Create an AWS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configure AWS Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configure the AWS Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configure the AWS Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
How Entitlements in AWS Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Set Up the AFX AWS Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Create the AWS Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Associate the Account Template to the AWS Application . . . . . . . . . . . . . . . . . . . . . . 55
Discover and Map the AWS Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . 56
Bind the Connector to the AWS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Chapter 6: ServiceNow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Set Up ServiceNow for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Configure ServiceNow Properties for Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Enable WS Security on the ServiceNow Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Create a ServiceNow Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Configure ServiceNow Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . 63
ServiceNow Connection Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Enabling WS Security for a ServiceNow Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configure the ServiceNow Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Configure the ServiceNow Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
How Entitlements in ServiceNow Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . 66
Account Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Collected Group Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Entitlement Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Application Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Data Collection Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Setup the AFX ServiceNow Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Create the ServiceNow Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Associate the Account Template to the ServiceNow Application . . . . . . . . . . . . . . . . . 73
Discover and Map the ServiceNow Connector in RSA IAM Platform . . . . . . . . . . . . . . . 74
Bind the Connector to the ServiceNow Application . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Chapter 7: Zendesk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Set Up Zendesk for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Create a Zendesk Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
About Privileges for the Zendesk Service Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configure Zendesk Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . . . 79
Configure the Zendesk Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configure the Zendesk Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
How Entitlements in Zendesk Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . . 81
Account Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Collected Group Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Entitlement Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Setup the AFX Zendesk Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Create the Zendesk Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Associate the Account Template to the Zendesk Application . . . . . . . . . . . . . . . . . . . . 85
Discover and Map the Zendesk Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . 86
Bind the Connector to the Zendesk Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Preface
Audience
This guide is intended for administrators authorized to create and manage data collectors and AFX connectors for cloud applications.
Note: You require an Access Fulfillment Express license to use AFX to create auto-fulfillment connectors. Contact an RSA sales representative for more information.
How This Guide Is Organized
Wizard-based onboarding is covered in:
Chapter 1, “Onboarding with the Application Wizard,” on page 9
Data collector and AFX auto-fulfillment connector configuration instructions are organized in this guide by cloud application as follows:
• Chapter 2, “Salesforce,” on page 13
• Chapter 3, “Google Apps,” on page 27
• Chapter 4, “NetSuite,” on page 39
• Chapter 5, “Amazon Web Services (AWS),” on page 51
• Chapter 6, “ServiceNow,” on page 59
• Chapter 7, “Zendesk,” on page 77
Text Conventions
This guide uses the following text conventions:
Element                                      Convention Used                              Example
Variables (the user supplies a value         Courier and italic in angle brackets (<>)    Enter the following: DISPLAY=<workstation name>:0.0 export display
for the variable)
On-screen text                               Courier                                      The following line displays: path="/audit"
User-typed text                              Courier                                      Enter the following path name: /etc/init.d/
Cross-references                             Underlined and hypertext-blue                See "Related Documents" on page 8.
References to documents (title and number)   Italic                                       Installation Guide
Related Documents
Other documents in the RSA Identity and Access Management Platform (RSA IAM Platform) document set include:
• Installation and Upgrade Guide
• Database Setup and Management Guide
• Installation and Upgrade on WebSphere Guide
• Installation and Upgrade on WebLogic Guide
• Administrators Guide
• User Tasks Guide
• Collectors Guide
• Business Role Manager Guide
• Access Request Manager Guide
• Data Access Governance Guide
• Access Fulfillment Express Guide
• Access Fulfillment Express Connector Configuration Guide
• Public Database Schema Reference
• Novell Identity Manager Integration Guide
• Sun Identity Manager Integration Guide
• IBM Tivoli Identity Manager Integration Guide
Chapter 1: Onboarding with the Application Wizard
Content
• “Introduction” on page 10
• “Using the Create Application Wizard” on page 10
Introduction
This guide describes how to onboard cloud applications manually (the "traditional" way) by creating the applications, any additional attributes that must be collected for the applications, the data collectors for the applications, and, if applicable, the AFX auto-fulfillment connectors. This chapter describes how to complete that entire onboarding process using the application wizards.
The wizard for each application creates a specific set of components (attributes, collectors, and, if applicable, AFX connectors) for an application using all of the specifications cited in the cloud application chapters in this guide. If you want to control what is created, create the application and its other components manually as described in the other chapters of this guide. You may, for example, not want additional attributes created for an application, or you may want to create and collect additional attributes that the wizard does not create and that the collectors it creates do not collect.
Using the Create Application Wizard
Note: See the cloud application chapters in this guide to review the application components (attributes, collectors, and so on) that the application wizards are designed to create.
Before you use a wizard to onboard a cloud application, you must obtain the credentials required to access the application. After the wizard has created its objects, you can modify any of them as necessary.
To use the application wizard to onboard an application:
1. Click the Resources tab and select Applications.
2. Click Create Application.
A list of cloud application names appears.
Note: The Other Applications option lets you create an application manually. See “Creating Applications” on page 150 in the Administrators Guide for more information. See the remaining chapters in this guide for information on how to manually onboard cloud applications.
3. Select the application you want to create, and then click Next.
The Remote Application Setup window appears.
4. Provide access credentials required to connect to the application, and then click Next.
The Connect window appears.
5. Enter a name for the application, and enter the connection settings and any other required settings. If multiple AFX servers are available, you can select a particular server from the Enter the AFX Server drop-down selection field; otherwise, the single AFX server is displayed. See the Access Fulfillment Express Guide for more information on AFX servers.
6. Click the Test Connection button to confirm you have entered correct connection settings, and then click Next. (Correct connection settings if the test failed. You cannot proceed through the wizard if the connection settings are incorrect.)
The Confirm Changes window appears.
7. Review the components the wizard is designed to create, and, if no changes are required, then click Next.
The Change Summary window appears. It indicates the components the wizard created. Click Close to exit the wizard.
Chapter 2: Salesforce
Content
• “Set Up Salesforce for Onboarding” on page 14
• “Data Collection Prerequisites” on page 14
• “Configure Salesforce Account and Entitlement Data Collectors” on page 15
• “How Entitlements in Salesforce Appear in RSA IAM Platform” on page 18
• “Set Up the AFX Salesforce Connector” on page 21
Set Up Salesforce for Onboarding
You must create a Salesforce user so that the data collectors can access Salesforce data through the Salesforce API and AFX can auto-fulfill approved change requests. Create a dedicated user (integration user) solely for integration purposes. Assign this user a dedicated profile with the following permissions selected:
• API Enabled
• Modify All Data (This is needed for AFX fulfillment; it is not mandatory if only collection is required.)
Data Collection Prerequisites
Complete the following tasks before you create Salesforce data collectors:
• Create a Salesforce application in RSA IAM Platform.
• Define additional attributes you require for Salesforce objects in RSA IAM Platform that you want to collect from Salesforce.
Create a Salesforce Application
You must create a "Salesforce" application object in RSA IAM Platform with which you will associate the Salesforce data collectors and an AFX auto-fulfillment connector.
To create the Salesforce application:
1. Select Resources > Applications > Create Application > Other Application.
2. Application Name: Salesforce.
See the Administrators Guide for more information on how to create and manage applications.
Define Additional Attributes
If you want to collect all available data from Salesforce, you can define a set of additional attributes for the following objects in RSA IAM Platform:
• Account
• Application Role
• Group
See the Administrators Guide for more information on how to create and manage attributes.
To define attributes:
1. Select Admin > Attributes.
2. Select the Account tab and add the following attributes:
Attribute Name      Data Type  Database ID      Data Source  In Detail  In Popup  Mandatory
External Id         String     <use available>  Collected    No         No        No
Email               String     <use available>  Collected    Yes        Yes       No
Is Active           String     <use available>  Collected    Yes        Yes       No
User Role Id        String     <use available>  Collected    No         No        No
User Role Name      String     <use available>  Collected    Yes        Yes       No
3. Select the Group tab and add the following attributes:
Attribute Name      Data Type  Database ID      Data Source  In Detail  In Popup  Mandatory
External Id         String     <use available>  Collected    No         No        No
Email               String     <use available>  Collected    Yes        Yes       No
Type                String     <use available>  Collected    Yes        Yes       No
4. Select the Application Role tab and add the following attributes:
Attribute Name      Data Type  Database ID      Data Source  In Detail  In Popup  Mandatory
External Id         String     <use available>  Collected    No         No        No
Type                String     <use available>  Collected    Yes        Yes       No
User Type           String     <use available>  Collected    Yes        Yes       No
User License Id     String     <use available>  Collected    No         No        No
User License Name   String     <use available>  Collected    Yes        Yes       No
Configure Salesforce Account and Entitlement Data Collectors
This section describes how to configure an account data collector and an entitlement data collector for the Salesforce application.
Note: This section's configuration examples are based on the assumption that all of the attributes cited in "Define Additional Attributes" on page 14 were in fact defined.
Salesforce Connection Configuration Specifications
You require the following information to create Salesforce collectors:
Parameter               Description
URL                     Base URL of the Salesforce instance. For example: https://ap1.salesforce.com.
Username                Username for the user created for integration.
Password                Password for the user created for integration.
Security Token          Security token for the user created for integration. A security token is an automatically generated key required for log in to Salesforce from an untrusted network. If the network is trusted by Salesforce, you are not required to provide this token.
Salesforce API Version  The Salesforce API version supported by the Salesforce instance.
Configure the Salesforce Account Collector
This section describes how to configure an account collector for the Salesforce application.
To configure the collector:
1. From the Salesforce application's Collectors tab, click Create Account Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description Page
- Collector Name: <Name of Salesforce ADC>
- Data Source Type: Salesforce
• Configuration Information
- Salesforce Instance URL: <Enter the Salesforce Instance URL specified in WSDL under the node "soap:address.">
- Target Namespace: <Enter the target namespace specified in WSDL under node "definitions" attribute "targetNamespace.">
- Salesforce API URL: <Base URL of the Salesforce instance API Access. For example, https://ap1.salesforce.com>
- Username: <username>
- Password: <password>
- Security Token: <security token>
- Salesforce API version: <Salesforce API Version>
• Map Collector Attributes to Account Mapping Attributes
- User Reference: Email
• Map Collector Attributes to Account Attributes
- Last Login Date: LastLoginDate
- Email: Email
- External Id: ID
- Is Active: IsActive
- User role id: UserRoleId
- User role name: UserRoleName
• Map Collector Attributes to Group Attributes
- Email: GroupEmail
- External Id: GroupId
- Owner: GroupOwnerId
- Type: GroupType
• Edit User Resolution Rules
- Target Collector: <Name of the IDC that collects Salesforce users>
- User Attribute: Email Address
• Edit Member Account Resolution Rules
- Target collector: <Name of Salesforce ADC>
- Account Attribute: Account Name
• Edit Sub-Group Resolution Rules
- Target collector: <Name of Salesforce ADC>
- Group Attribute: Name
Configure the Salesforce Entitlement Data Collector
This section describes how to configure an entitlement collector for the Salesforce application.
To configure the collector:
1. From the Salesforce application’s Collectors tab, click Create Entitlement Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description Page
- Collector Name: <Name of Salesforce EDC>
- Data Source Type: Salesforce
• Configuration Information
- Instance URL: <Enter the Salesforce Instance URL specified in WSDL under the node "soap:address.">
- Target Namespace: <Enter target namespace specified in WSDL under node "definitions" attribute "targetNamespace.">
- Salesforce API URL: <Salesforce API URL>
- Username: <username>
- Password: <password>
- Security Token: <security token>
- Salesforce API version: <Salesforce API Version>
• Map Collector Attributes to App Role Attributes
- External Id: ID
- Type: AppRoleType
- User license id: UserLicenseId
- User license name: UserLicenseName
- User type: UserType
• Account Evaluation
- Associated account collector: <Name of Salesforce ADC>
- Account value evaluated to: Account Name
How Entitlements in Salesforce Appear in RSA IAM Platform
This section describes how Salesforce attributes are mapped to RSA IAM Platform attributes.
Collected Account Data Mapping
The Salesforce account collector gathers account and group-related information from the "User," "Group," "GroupMember," and "UserRole" objects of the Salesforce instance. RSA IAM Platform stores this information in its “Account” and “Group” objects.
Account Name
The User.Username attribute is used as the account name in the account collector.
Account Attribute Mapping
The following table lists the mappings between Salesforce account attributes and RSA IAM Platform object attributes:
Salesforce Attributes  ACM Attributes           Description
User.Id                Account.External Id      Unique ID provided by Salesforce to each user object.
User.Email             Account.Email            Email address of the Salesforce user.
User.LastLoginDate     Account.Last Login Date  Last login date of the Salesforce user.
User.UserRoleId        Account.UserRoleId       User's role ID.
UserRole.Name          Account.UserRoleName     User's role name.
User.IsActive          Account.IsActive         Indication of whether the user's account in Salesforce is active or not.
Account-User Resolution
One of the following attributes can be used for account to user mapping:
• Username (Preferred because it is unique for all users in the Salesforce instance)
• Email
Note: In most cases Username and Email are identical. Because, however, Salesforce includes both fields and each can have a different value, each is collected and available for mapping as an alternative to the other.
Collected Group Data Mapping
The Salesforce account collector gathers all group data from Salesforce. Salesforce has different types of groups. "Regular" groups are created and managed by a Salesforce administrator; other groups are created by Salesforce automatically. For example, Salesforce creates a group for each user role and uses it internally when any role-based group is created.
Group Name
The Group.Name attribute is used as the group name in the account collector. If the group name is not present (as is the case for internal Salesforce groups of type "Role," "RoleAndSubordinates," and "Organization"), the group name is generated as follows:
• For the "Role" and "RoleAndSubordinates" group types, the group name will be "GROUP.TYPE : ROLE.NAME."
• For the "Organization" group type, the group name will be "Organization" because only one such group, having all employees of the organization as members, exists.
Onboarding Cloud Applications Guide 19
Group Attribute Mapping
The following table lists the mappings between Salesforce group attributes and RSA IAM Platform object attributes:
Salesforce Attributes | ACM Attributes | Description
--- | --- | ---
Group.Id | Group.External Id | Unique ID provided by Salesforce to each Group object.
Group.Email | Group.Email | Group email ID.
Group.OwnerId | Group.OwnerId | Group owner. In Salesforce, Group.OwnerId refers to the User.Id field of Salesforce's user object. In RSA IAM Platform it is converted to User.Username (which is used as the Account Name for the account).
Group.Type | Group.Type | Group type: Role, RoleAndSubordinates, Regular, etc.
Group-Account and Group-Subgroup Resolutions
Groups can have accounts and other groups as members. Group members are added based on the group member mapping present in Salesforce's GroupMember object. In addition, the following members are added based on group type:
• The “Role” group type — All users that have the role specified for that group are members of the group.
• The “RoleAndSubordinates” group type — All users that have the role specified for the group, and all subordinates of that role, are added as group members.
• The “Organization” group type — All users in the organization are members of this group.
Group Membership Resolution
For Group-Account mapping, the account's Account Name should be used.
Subgroup Resolution
For Group-Subgroup mapping, the group Name should be used.
Collected Entitlement Data Collector Mapping
The Salesforce entitlement collector gathers entitlement data from the "Profile," "PermissionSet," "PermissionSetAssignment," and "User" objects of the Salesforce instance. RSA IAM Platform stores this information in its application role object. It also maps application roles to the accounts collected by the Salesforce account collector.
Application Role
Profiles and Permission Sets in Salesforce are defined as application roles in RSA IAM Platform.
Application Role Name
The Profile.Name and PermissionSet.Name attributes are used for the application role name.
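The group naming rule under “Group Name” and the type-dependent membership rule under “Group-Account and Group-Subgroup Resolutions” above are easy to get wrong when checking what a collector produced. The following Python is an added example, not code from the RSA guide or from the Salesforce collector: it models the relevant Salesforce objects with small dataclasses, derives group names the way the text describes, and resolves members for each group type, including the role hierarchy walk needed for “RoleAndSubordinates”. The role, user and group records are constructed, and the field that links an internal group to its role is assumed (named related_id here).

```python
# Added example (not from the RSA guide): deriving Salesforce group names and
# resolving group membership by group type. Sample data is constructed.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    id: str
    name: str                          # UserRole.Name
    parent_id: Optional[str]           # parent role in the hierarchy (assumed field)


@dataclass(frozen=True)
class User:
    id: str
    username: str                      # User.Username, used as the Account Name
    role_id: Optional[str]             # User.UserRoleId


@dataclass(frozen=True)
class Group:
    id: str
    type: str                          # Group.Type
    name: Optional[str] = None         # Group.Name; empty for internal groups
    related_id: Optional[str] = None   # role the internal group was created for (assumed)


def group_name(group: Group, roles: dict[str, Role]) -> str:
    """Group.Name if present, otherwise the generated name for internal groups."""
    if group.name:
        return group.name
    if group.type in ("Role", "RoleAndSubordinates"):
        return f"{group.type} : {roles[group.related_id].name}"   # GROUP.TYPE : ROLE.NAME
    if group.type == "Organization":
        return "Organization"                                      # only one such group
    raise ValueError(f"group {group.id} of type {group.type} has no name")


def subordinate_roles(role_id: str, roles: dict[str, Role]) -> set[str]:
    """Every role below role_id in the hierarchy, transitively."""
    found = set()
    frontier = [role_id]
    while frontier:
        parent = frontier.pop()
        for role in roles.values():
            if role.parent_id == parent and role.id not in found:
                found.add(role.id)
                frontier.append(role.id)
    return found


def group_members(group: Group, users: list[User], roles: dict[str, Role],
                  group_member_rows: dict[str, list[str]]) -> list[str]:
    """Explicit GroupMember rows plus the members implied by the group type."""
    members = set(group_member_rows.get(group.id, ()))
    if group.type == "Role":
        members |= {u.username for u in users if u.role_id == group.related_id}
    elif group.type == "RoleAndSubordinates":
        wanted = {group.related_id} | subordinate_roles(group.related_id, roles)
        members |= {u.username for u in users if u.role_id in wanted}
    elif group.type == "Organization":
        members |= {u.username for u in users}
    return sorted(members)


# Constructed sample data: a three-level role hierarchy and four users.
ROLES = {r.id: r for r in [
    Role("r1", "CEO", None),
    Role("r2", "VP Sales", "r1"),
    Role("r3", "Sales Rep", "r2"),
]}
USERS = [
    User("u1", "alice@example.com", "r1"),
    User("u2", "bob@example.com", "r2"),
    User("u3", "carol@example.com", "r3"),
    User("u4", "dave@example.com", None),
]
GROUPS = [
    Group("g1", "Regular", name="Sales Team"),
    Group("g2", "Role", related_id="r2"),
    Group("g3", "RoleAndSubordinates", related_id="r2"),
    Group("g4", "Organization"),
]
GROUP_MEMBER_ROWS = {"g1": ["bob@example.com", "carol@example.com"]}   # GroupMember object


def resolve_groups() -> dict[str, list[str]]:
    """Generated group name -> sorted member account names, for every group."""
    return {group_name(g, ROLES): group_members(g, USERS, ROLES, GROUP_MEMBER_ROWS)
            for g in GROUPS}


if __name__ == "__main__":
    for name, members in resolve_groups().items():
        print(f"{name}: {', '.join(members)}")
```

Running it shows why the two role-based group types differ: the "Role : VP Sales" group contains only the VP, while "RoleAndSubordinates : VP Sales" also pulls in the Sales Rep below that role, and "Organization" contains every user, including one with no role at all.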
Application Role Attribute Mapping
The following table lists the mappings between Salesforce entitlement attributes and RSA IAM Platform object attributes:
Salesforce Attributes | ACM Attributes | Description
--- | --- | ---
Profile.Id / PermissionSet.Id | AppRole.External Id | Unique ID provided by Salesforce for each Profile/PermissionSet object.
Profile.UserType | AppRole.UserType | User Type associated with this Profile.
Profile.UserLicenseId / PermissionSet.UserLicenseId | AppRole.UserLicenseId | User License ID associated with this Profile/PermissionSet. Each Profile and PermissionSet is associated with one of the user licenses. A user license entitles a user to specific functionality and determines the profiles and permission sets available to the user.
UserLicense.Name | AppRole.UserLicenseName | User license name.
(none) | AppRole.Type | This attribute is used by RSA IAM Platform to identify whether the application role is created from the Profile or PermissionSet object of Salesforce.
Application Role – Account Resolution
Application roles are assigned to accounts using an account's “Account Name” attribute.
Note: Because Salesforce grants entitlements to resources via Profiles and PermissionSets, granular entitlements that specify exact access to each resource are not collected. There is no direct way to assign a particular entitlement to a user. Therefore, only Profiles and PermissionSets are collected as entitlements, as they provide access to all resources.
Set Up the AFX Salesforce Connector
This section describes how to configure the Salesforce connector in AFX. The Salesforce connector can complete the following tasks:
• Add Account To Group
• Add App Role To Account
• Add Group To Group
• Create Account
• Create Group
• Delete Group
• Disable Account
• Enable Account
• Remove Account From Group
• Remove App Role From Account
• Remove Group From Group
• Update Account
See the Access Fulfillment Express Guide for more information on working with AFX.
See the Access Request Manager Guide for more information on working with request forms and account templates.
Create the Salesforce Connector
The Salesforce connector fulfills access request commands in the Salesforce system.
To create the connector:
1. Select AFX > Connectors > Create Connector.
2. Click the General tab and configure the following settings:
• Name: <Name of the Salesforce connector>
• Connector Template: Salesforce Connector
• Status: Active
3. Click the Settings tab and configure the following settings:
• Username: <Username>
• Password: <username password>
• Security Token: <Security Token>
• Salesforce API: <Salesforce API version>
4. Click the Capabilities tab and select all check-boxes, and then click OK.
Create an Account Request Form
The request form enables users to request creation of an account.
To create the form:
1. Select Requests > Configuration > Request Forms.
2. Click Create Form.
3. Select Create a new Form, click Next, and then configure as follows:
• General Properties
- Form Name: <Form Name>
- Enabled: True
- FormType: Create Account
- Changes Apply to: One user with the following attributes: All
- Fulfillment Workflow: Default AFX Fulfillment
• Fields
Click New.
- Variable Name: <Profile Var Name>
- Control Type: Drop Down Select
- Question: “Enter the Profile Name”
- Options: Enter the Salesforce profile names:
Value: <Profile Name>
Display: <Profile Name>
Click Add. Repeat for each profile.
Click OK.
Click New.
- Variable Name: <Password Var Name>
- Control Type: Password Field
- Question: Enter Password
Click OK.
To retrieve Salesforce profile names:
1. Log in to the Salesforce account.
2. Choose Setup from your account menu.
3. Select Administration Setup > Manage Users > Profiles.
Create an Account Template
The account template provides account input parameters.
To create a template:
1. Select Requests > Configuration > Account Templates.
2. Click Create Account Template, and then configure as follows:
• Name: <Account Template Name>
• Account Creation Form: Select the form previously created.
Click OK.
3. Click the name of the account template you just created. Configure as follows:
• Click Add Pending Account Parameter, and enter settings:
- Name: Name
- Value: ${User.Email_Address}
Click OK.
• Click Add Parameter, and enter settings:
- Name: Password
- Form Field: <Password Var Name>
Click OK.
• Click Add Parameter, and enter settings:
- Name: Profile
- Form Field: <Profile Var Name>
Click OK.
Associate the Account Template to the Salesforce Application
You must associate the account template you just created to the Salesforce application so the template can be used for requests for accounts from the application.
To associate the template to the application:
1. Select Resources > Applications.
2. Click <Salesforce App Name>.
3. Click Requests.
4. Click Edit Account Template Associations.
5. Select the <The account template you just created>.
6. Click OK.
7. Set Entitlements Require Account to Yes.
8. Select the Fulfillment Workflow: Default AFX Fulfillment.
Discover the Salesforce Connector in RSA IAM Platform
After you create the Salesforce connector in AFX, you must discover the connector in RSA IAM Platform and map Salesforce attributes to connector command parameters.
Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.
To discover the connector and map attributes:
1. Select AFX > Map Connectors.
2. Click Discover Connectors From AFX Server.
3. Click Apply Changes.
4. From the AFX Connector Summary window, click <Name of Salesforce connector>.
5. Click the Commands tab.
6. Map command attributes as follows:
• AddAccountToGroup
- AccountName: ${Account.Name}
- GroupName: ${Group.Name}
• AddAppRoleToAccount
- AccountName: ${Account.Name}
- PermissionSetName: ${ApplicationRole.Name}
• AddGroupToGroup
- GroupName: ${Group.Name}
- SubGroupName: ${Group.Name}
• CreateAccount
- Alias: ${User.First_Name}
- Email: ${User.Email_Address}
- EmailEncodingKey: ISO-8859-1 (for example)
- Firstname: ${User.First_Name}
- LanguageLocaleKey: en_US (for example)
- Lastname: ${User.Last_Name}
- LocaleSidKey: en_US (for example)
- Password: ${AccountTemplate.Password}
- ProfileName: ${AccountTemplate.Profile}
- TimeZoneSidKey: America/Los_Angeles (for example)
- Username: ${User.Email_Address}
• ResetPassword
- AccountName: ${Account.Name}
- Password: ${AccountTemplate.Password}
• CreateGroup
- Not available in v6.5
• DeleteGroup
- GroupName: ${Group.Name}
• DisableAccount
- AccountName: ${Account.Name}
• EnableAccount
- AccountName: ${Account.Name}
• RemoveAccountFromGroup
- AccountName: ${Account.Name}
- GroupName: ${Group.Name}
• RemoveAppRoleFromAccount
- AccountName: ${Account.Name}
- PermissionSetName: ${ApplicationRole.Name}
• RemoveGroupFromGroup
- GroupName: ${Group.Name}
- SubGroupName: ${Group.Name}
• UpdateAccount
- AccountName:${User.Email_Address}
- Firstname: ${User.First_Name}
- Lastname: ${User.Last_Name}
- Alias: ${User.First_Name}
- EmailEncodingKey: ISO-8859-1 (for example)
- LanguageLocaleKey: en_US (for example)
- LocaleSidKey: en_US (for example)
- TimeZoneSidKey: America/Los_Angeles (for example)
7. From the AFX Connector Summary window, click Enable for each command (to enable each command).
8. Click the General tab, and then click Enable (to enable the connector).
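The command mappings above bind each connector parameter either to a literal (for example en_US) or to a ${Object.Attribute} placeholder that is filled from collected data when the command runs, and the note earlier in this section warns that a placeholder whose attribute was never collected cannot be fulfilled. The following Python is an added example, not code from the RSA guide or from AFX: it resolves the CreateAccount mapping against constructed User and AccountTemplate values and lists any placeholder the collected data cannot satisfy before the command is attempted. The placeholder grammar, the context dictionary layout and the sample values are this example's assumptions.

```python
# Added example (not from the RSA guide or AFX): resolving ${Object.Attribute}
# command mappings and detecting attributes that were never collected.
import re

# Placeholder shape assumed from the mappings shown in the guide.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z]+)\.([A-Za-z_]+)\}")

# The CreateAccount mapping as listed above; "(for example)" values made literal.
CREATE_ACCOUNT = {
    "Alias": "${User.First_Name}",
    "Email": "${User.Email_Address}",
    "EmailEncodingKey": "ISO-8859-1",
    "Firstname": "${User.First_Name}",
    "LanguageLocaleKey": "en_US",
    "Lastname": "${User.Last_Name}",
    "LocaleSidKey": "en_US",
    "Password": "${AccountTemplate.Password}",
    "ProfileName": "${AccountTemplate.Profile}",
    "TimeZoneSidKey": "America/Los_Angeles",
    "Username": "${User.Email_Address}",
}

# Constructed sample of collected data, keyed the way the placeholders are.
SAMPLE_CONTEXT = {
    "User": {"First_Name": "Jane", "Last_Name": "Doe",
             "Email_Address": "jane.doe@example.com"},
    "AccountTemplate": {"Password": "form-supplied-secret",   # from the request form
                        "Profile": "Standard User"},
}

# Same user, but Last_Name and the template Profile were never collected.
PARTIAL_CONTEXT = {
    "User": {"First_Name": "Jane", "Email_Address": "jane.doe@example.com"},
    "AccountTemplate": {"Password": "form-supplied-secret"},
}


def unresolved_attributes(mapping, context):
    """Return the Object.Attribute names in `mapping` that `context` lacks."""
    missing = set()
    for value in mapping.values():
        for obj, attr in PLACEHOLDER.findall(value):
            if attr not in context.get(obj, {}):
                missing.add(f"{obj}.{attr}")
    return sorted(missing)


def resolve_command(mapping, context):
    """Substitute every placeholder, or raise before sending a half-filled command.

    The resolved dictionary contains the account password; keep it out of logs.
    """
    missing = unresolved_attributes(mapping, context)
    if missing:
        raise KeyError("attributes not collected: " + ", ".join(missing))

    def substitute(match):
        return context[match.group(1)][match.group(2)]

    return {param: PLACEHOLDER.sub(substitute, value) for param, value in mapping.items()}


if __name__ == "__main__":
    print(unresolved_attributes(CREATE_ACCOUNT, PARTIAL_CONTEXT))
    resolved = resolve_command(CREATE_ACCOUNT, SAMPLE_CONTEXT)
    print({k: v for k, v in resolved.items() if k != "Password"})
```

Running unresolved_attributes against every enabled command's mapping after a collection run is a cheap pre-flight check: it catches a mapping that still references an attribute the collector does not gather, which is exactly the condition the note describes.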
Bind the Connector to the Salesforce Application
You must associate, or bind, the Salesforce connector to the Salesforce application to implement auto-fulfillment of access request tasks you want completed in the Salesforce system.
To bind the connector:
1. Select Resources > Applications > Salesforce > AFX Connector Binding.
2. Click Edit Connector Binding.
3. Select the Salesforce connector from the drop-down list, and then click OK.
Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.
Chapter 3: Google Apps
Content
• “Set Up Google Apps for Onboarding” on page 28
• “Data Collection Prerequisites” on page 28
• “Configure Google Apps Account and Entitlement Data Collectors” on page 30
• “How Entitlements in Google Apps Appear in RSA IAM Platform” on page 33
• “Set Up the AFX Google Apps Connector” on page 33
Set Up Google Apps for Onboarding
To use the Google Apps collectors and to auto-fulfill change requests with AFX, the client domain has to be registered with Google Apps For Business.
Do the following:
• Get a test domain and test the Google Apps accounts:
1. Go to the following URL:
http://www.google.com/enterprise/apps/business/pricing.html?utm_expid=59436268-7
2. Select the type of account you want to use.
On the next page, you are asked for a domain. If you have one, register it, or you can buy a domain by clicking the Find Domain button.
• Enable the Google Apps provisioning API:
1. Go to the following URL:
https://www.google.com/a/cpanel/<Your Domain>/Dashboard
You are redirected to a login page.
2. Enter domain admin credentials.
The control panel page is loaded.
3. Click the Domain settings tab, and then click the User Settings sub-tab.
4. Select Enable provisioning API.
5. Save the changes.
• Create a project for use by the collector:
1. Go to the following URL:
https://code.google.com/apis/console/
2. Create a new project with the name of your choice.
Enable Calendar and Drive APIs.
Data Collection Prerequisites
Complete the following tasks before you create Google Apps data collectors:
• Configure Google Apps for collection.
• Create a Google Apps application in RSA IAM Platform.
• Define additional attributes you require for Google Apps objects in RSA IAM Platform that you want to collect from Google Apps.
Configure Google Apps for Collection
To use the Google Apps collector, the client domain has to be registered with Google Apps For Business.
The steps are the same as those in “Set Up Google Apps for Onboarding” on page 28: get a test domain and test the Google Apps accounts, enable the Google Apps provisioning API, and create a project for use by the collector.
Create a Google Apps Application
You must create a “Google Apps” application object in RSA IAM Platform with which you will associate Google Apps data collectors and an AFX auto-fulfillment connector.
To create the Google Apps application:
1. Select Resources > Applications > Create Application > Other Application.
2. Application Name: Google Apps.
See the RSA IAM Platform Administrators Guide for more information on how to create and manage applications.
Define Additional Attributes
If you want to collect all available data from Google Apps, you can define a set of additional attributes for the following objects in RSA IAM Platform:
• Account
• Application Role
• Group
See the RSA IAM Platform Administrators Guide for more information on how to create and manage attributes.
To define Google Apps application attributes:
1. Select Admin > Attributes.
2. Select the Account tab and add the following attributes:
Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
--- | --- | --- | --- | --- | --- | ---
FamilyName | String | <use available> | Collected | No | No | No
GivenName | String | <use available> | Collected | Yes | Yes | No
Is Active | String | <use available> | Collected | Yes | Yes | No
Email | String | <use available> | Collected | Yes | Yes | No
3. Select the Group tab and add the following attributes:
Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
--- | --- | --- | --- | --- | --- | ---
Other Owners | String | <use available> | Collected | No | No | No
4. Select the Resources tab and add the following attributes:
Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
--- | --- | --- | --- | --- | --- | ---
OwnerName | String | <use available> | Collected | No | No | No
Configure Google Apps Account and Entitlement Data Collectors
This section describes how to configure the following data collectors for the Google Apps application:
• Account Collector — Collects account and group information from Google Apps. It also provides the mapping between RSA IAM Platform users and the accounts collected from Google Apps. The account collector uses two services for this purpose: UserService and AppsGroupsService. The user's email is used to map RSA IAM Platform users to Google accounts.
• Entitlement Collector — Collects information about the permissions that users and groups have on Google documents and calendars.
Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 30 were in fact defined.
About Resource Action – Account Resolution
Permissions on different documents/ calendars are assigned to accounts/groups using the account email id. Thus calendars and documents are treated as Resources. Roles are considered as Actions. The entitlement relationship captures whether the resource is entitled to a group or an account and the name of the corresponding group/account.
Configure the Google Apps Account Collector
This section describes how to configure an account collector for the Google Apps application.
To configure the Google Apps Account Collector:
1. From the Google Apps application’s Collectors tab, click Create Account Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description Page
- Collector Name: <Name of Google Apps ADC>
- Data Source Type: Google Apps
• Configuration Information
- Admin Email Address: <Email Address of the admin of the domain registered with Google>
- Password: <Password of the admin of the domain registered with Google>
- Application Name: <Name of the project created on the Google Apps API Console>
- Domain Name: <Name of the domain registered with Google Apps>
• Map Collector Attributes to Account Mapping Attributes
- User Reference: Email
• Map Collector Attributes to Account Attributes
- Admin Email Address: <Email Address of the admin of the domain registered with Google>
- Password: <Password of the admin of the domain registered with Google>
- Application Name: <Name of the project created on the Google Apps API Console>
- Domain Name: <Name of the domain registered with Google Apps>
- Family Name: familyName
- Given Name: givenName
- Is Active: status
• Map Collector Attributes to Group Attributes
- Name: groupName
- Backup Owner: backupOwner
- Owner: groupOwner
- Other Owners: otherOwners
• Edit User Resolution Rules
- Target Collector: <Name of the IDC that collects Google Apps users> or Users
- User Attribute: Email Address
• Edit Member Account Resolution Rules
- Target collector: <Name of Google Apps ADC>
- Account Attribute: Account Name
• Edit Sub-group Resolution Rules
- Associated collector: <Name of Google Apps ADC>
- Group Attribute: Name
Configure the Google Apps Entitlement Data Collector
This section describes how to configure an entitlement collector for the Google Apps application.
To configure the Google Apps Entitlement Collector:
1. From the Google Apps application’s Collectors tab, click Create Account Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of Google Apps EDC>
- Data Source Type: Google Apps
• Configuration Information
- Admin Email Address: Email Address of the admin of the domain registered with Google.
- Password: Password of the admin of the domain registered with Google.
- Application Name: Name of the project created on the Google Apps API Console.
- Domain Name: Name of the domain registered with Google Apps.
• Group Evaluation
- Associated collector: <Name of Google Apps ADC>
- Group value evaluates to: Name
• Account Evaluation
- Associated account collector: <Name of Google Apps ADC>
- Account value evaluates to: Name
How Entitlements in Google Apps Appear in RSA IAM Platform
The following table illustrates the mapping between RSA IAM Platform attributes and Google Apps attributes.
Application Name | ACM Attribute Name | Google Apps Attribute Name | Remark
--- | --- | --- | ---
Google Docs | Resource Name | Document Name |
Google Docs | Resource Action | Role | Reader / Writer / Owner
Google Calendar | Resource Name | Calendar Name | The name of the default calendar is the user's email ID.
Google Calendar | Resource Action | Role | FreeBusy / Read / Editor / Owner
Set Up the AFX Google Apps Connector
This section describes how to configure the Google Apps connector in AFX, discover and map connector attributes in RSA IAM Platform, and associate the connector with the Google Apps application in RSA IAM Platform. The Google Apps connector completes the following tasks:
• Create Account
• Delete Account
• Disable Account
• Enable Account
• Create Group
• Delete Group
• Add Account to Group
• Remove Account From Group
• Add Entitlement to Account
• Remove Entitlement from Account
• Remove Entitlement from Group
See the Access Fulfillment Express Guide for more information on working with AFX.
See the Access Request Manager Guide for more information on working with request forms and account templates.
Create the Google Apps Connector
The Google Apps connector fulfills access request commands in the Google Apps system.
To create the connector:
1. Select AFX > Connectors > Create Connector.
2. Click the General tab and configure the following settings:
• Name: <Name of the Google Apps connector>
• Connector Template: Google Apps Connector
• Status: Active
3. Click the Settings tab and configure the following settings:
• Username: <Username>
• Password: <Password>
• Application Name: <Project Name>
• Domain: <Domain>
4. Click the Capabilities tab and select all check-boxes, and then click OK.
Create an Account Request Form
The request form enables users to request creation of an account.
To create the form:
1. Select Requests > Configuration > Request Forms.
2. Click Create Form.
3. Select Create a new Form, click Next, and then configure as follows:
• General Properties
- Form Name: <Form Name>
- Enabled: True
- FormType: Create Account
- Changes Apply to: One user with the following attributes: All
- Fulfillment Workflow: Default AFX Fulfillment
• Fields
Click New.
- Variable Name: <Username Var Name>
- Control Type: Text Field
- Question: “Enter the user login name you want to set”
Click OK.
Click New.
- Variable Name: <Password Var Name>
- Control Type: Password Field
- Question: “Enter Password”
Click OK.
Create an Account Template
The account template provides account input parameters.
To create a template:
1. Select Requests > Configuration > Account Templates.
2. Click Create Account Template, and then configure as follows:
• Name: <Account Template Name>
• Account Creation Form: Select the form previously created.
Click OK.
3. Click the name of the account template you just created. Configure as follows:
• Click Add Pending Account Parameter, and enter settings:
- Name: Name
- Value: ${User.Email_Address}
Click OK.
• Click Add Parameter, and enter settings:
- Name: User
- Form Field: <User Var Name>
Click OK.
• Click Add Parameter, and enter settings:
- Name: Password
- Form Field: <Password Var Name>
Click OK.
Associate the Account Template to the Google Apps Application
You must associate the account template you just created to the Google Apps application so the template can be used for requests for accounts from the application.
To associate the template with the application:
1. Select Resources > Applications.
2. Click <Google Apps App Name>.
3. Click Requests.
4. Click Edit Account Template Associations.
5. Select the <The account template you just created>.
6. Click OK.
7. Set Entitlements Require Account to Yes.
8. Select the Fulfillment Workflow: Default AFX Fulfillment.
Discover the Google Apps Connector in RSA IAM Platform
After you create the Google Apps connector in AFX, you must discover the connector in RSA IAM Platform and map Google Apps attributes to connector command parameters.
Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.
To discover the connector and map attributes:
1. Select AFX > Map Connectors.
2. Click Discover Connectors From AFX Server.
3. Click Apply Changes.
4. From the AFX Connector Summary window, click <Name of Google Apps connector>.
5. Click the Capabilities tab.
Map command attributes as follows:
• CreateAccount
- FamilyName: ${User.First_Name}
- GivenName: ${User.Last_Name}
- User: ${User.First_Name}${User.Last_Name}
- Password: ${AccountTemplate.Password}
• DeleteAccount
- User: ${$Account.Name}
• DisableAccount
- User: ${$Account.Name}
• EnableAccount
- User: ${$Account.Name}
• ResetPassword
- User: ${$Account.Name}
• CreateGroup
- Group: ${Group.Name}
• DeleteGroup
- Group: ${Group.Name}
• AddAccountToGroup
- Group: ${Group.Name}
- User: ${$Account.Name}
• AddGroupToGroup
- Group: ${Group.Name}
- GroupName: ${Group.Name}
• RemoveAccountFromGroup
- Group: ${Group.Name}
- User: ${$Account.Name}
• RemoveGroupFromGroup
- Group: ${Group.Name}
- GroupName: ${Group.Name}
• AddEntToAccount
- ResourceName: ${Resource.Name}
- User: ${$Account.Name}
- Role: ${Action.Name}
• RemoveEntFromAccount
- ResourceName: ${Resource.Name}
- User: ${$Account.Name}
- Role: ${Action.Name}
• RemoveEntFromGroup
- ResourceName: ${Resource.Name}
- GroupName: ${Group.Name}
- Role: ${Action.Name}
6. From the AFX Connector Summary window, click Enable for each command (to enable each command).
7. Click the General tab, and then click Enable (to enable the connector).
Bind the Connector to the Google Apps Application
You must associate, or bind, the Google Apps connector to the Google Apps application to implement auto-fulfillment of access request tasks you want completed in the Google Apps system.
To bind the connector:
1. Select Resources > Applications > Google Apps > AFX Connector Binding.
2. Click Edit Connector Binding.
3. Select the Google Apps connector from the drop-down list, and then click OK.
Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.
Chapter 4: NetSuite
Content
• “Set Up NetSuite for Onboarding” on page 40
• “Data Collection Prerequisites” on page 41
• “Configure NetSuite Account and Entitlement Data Collectors” on page 42
• “How Entitlements in NetSuite Appear in RSA IAM Platform” on page 44
• “Set Up the AFX NetSuite Connector” on page 45
Set Up NetSuite for Onboarding
To use the NetSuite collector, the client domain must be registered with NetSuite For Business. Log in to NetSuite as “Administrator” to complete the role and employee searches.
• Create a role search and get the search results:
1. Go to List > Search > Saved Searches > New.
2. Click Role.
3. Provide a search title and click the Results tab.
4. In the Sort By drop down select Name.
5. In the columns sub-tab select Internal ID and click Add.
6. Add the following columns:
- Level
- Permission
- Name
- Permission Change
- Permission Change Date
- Permission Change Level
- Inactive
- Center Type
- Custom/Standard
7. Click Save & Run.
8. Click Email to e-mail the search results to yourself. Make sure you select the Send as CSV option when you send the e-mail.
9. Save the attachment as a Role Search.csv file.
• Create an employee search and get the search results:
1. Go to List > Search > Saved Searches > New.
2. Click Employee.
3. Provide a search title and click the Results tab.
4. In the Sort By drop down select Email.
5. In the columns sub-tab select Email and click Add.
6. Add the following columns:
- Internal ID
- Date Created
- Department
- Employee Status
- First Name
- Last Name
- Middle Name
- Gender
- Inactive
- Login Access
- Role
- Supervisor
- Type
7. Click Save & Run to save and run the search.
8. Click Email to e-mail the search results to yourself. Make sure you select the Send as CSV option when you send the e-mail.
9. Save the attachment as an Employee Search.csv file.
Data Collection Prerequisites
Complete the following tasks before you create NetSuite data collectors:
• Create a NetSuite application in RSA IAM Platform.
• Define additional attributes you require for NetSuite objects in RSA IAM Platform that you want to collect from NetSuite.
Create a NetSuite Application
You must create a “NetSuite” application object in RSA IAM Platform with which you will associate NetSuite data collectors and an AFX auto-fulfillment connector.
To create the NetSuite application:
1. Select Resources > Applications > Create Application > Other Application.
2. Application Name: NetSuite.
See the Administrators Guide for more information on how to create and manage applications.
Define Additional Attributes
You must define attributes cited as mandatory in this section. If you want to collect all available data from NetSuite, you can define a set of additional attributes for the following objects in RSA IAM Platform:
• Account
• Application Role
• Group
See the Administrators Guide for more information on how to create and manage attributes.
To define attributes:
1. Select Admin > Attributes.
2. Select the Account tab and add the following attributes:
Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
--- | --- | --- | --- | --- | --- | ---
Email | String | <use available> | Collected | Yes | Yes | Yes
Acct Date | Date | <use available> | Collected | Yes | Yes | No
Login Access | String | <use available> | Collected | Yes | Yes | No
Is Active | String | <use available> | Collected | Yes | Yes | No
The “Email” attribute represents the user name in NetSuite.
3. Select the Application Role tab and add the following attributes:
Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
--- | --- | --- | --- | --- | --- | ---
External Id | String | <use available> | Collected | No | No | Yes
The “External Id” attribute must be collected for NetSuite roles because, when you configure the NetSuite connector's CreateAccount command, you are required to provide the role ID. NetSuite does not provide the role search feature through web services, so you must collect this attribute so that it can be referenced during connector configuration.
Configure NetSuite Account and Entitlement Data Collectors
This section describes how to configure an account data collector and an entitlement data collector for the NetSuite application.
Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 42 were in fact defined.
Configure the NetSuite Account Collector
This section describes how to configure an account collector for the NetSuite application.
To configure the collector:
1. From the NetSuite application’s Collectors tab, click Create Account Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of NetSuite ADC>
- Data Source Type: NetSuite
• Configuration Information
- Employees search result file: Enter the absolute path of the csv file that includes employee search results.
- The employee search result csv file must be formatted as follows:
• The first row should have the attribute/column names.
• The file must have Email, Internal ID, Date Created, Department, Employee Status, First Name, Last Name, Middle Name, Gender, Inactive, Login Access, Role, Supervisor, Type attributes/columns.
• The search results must be sorted by the Email attribute/column.
• Map Collector Attributes to Account Mapping Attributes
- User Reference: Email
• Map Collector Attributes to Account Attributes
- Email: Email
• Edit User Resolution Rules
- Target collector: <Name of the IDC that collects NetSuite users> or Users
- User Attribute: Email Address
Configure the NetSuite Entitlement Collector
This section describes how to configure an entitlement collector for the NetSuite application.
To configure the collector:
1. From the NetSuite application’s Collectors tab, click Create Entitlement Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of NetSuite EDC>
- Data Source Type: NetSuite
• Configuration Information (See “Configure the NetSuite Account Collector” on page 43 for more information on connection settings.)
- Role search result file: Enter the absolute path of the csv file that includes role search results.
• The first row should have the attribute/column names.
• The file must have Name, Internal ID, Permission, and Level attributes/columns
• The search results must be sorted by the Name attribute/column.
- Employees search result file: Enter the absolute path of the csv file that includes employee search results.
The employee search result csv file must be formatted as follows:
• The first row should have the attribute/column names.
• The file must have Email, Internal ID, Date Created, Department, Employee Status, First Name, Last Name, Middle Name, Gender, Inactive, Login Access, Role, Supervisor, Type attributes/columns.
• The search results must be sorted by the Email attribute/column
• App Role Attribute Mapping Information
- External Id: Internal_ID
• Account Evaluation
- Associated collector: <Name of NetSuite ADC>
- Account value evaluates to: AccountName
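Both collectors above read CSV exports that must carry a header row, a fixed set of columns and rows sorted on a key column. The following Python is an added check (not code from the RSA guide) that validates an employee export and a role export against those rules before a collector is pointed at them; the sample exports are constructed, and case-insensitive ordering is an assumption about how NetSuite sorts.

```python
"""Check NetSuite search-result CSV exports before a collector reads them.

Added example, not code from the RSA guide. Both the account collector and
the entitlement collector read CSV exports that need a header row, a fixed
set of columns and rows sorted on a key column; an export that misses any of
these is a common reason for a collector run that picks up nothing.
"""
import csv
import io

# Required columns and sort keys, as listed in the guide.
EMPLOYEE_COLUMNS = [
    "Email", "Internal ID", "Date Created", "Department", "Employee Status",
    "First Name", "Last Name", "Middle Name", "Gender", "Inactive",
    "Login Access", "Role", "Supervisor", "Type",
]
ROLE_COLUMNS = ["Name", "Internal ID", "Permission", "Level"]

# Constructed sample exports (not real NetSuite data).
SAMPLE_EMPLOYEES = (
    "Email,Internal ID,Date Created,Department,Employee Status,First Name,"
    "Last Name,Middle Name,Gender,Inactive,Login Access,Role,Supervisor,Type\n"
    "alice@example.com,101,2013-01-05,Finance,Active,Alice,Adams,,F,F,T,"
    "Accountant,,Employee\n"
    "bob@example.com,102,2013-02-11,IT,Active,Bob,Brown,,M,F,T,"
    "Administrator,alice@example.com,Employee\n"
)
SAMPLE_ROLES_UNSORTED = (
    "Name,Internal ID,Permission,Level\n"
    "Sales Rep,5,Transactions,View\n"
    "Accountant,3,Reports,Full\n"
)


def check_search_result(text, required_columns, sort_key):
    """Return a list of problems found in a CSV export; an empty list means
    the file satisfies the layout rules. `text` is the file content as a
    string. Extra columns are tolerated; missing ones, empty key values and
    rows out of ascending order on the key column are reported. The order
    comparison is case-insensitive (an assumption about how the export is
    sorted)."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames
    if not header:
        return ["file is empty or has no header row"]
    missing = [c for c in required_columns if c not in header]
    if missing:
        problems.append("missing columns: " + ", ".join(missing))
    if sort_key not in header:
        return problems  # order cannot be checked without the key column
    previous = None
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        value = (row.get(sort_key) or "").strip()
        if not value:
            problems.append(f"line {line_no}: empty {sort_key}")
            continue
        if previous is not None and value.casefold() < previous.casefold():
            problems.append(f"line {line_no}: {sort_key} {value!r} is out of"
                            f" order (after {previous!r})")
        previous = value
    return problems


def check_employee_file(text):
    """Validate an employee search-result export (sorted by Email)."""
    return check_search_result(text, EMPLOYEE_COLUMNS, "Email")


def check_role_file(text):
    """Validate a role search-result export (sorted by Name)."""
    return check_search_result(text, ROLE_COLUMNS, "Name")


def check_file(path, checker):
    """Read an export from disk and run one of the checkers on it."""
    with open(path, newline="", encoding="utf-8") as fh:
        return checker(fh.read())


if __name__ == "__main__":
    print("employees:", check_employee_file(SAMPLE_EMPLOYEES) or "OK")
    print("roles:", check_role_file(SAMPLE_ROLES_UNSORTED) or "OK")
```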
How Entitlements in NetSuite Appear in RSA IAM Platform
NetSuite entitlements are of the Resource:Action type. A NetSuite Role is a bag that contains these entitlements and has member accounts. NetSuite roles are represented in RSA IAM Platform by application roles. The Id and name attributes of an application role together uniquely identify the corresponding NetSuite role. Entitlements in NetSuite are granted to an account through NetSuite roles. The account entity in RSA IAM Platform represents the NetSuite account. The Email and Id of an RSA IAM Platform account together uniquely identify its corresponding NetSuite account.
Set Up the AFX NetSuite Connector
This document provides information regarding NetSuite connector configuration in AFX. The NetSuite Connector completes the following tasks:
• Create Account
• Delete Account
• Disable Account
• Enable Account
• Reset Password
• Update Account
See the Access Fulfillment Express Guide for more information on working with AFX.
See the Access Request Manager Guide for more information on working with request forms and account templates.
How to Prepare NetSuite for AFX Automatic Fulfillment
To enable web services on NetSuite:
1. Log in to NetSuite as “Administrator.”
2. Click Setup > Company > Enable Features.
3. Click the SuiteFlex tab.
4. Select Web Services, and then click Save.
Create the NetSuite Connector
To create the connector:
1. Select AFX > Connectors > Create Connector.
2. Click the General tab and configure the following settings:
• Name: <Name of NetSuite connector>
• Connector Template: NetSuite Connector
• Status: Active
3. Click the Settings tab and configure the following settings:
• Username: <NetSuite Admin username>
• Password: <NetSuite Admin password>
• Account: <NetSuite Admin Account>
• Role Id: <NetSuite Admin role id>
4. Click the Capabilities tab and select all check-boxes, and then click OK.
Create an Account Request Form
The request form enables users to request creation of an account.
To create the form:
1. Select Requests > Configuration > Request Forms.
2. Click Create Form.
3. Select Create a new Form, click Next, and then configure as follows:
• General Properties
- Form Name: <Form Name>
- Enabled: True
- FormType: Create Account
- Changes Apply to: One user with the following attributes: All
- Fulfillment Workflow: Default AFX Fulfillment
• Fields
Click New.
- Variable Name: <Var1 Name>
- Control Type: Text Field
- Question: “Enter the Internal ID”
Click OK.
Click New.
- Variable Name: <Var2 Name>
- Control Type: Password Field
- Question: “Enter Password”
Click OK.
Create an Account Template
The account template provides account input parameters.
To create the template:
1. Select Requests > Configuration > Account Templates.
2. Click Create Account Template, and then configure as follows:
• Name: <Account Template Name>
• Account Creation Form: Select the form previously created.
Click OK.
3. Click the name of the account template you just created. Configure as follows:
• Click Add Pending Account Parameter, and enter settings:
- Name: Name
- Value: ${User.Email_Address}
Click OK.
• Click Add Parameter, and enter settings:
- Name: User
- Form Field: <Var1 Name>
Click OK.
• Click Add Parameter, and enter settings:
- Name: Password
- Form Field: <Var2 Name>
Click OK.
Associate the Account Template to the NetSuite Application
You must associate the account template you just created to the NetSuite application so the template can be used for requests for accounts from the application.
To associate the template with the application:
1. Select Resources > Applications.
2. Click <NetSuite App Name>.
3. Click Requests.
4. Click Edit Account Template Associations.
5. Select the <The account template you just created>.
6. Click OK.
7. Set Entitlements Require Account to Yes.
8. Select the Fulfillment Workflow: Default AFX Fulfillment.
Discover and Map the NetSuite Connector in RSA IAM Platform
After you create the NetSuite connector in AFX, you must discover the connector in RSA IAM Platform and map NetSuite attributes to connector command parameters.
Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.
To discover the connector and map the attributes:
1. Select AFX > Map Connectors.
2. Click Discover Connectors From AFX Server.
3. Click Apply Changes.
4. From the AFX Connector Summary window, click <Name of NetSuite connector>.
5. Click the Capabilities tab.
6. Map command attributes as follows:
• CreateAccount
- Email: ${User.Email_Address}
- Firstname: ${User.First_Name}
- Lastname: ${User.Last_Name}
- InternalId: ${AccountTemplate.InternalId}
- Password: ${AccountTemplate.Password}
• DisableAccount
- Email: ${Account.Email}
• EnableAccount
- Email: ${Account.Email}
• DeleteAccount
- Email: ${Account.Email}
• ResetPassword
- Email: ${Account.Email}
- Password: ${AccountPassword}
• UpdateAccount
- Email: ${User.Name}
- FirstName: <First name attribute for user>
- LastName: <Last name attribute for user>
- MiddleName: <Middle name attribute for user>
- Gender: <Gender attribute for user>
7. From the AFX Connector Summary window, click Enable for each command (to enable each command).
8. Click the General tab, and then click Enable (to enable the connector).
Bind the Connector to the NetSuite Application
You must associate, or bind, the NetSuite connector to the NetSuite application to implement auto-fulfillment of access request tasks you want completed in the NetSuite system.
To bind the connector to the application:
1. Select Resources > Applications > NetSuite > AFX Connector Binding.
2. Click Edit Connector Binding.
3. Select the NetSuite connector from the drop-down list, and then click OK.
Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.
Chapter 5: Amazon Web Services (AWS)
Content
• “Get Security Credentials from AWS” on page 52
• “Create an AWS Application” on page 52
• “Configure AWS Account and Entitlement Data Collectors” on page 52
• “How Entitlements in AWS Appear in RSA IAM Platform” on page 54
• “Set Up the AFX AWS Connector” on page 54
Get Security Credentials from AWS
You are required to provide AWS security credentials in the collector configuration settings and AFX connector configuration settings.
To get the credentials:
1. Log in to the following URL:
https://portal.aws.amazon.com/gp/aws/securityCredentials
2. From the Access Keys tab on the AWS Access Credential page, note the following credentials:
• Access Key ID
• Secret Access Key
Create an AWS Application
You must create an “AWS” application object in RSA IAM Platform with which you will associate AWS data collectors and an AFX auto-fulfillment connector.
To create the AWS application:
1. Select Resources > Applications > Create Application > Other Application.
2. Application Name: AWS.
See the Administrators Guide for more information on how to create and manage applications.
Configure AWS Account and Entitlement Data Collectors
This section describes how to configure an account data collector and an entitlement data collector for the AWS application.
Configure the AWS Account Collector
This section describes how to configure an account collector for the AWS application.
To configure the collector:
1. From the AWS application’s Collectors tab, click Create Account Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of AWS ADC>
- Data Source Type: AmazonAWS
• Configuration Information
- Access Key: <AmazonAWS Access Key>
- Secret Key: <AmazonAWS Secret Access Key>
• Map Collector Attributes to Account Mapping Attributes
- User Reference: AccountName
• Map Collector Attributes to Account Attributes
- Name: AccountName
• Edit User Resolution Rules
- Target collector: Users
- User Attribute: User Id
• Edit Member Account Resolution Rules
- Target collector: <Name of the AWS ADC>
- User Attribute: AccountName
Configure the AWS Entitlement Collector
This section describes how to configure an entitlement collector for the AWS application.
To configure the collector:
1. From the AWS application’s Collectors tab, click Create Entitlement Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of AWS EDC>
- Data Source Type: AmazonAWS
• Configuration Information
- Access Key: <AmazonAWS Access Key>
- Secret Key: <AmazonAWS Secret Access Key>
• Group Evaluation
- Associated collector: <Name of AWS ADC>
- Group value evaluates to: Name
• Account Evaluation
- Associated account collector: <Name of AWS ADC>
- Account value evaluates to: Account Name
How Entitlements in AWS Appear in RSA IAM Platform
AWS entitlements are of the Resource:Action type. The AmazonAWS policy is considered the Resource, and the Action is null. An AmazonAWS user policy is assigned to users directly, and an AmazonAWS group policy can be assigned to users through groups. The policy name is prepended to either the user name or the group name; therefore the resource is policy name + user/group name.
Set Up the AFX AWS Connector
This section describes how to set up the AWS connector in AFX. The AWS Connector completes the following tasks:
• Create Account
• Delete Account
• Remove Entitlement From Account
• Add Account To Group
• Remove Account From Group
• Create Group
• Delete Group
• Remove Entitlement From Group
See the Access Fulfillment Express Guide for more information on working with AFX.
See the Access Request Manager Guide for more information on working with account templates.
Create the AWS Connector
This section describes how to create the connector.
To create the connector:
1. Select AFX > Connectors > Create Connector.
2. Click the General tab and configure the following settings:
• Name: <Name of AWS connector>
• Connector Template: AWS Connector
• Status: Active
3. Click the Settings tab and configure the following settings:
• Access Key: <AmazonAWS Access Key>
• Secret Key: <AmazonAWS Secret Access Key>
See “Get Security Credentials from AWS” on page 52 if you require information on how to get security credentials.
4. Click the Capabilities tab and select all check-boxes, and then click OK.
Create an Account Template
The account template provides account input parameters.
To create the account template:
1. Select Requests > Configuration > Account Templates.
2. Click Create Account Template, and then configure as follows:
• Name: <Account Template Name>
• Account Creation Form: Select the form previously created.
Click OK.
3. Click the name of the account template you just created. Configure as follows:
• Click Add Pending Account Parameter, and enter settings:
- Name: Name
- Value: ${User.User_Id}
Click OK.
Associate the Account Template to the AWS Application
You must associate the account template you just created to the AWS application so the template can be used for requests for accounts from the application.
To associate the account template to the application:
1. Select Resources > Applications.
2. Click <AWS App Name>.
3. Click Requests.
4. Click Edit Account Template Associations.
5. Select the <The account template you just created>.
6. Click OK.
7. Set Entitlements Require Account to Yes.
8. Select the Fulfillment Workflow: Default AFX Fulfillment.
Discover and Map the AWS Connector in RSA IAM Platform
After you create the AWS connector in AFX, you must discover the connector in RSA IAM Platform and map AWS attributes to connector command parameters.
Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.
To discover the connector and map the attributes:
1. Select AFX > Map Connectors.
2. Click Discover Connectors From AFX Server.
3. Click Apply Changes.
4. From the AFX Connector Summary window, click <Name of AWS connector>.
5. Click the Capabilities tab.
6. Map command attributes as follows:
• CreateAccount
- User Name: ${User.User_Id}
• CreateGroup
- GroupName: ${Group.Name}
• DeleteGroup
- GroupName: ${Group.Name}
• DeleteAccount
- UserName: ${Account.Name}
• AddAccountToGroup
- GroupName: ${Group.Name}
- UserName: ${Account.Name}
• RemoveAccountFromGroup
- GroupName: ${Group.Name}
- UserName: ${Account.Name}
• RemoveEntFromAccount
- PolicyName: ${Entitlement.Resource_Name}
- UserName: ${Account.Name}
• RemoveEntFromGroup
- GroupName: ${Group.Name}
- PolicyName: ${Entitlement.Resource_Name}
7. From the AFX Connector Summary window, click Enable for each command (to enable each command).
8. Click the General tab, and then click Enable (to enable the connector).
Bind the Connector to the AWS Application
You must associate, or bind, the AWS connector to the AWS application to implement auto-fulfillment of access request tasks you want completed in the AWS system.
To bind the connector to the application:
1. Select Resources > Applications > AWS > AFX Connector Binding.
2. Click Edit Connector Binding.
3. Select the AWS connector from the drop-down list, and then click OK.
Note: Ensure that the application is associated with the default AFX fulfillment workflow or a custom version of it.
Chapter 6: ServiceNow
Content
• “Set Up ServiceNow for Onboarding” on page 60
• “Data Collection Prerequisites” on page 61
• “Configure ServiceNow Account and Entitlement Data Collectors” on page 63
• “How Entitlements in ServiceNow Appear in RSA IAM Platform” on page 66
• “Setup the AFX ServiceNow Connector” on page 71
Set Up ServiceNow for Onboarding
Before you create ServiceNow data collectors, collect ServiceNow data, and auto-fulfill requests for entitlements from ServiceNow with AFX, you must do the following:
• Configure ServiceNow properties for collection.
• (Optional) Enable WS security on the ServiceNow instance.
Configure ServiceNow Properties for Collection
This section describes how to configure the ServiceNow instance for data collection.
To configure ServiceNow for collection:
1. Activate elevated privileges for the current session: click the Lock icon (left top corner), select Security Admin, and then click OK.
2. Go to System Web Services > Properties, and configure properties as follows:
• Require WS-Security header verification for all incoming SOAP requests — Deselect.
• This property sets the elementFormDefault attribute of the embedded XML schema to the value of unqualified, if set to true. This attribute indicates whether or not locally declared elements must be qualified by the target namespace in an instance document. If the value of this attribute is 'unqualified', then locally declared elements should not be qualified by the target namespace. If the value of this attribute is 'qualified', then locally declared elements must be qualified by the target namespace. For compatibility with Clients generated from WSDL (.NET Web Reference, Axis2 stub, webMethods, and so on), set this value to false. This value defaults to true. — Deselect.
• Require basic authorization for incoming SOAP requests — Select.
Enable WS Security on the ServiceNow Instance
Enabling WS security on the ServiceNow instance is optional. The ServiceNow administrator enables WS security.
To enable WS security:
1. Go to the Certificates module (System Definition > Certificates).
2. Create a new X.509 Certificate. Configure the following fields:
• Name: SoapTest (for example)
• Format: PEM
• Type: Trust Store Cert
• Active: true
3. Paste the PEM certificate in the PEM certificate text area.
4. Click Submit.
Your certificate record should be listed with any other certificates you may have loaded into your instance. A WS-Security profile in ServiceNow to accept and validate x509 signed SOAP requests must now be set up.
5. Go to the WS Security Profiles module inside of the System Web Services application. Create a new profile by clicking New.
6. Select the x509 profile and select the user you would like this profile to execute as with the SOAP action. You will also need to select the certificate record we created in Step 1 (SoapTest) so that you can validate the signature.
7. Enable WS security for all inbound SOAP requests by selecting the following properties in System Web Services -> Properties:
• Require WS-Security header verification for all incoming SOAP requests
• Require basic authorization for incoming SOAP requests
8. Ensure that the following property is deselected:
This property sets the elementFormDefault attribute of the embedded XML schema to the value of unqualified, if set to true. This attribute indicates whether or not locally declared elements must be qualified by the target namespace in an instance document. If the value of this attribute is 'unqualified', then locally declared elements should not be qualified by the target namespace. If the value of this attribute is 'qualified', then locally declared elements must be qualified by the target namespace. For compatibility with Clients generated from WSDL (.NET Web Reference, Axis2 stub, webMethods, and so on), set this value to false. This value defaults to true.
Note: ServiceNow collectors and ServiceNow AFX connectors are both developed and tested against X.509 Certificate and Private keys generated using the RSA algorithm.
Data Collection Prerequisites
Complete the following tasks before you create ServiceNow data collectors:
• Create a ServiceNow application in RSA IAM Platform.
• Define additional attributes you require for ServiceNow objects in RSA IAM Platform that you want to collect from ServiceNow.
Create a ServiceNow Application
You must create a “ServiceNow” application object in RSA IAM Platform with which you will associate ServiceNow data collectors and an AFX auto-fulfillment connector.
To create the ServiceNow application:
1. Select Resources > Applications > Create Application > Other Application.
2. Application Name: ServiceNow.
See the Administrators Guide for more information on how to create and manage applications.
Define Additional Attributes
You must define attributes cited as mandatory in this section. If you want to collect all available data from ServiceNow, you can define a set of additional attributes for the following objects in RSA IAM Platform:
• Account
• Application Role
• Group
See the Administrators Guide for more information on how to create and manage attributes.
To define attributes:
1. Select Admin > Attributes.
2. Select the Account tab and add the following attributes:
| Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory |
| External Id | String | <use available> | Collected | No | No | No |
| Email | String | <use available> | Collected | Yes | Yes | No |
| Name | String | <use available> | Collected | Yes | Yes | No |
| Active | String | <use available> | Collected | Yes | Yes | No |
3. Select the Group tab and add the following attributes:
| Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory |
| External Id | String | <use available> | Collected | No | No | No |
| Email | String | <use available> | Collected | Yes | Yes | No |
| Name | String | <use available> | Collected | Yes | Yes | No |
| Active | String | <use available> | Collected | Yes | Yes | No |
| Type | String | <use available> | Collected | Yes | Yes | No |
| Manager | String | <use available> | Collected | Yes | Yes | No |
4. Select the Application Role tab and add the following attributes:
| Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory |
| External Id | String | <use available> | Collected | No | No | No |
| Role Name | String | <use available> | Collected | Yes | Yes | No |
| Description | String | <use available> | Collected | Yes | Yes | No |
Configure ServiceNow Account and Entitlement Data Collectors
This section describes how to configure an account data collector and an entitlement data collector for the ServiceNow application.
Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 62 were in fact defined.
ServiceNow Connection Configuration
The following information is required to configure ServiceNow data collectors:
• URL: Base URL of ServiceNow Instance
• Username: Admin User Name
• Password: Admin Password
Enabling WS Security for a ServiceNow Collector
This procedure applies to the ServiceNow account and entitlement collector configuration.
To enable WS security for a collector:
1. Select Enable WS Security.
2. Enter the Private Key Password.
3. Enter the Private Key in the PEM format (private key of the certificate that is uploaded on the ServiceNow instance) in the text area.
4. Enter the certificate that is uploaded on the ServiceNow instance, in X.509 PEM format, in the X.509 Certificate uploaded on ServiceNow text area.
Configure the ServiceNow Account Collector
This section describes how to configure an account collector for the ServiceNow application.
To configure the collector:
1. From the ServiceNow application’s Collectors tab, click Create Account Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of ServiceNow ADC>
- Data Source Type: ServiceNow
• Configuration Information
- URL: <Base URL of the ServiceNow instance>
- Username: <Admin user name>
- Password: <Admin user password>
- Enable WS Security: Select if WS Security is enabled.
- Private Key Password: <PrivateKeyPassword> if WS Security is enabled.
- Private key: <PrivateKey> if WS Security is enabled.
- X.509 Certificate uploaded on ServiceNow: <Certificate> if WS Security is enabled
• Map Collector Attributes to Account Mapping Attributes
- User Reference: User name
• Map Collector Attributes to Account Attributes
- Last Login Date: last_login_time
- Email: email
- External Id: sys_id
- Active: active
- Name: name
• Map Collector Attributes to Group Attributes
- Email: Email
- Manager: manager
- External Id: sys_id
- Active: active
- Name: name
- Type: Type
• Edit User Resolution Rules
- Target Collector: <Name of the identity collector that collects Salesforce users> or Users
- User Attribute: <Attribute to which ServiceNow Accounts will be mapped, User Id for example>
• Edit Member Account Resolution Rules
- Target collector: <Name of ServiceNow ADC>
- Account Attribute: Account Name
• Edit Sub-group Resolution Rules
- Target collector: <Name of ServiceNow ADC>
- Group Attribute: Name
Configure the ServiceNow Entitlement Collector
This section describes how to configure an entitlement collector for the ServiceNow application.
To configure the collector:
1. From the ServiceNow application’s Collectors tab, click Create Entitlement Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of the ServiceNow EDC>
- Data Source Type: ServiceNow
• Configuration Information
- URL: <Base URL of the ServiceNow instance>
- Username: <Admin user name>
- Password: <Admin user password>
- Enable WS Security: Select if WS Security is enabled.
- Private Key Password: <PrivateKeyPassword> if WS Security is enabled.
- Private key: <PrivateKey> if WS Security is enabled.
- X.509 Certificate uploaded on ServiceNow: <Certificate> if WS Security is enabled
• Map Collector Attributes to App Role Attributes
- External Id: sys_id
- Role Name: role_name
- Description: description
• Group Evaluation
- Associated collector: <Name of the ServiceNow ADC>
- Group value evaluates to: Name
• Account Evaluation
- Associated account collector: <Name of the ServiceNow ADC>
- Account value evaluates to: Account Name
Note: The following views are created on the ServiceNow instance after the collector is executed for the first time: AveksaGroupHasRoleView, AveksaGroupView, AveksaRoleView, AveksaUserGrMemberView, AveksaUserHasRoleView, AveksaUserRoleContainsView, and AveksaUserView. Maintain these view definitions as is; otherwise, the collector will not work. You can see these views on ServiceNow under System UI -> Views.
How Entitlements in ServiceNow Appear in RSA IAM Platform
This section provides information regarding how particular ServiceNow attributes are mapped to RSA IAM Platform attributes.
Account Data Collector Mapping
The account collector gathers account and group-related information from the following ServiceNow instance web services:
• http://<instance_name>.service-now.com/sys_user.do?WSDL
• http://<instance_name>.service-now.com/sys_user_group.do?WSDL
• http://<instance_name>.service-now.com/sys_user_grmember.do?WSDL
It stores this information in account and group objects in RSA IAM Platform.
Account Name
The "user_name" field that is retrieved from the following web service is used as the account name in the account collector:
http://<instance_name>.service-now.com/sys_user.do?WSDL
Account Attribute Mapping
The following table lists the mapping of ServiceNow account-related attributes to RSA IAM Platform object attributes:
| ServiceNow Attributes | ACM Attributes | Description |
| active | Account.active | Status of the ServiceNow user (active or inactive). |
| name | Account.name | Name of the ServiceNow user. |
| user_name | Account.Account_name | User name of the ServiceNow user. |
| email | Account.email | Email Id of the ServiceNow user. |
| Last_Login_Time | Account.Last Login Date | Last login date of the ServiceNow user. |
| sys_id | Account.sys_id | Unique Id provided by ServiceNow. |
Account - User Resolution
One of the following attributes can be used for account to user mapping:
• user_name — This is preferred because it is unique for all users in the ServiceNow instance.
• email — This is not unique in the ServiceNow instance.
Note: ServiceNow allows creation of empty accounts, those with no user name for instance. Aveksa, however, does not collect such entities.
Collected Group Data
Groups are collected by the account collector.
Group Name
The "user_name" field that is retrieved from the following web service is used as the group name in group collection:
http://<instance_name>.service-now.com/sys_user_group.do?WSDL
Group Attribute Mapping
The following table lists the mapping of ServiceNow group-related attributes to RSA IAM Platform object attributes:
| ServiceNow Attributes | ACM Attributes | Description |
| active | Group.active | Status of the group (active or inactive). |
| Name | Group.Group_Name | Name of the group. |
| email | Group.email | Email address of the group. |
| manager | Group.manager | Manager of the group. |
| type | Group.type | The group type. |
| sys_id | Group.sys_id | The unique Id provided by ServiceNow. |
Group Account and Group Subgroup Resolutions
Groups can include accounts or other groups as members.
Group Membership Resolution
For group-account mapping, the account's account name should be used.
Mapping between users and groups is retrieved from the following web service:
http://<instance_name>.service-now.com/sys_user_grmember.do?WSDL
The membership records map to RSA IAM Platform objects as follows:
| ServiceNow Attributes | ACM Attributes |
| group | Group.Group_Name |
| user | Account.Account_Name |
Subgroup Resolution
For group-subgroup mapping, the group name should be used. The 'parent' field is fetched from the web service and holds the parent group's name; this is how the mapping between a group and its sub-groups is maintained.
Entitlement Data Collector Mapping
The entitlement collector gathers entitlement-related data in the form of application roles from the ServiceNow instance. It also provides the mapping of application roles with the accounts and groups collected by the ServiceNow account collector.
The entitlement collector collects information from the following ServiceNow web services:
• http://<instance_name>.service-now.com/sys_user_role.do?WSDL
• http://<instance_name>.service-now.com/sys_user_has_role.do?WSDL
• http://<instance_name>.service-now.com/sys_group_has_role.do?WSDL
• http://<instance_name>.service-now.com/sys_user_role_contains.do?WSDL
Application Role
Roles in ServiceNow are defined as application roles in RSA IAM Platform.
Application Role Name
The "name" attribute is used as the application role name.
Application Role Attribute Mapping
All roles are collected from the following web service:
http://<instance_name>.service-now.com/sys_user_role.do?WSDL
ServiceNow attributes are mapped to RSA IAM Platform object attributes as follows:
| ServiceNow Attributes | ACM Attributes | Description |
| name | AppRole.Name | The ServiceNow role name. |
| description | AppRole.description | The ServiceNow role description. |
| sys_id | AppRole.sys_id | The unique role Id provided by ServiceNow. |
Note: ServiceNow allows creation of empty roles, those with no names for instance. Aveksa, however, does not collect such entities.
Application Role – Account Resolution
User and role mapping information is retrieved from the following web service:
http://<instance_name>.service-now.com/sys_user_has_role.do?WSDL
Application roles are assigned to accounts using an account's account name attribute.
Application Role – Group Resolution
Group and role mapping information is retrieved from the following web service:
http://<instance_name>.service-now.com/sys_group_has_role.do?WSDL
Application roles are assigned to groups using a group's Group Name attribute.
Application Role – Sub Role Resolution
Role and sub-role mapping information is retrieved from the following web service:
http://<instance_name>.service-now.com/sys_user_role_contains.do?WSDL
Application sub-roles are assigned to application roles using an application role's role name attribute.
Data Collection Limitations
To deal with WSDL changes across different ServiceNow instances, Aveksa collects data using "System UI Views." Aveksa creates these System UI Views programmatically using the following web services:
• http://<instance_name>.service-now.com/sys_ui_view.do?WSDL
• http://<instance_name>.service-now.com/sys_ui_element.do?WSDL
• http://<instance_name>.service-now.com/sys_ui_section.do?WSDL
If these WSDLs change and extra fields are present in a WSDL for a particular ServiceNow instance, creation of the views fails.
System UI View WSDL Description
http://<instance_name>.service-now.com/sys_ui_view.do?WSDL
The following fields are supported in the View WSDL. For each field, the minimum occurrence is zero and the maximum occurrence is one.
• group
• hidden
• name
• roles
• sys_created_by
• sys_created_on
• sys_id
• sys_mod_count
• sys_updated_by
• sys_updated_on
• title
• user
System UI Section WSDL Description
http://<instance_name>.service-now.com/sys_ui_section.do?WSDL
The following fields are supported in the UI Section WSDL. For each field, the minimum occurrence is zero and the maximum occurrence is one.
• caption
• header
• name
• roles
• sys_created_by
• sys_created_on
• sys_domain
• sys_id
• sys_mod_count
• sys_overrides
• sys_updated_by
• sys_updated_on
• sys_user
• title
• view
• view_name
System UI Element WSDL Description
http://<instance_name>.service-now.com/sys_ui_element.do?WSDL
The following fields are supported in the UI Element WSDL. For each field, the minimum occurrence is zero and the maximum occurrence is one.
• element
• position
• sys_created_by
• sys_created_on
• sys_id
• sys_mod_count
• sys_ui_section
• sys_updated_by
• sys_updated_on
• sys_user
• type
Setup the AFX ServiceNow Connector
Note: If the ServiceNow instance is already configured for collection, no additional configuration is required. AFX uses the same configuration as the ServiceNow collectors, with or without WS Security. Because the System UI Views created during the collection process are used for AFX commands, the collectors must be run before auto-fulfilling requests with AFX.
This section describes the ServiceNow connector configuration in AFX. The ServiceNow Connector completes the following tasks:
• AddAccountToGroup
• AddAppRoleToAccount
• AddAppRoleToGroup
• AddGroupToGroup
• AddAppRoleToAppRole
• CreateAccount
• CreateGroup
• DeleteAccount
• DeleteGroup
• DisableAccount
• EnableAccount
• ResetPassword
• RemoveAccountFromGroup
• RemoveAppRoleFromAccount
• RemoveAppRoleFromGroup
• RemoveAppRoleFromAppRole
• UpdateAccount
See the Access Fulfillment Express Guide for more information on working with AFX.
See the Access Request Manager Guide for more information on working with request forms and account templates.
Create the ServiceNow Connector
To create the connector:
1. Select AFX > Connectors > Create Connector.
2. Click the General tab and configure the following settings:
• Name: <Name of ServiceNow connector>
• Connector Template: ServiceNow Connector
• Status: Active
3. Click the Settings tab and configure the following settings:
• InstanceName: <InstanceName>
• Username: <Username>
• Password: <Password>
• Select Enable WS Security (if WS Security is enabled on the ServiceNow instance).
• Enter the Private Key Password (if WS Security is enabled).
• Enter the private key of the certificate that is uploaded on the ServiceNow instance in the text area, in PEM format (if WS Security is enabled).
• Enter the certificate that is uploaded on the ServiceNow instance, in X.509 PEM format, in the X.509 Certificate uploaded on ServiceNow text area.
4. Click the Capabilities tab and select all check-boxes, and then click OK.
Create an Account Request Form
The request form enables users to request creation of an account.
To create the form:
1. Select Requests > Configuration > Request Forms.
2. Click Create Form.
3. Select Create a new Form, click Next, and then configure as follows:
• General Properties
- Form Name: <Form Name>
- Enabled: True
- FormType: Create Account
- Changes Apply to: One user with the following attributes: All
- Fulfillment Workflow: Default AFX Fulfillment
• Fields
Click New.
- Variable Name: <Var1 Name>
- Control Type: Password Field
- Question: “Enter Password”
Click OK.
Create an Account Template
The account template provides the account input parameters.
To create the account template:
1. Select Requests > Configuration > Account Templates.
2. Click Create Account Template, and then configure as follows:
• Name: <Account Template Name>
• Account Creation Form: Select the form previously created.
Click OK.
3. Click the name of the account template you just created. Configure as follows:
• Click Add Pending Account Parameter, and enter settings:
- Name: Name
- Value: ${User.User_Id}
Click OK.
• Click Add Parameter, and enter settings:
- Name: User
- Form Field: <Var1 Name>
Click OK.
• Click Add Parameter, and enter settings:
- Name: Password
- Form Field: <Var1 Name>
Click OK.
Associate the Account Template to the ServiceNow Application
You must associate the account template you just created to the ServiceNow application so the template can be used for requests for accounts from the application.
To associate the template to the application:
1. Select Resources > Applications.
2. Click <ServiceNow App Name>.
3. Click Requests.
4. Click Edit Account Template Associations.
5. Select <the account template you just created>.
6. Click OK.
7. Set Entitlements Require Account to Yes.
8. Select the Fulfillment Workflow: Default AFX Fulfillment.
Discover and Map the ServiceNow Connector in RSA IAM Platform
After you create the ServiceNow connector in AFX, you must discover the connector in RSA IAM Platform and map ServiceNow attributes to connector command parameters.
Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.
To discover the connector and map attributes:
1. Select AFX > Map Connectors.
2. Click Discover Connectors From AFX Server.
3. Click Apply Changes.
4. From the AFX Connector Summary window, click <Name of ServiceNow connector>.
5. Click the Capabilities tab.
6. Map command attributes as follows:
• AddAccountToGroup
- AccountName: ${Account.Name}
- GroupName: ${Group.Name}
• AddAppRoleToAccount
- AccountName: ${Account.Name}
- Role: ${ApplicationRole.Name}
• AddAppRoleToAppRole
- Role: ${ApplicationRole.Name}
- SubAppRoleName: ${ApplicationRole.Name}
• AddAppRoleToGroup
- GroupName: ${Group.Name}
- Role: ${ApplicationRole.Name}
• AddGroupToGroup
- GroupName: ${Group.Name}
- ParentGroupName: ${Group.Name}
• CreateAccount
- Email: ${User.Email_Address}
- Firstname: ${User.First_Name}
- Lastname: ${User.Last_Name}
- Password: ${AccountTemplate.Password}
- Username: ${User.User_Id}
• CreateGroup
- Not available in v6.5
• DeleteAccount
- UserName: ${Account.Name}
• DeleteGroup
- GroupName: ${Group.Name}
• DisableAccount
- UserName: ${Account.Name}
• EnableAccount
- UserName: ${Account.Name}
• RemoveAccountFromGroup
- UserName: ${Account.Name}
- GroupName: ${Group.Name}
• RemoveAppRoleFromAccount
- UserName: ${Account.Name}
- Role: ${ApplicationRole.Name}
• RemoveAppRoleFromAppRole
- Role: ${ApplicationRole.Name}
- SubAppRoleName: ${ApplicationRole.Name}
• RemoveAppRoleFromGroup
- GroupName: ${Group.Name}
- Role: ${ApplicationRole.Name}
• ResetPassword
- Password: <Any password>
- UserName: ${Account.Name}
• UpdateAccount
- UserName: ${User.User_Id}
- FirstName: ${User.First_Name}
- LastName: ${User.Last_Name}
- Email: ${User.Email_Address}
7. From the AFX Connector Summary window, click Enable for each command (to enable each command).
8. Click the General tab, and then click Enable (to enable the connector).
Bind the Connector to the ServiceNow Application
You must associate, or bind, the ServiceNow connector to the ServiceNow application to implement auto-fulfillment of the access request tasks you want completed in the ServiceNow system.
To bind the connector to the application:
1. Select Resources > Applications > ServiceNow > AFX Connector Binding.
2. Click Edit Connector Binding.
3. Select the ServiceNow connector from the drop-down list, and then click OK.
Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.
Chapter 7: Zendesk
Content
• “Set Up Zendesk for Onboarding” on page 78
• “Data Collection Prerequisites” on page 78
• “About Privileges for the Zendesk Service Account” on page 79
• “Configure Zendesk Account and Entitlement Data Collectors” on page 79
• “How Entitlements in Zendesk Appear in RSA IAM Platform” on page 81
• “Setup the AFX Zendesk Connector” on page 83
Set Up Zendesk for Onboarding
Before you create Zendesk data collectors, collect Zendesk data, and auto-fulfill requests for entitlements from Zendesk with AFX, you must obtain administrator or owner credentials for Zendesk.
Data Collection Prerequisites
Complete the following tasks before you create Zendesk data collectors:
• Create a Zendesk application in RSA IAM Platform.
• Define additional attributes you require for Zendesk objects in RSA IAM Platform that you want to collect from Zendesk.
Create a Zendesk Application
You must create a “Zendesk” application object in RSA IAM Platform with which you will associate Zendesk data collectors and an AFX auto-fulfillment connector.
To create the Zendesk application:
1. Select Resources > Applications > Create Application > Other Application.
2. Application Name: Zendesk.
See the Administrators Guide for more information on how to create and manage applications.
Define Additional Attributes
You must define attributes cited as mandatory in this section. If you want to collect all available data from Zendesk, you can define a set of additional attributes for the following objects in RSA IAM Platform:
• Account
• Application Role
• Group
See the Administrators Guide for more information on how to create and manage attributes.
To define attributes:
1. Select Admin > Attributes.
2. Select the Account tab and add the following attributes:
Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
GivenName | String | <use available> | Collected | Yes | Yes | No
Email | String | <use available> | Collected | Yes | Yes | No
Date | Date | <use available> | Collected | Yes | Yes | No
3. Select the Group tab and add the following attributes:
Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
CreatedAt | String | <use available> | Collected | Yes | Yes | No
About Privileges for the Zendesk Service Account
The service account must be an administrator for the particular subscription. This is a requirement for the Zendesk (AFX) connector as RSA IAM Platform provisions agent accounts into Zendesk. Only administrator users have the privileges to create agents. For Enterprise subscriptions, Zendesk allows you to customize the roles; however, the agent creation fails under the administrator role.
Configure Zendesk Account and Entitlement Data Collectors
This section describes how to configure an account data collector and an entitlement data collector for the Zendesk application.
Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 78 were in fact defined.
Configure the Zendesk Account Collector
This section describes how to configure an account collector for the Zendesk application.
To configure the collector:
1. From the Zendesk application’s Collectors tab, click Create Account Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of Zendesk ADC>
- Data Source Type: Zendesk
• Configuration Information
- Admin Email Address: <Email Address of the admin of the domain registered on Zendesk>
- Admin Password: <Password of the admin of the domain registered with Zendesk>
- Company Name: <Company URL>
• Map Collector Attributes to Account Mapping Attributes
- Email: <Email Address of the admin of the domain registered on Zendesk>
• Map Collector Attributes to Account Attributes
- User Reference: email
- Type: type
- GivenName: name
- Date: created_at
• Map Collector Attributes to Group Attributes
- Name: groupName
- CreatedAt: created_at
• Edit User Resolution Rules
- Target Collector: <Name of the identity collector that collects Zendesk users> or Users
- User Attribute: Email Address
• Edit Member Account Resolution Rules
- Target collector: <Name of Zendesk ADC>
- Account Attribute: Name
• Edit Sub-group Resolution Rules
- Target collector: <Name of Zendesk ADC>
- Group Attribute: Name
Configure the Zendesk Entitlement Collector
This section describes how to configure an entitlement collector for the Zendesk application.
To configure the collector:
1. From the Zendesk application’s Collectors tab, click Create Entitlement Collector.
2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.
Configuration Specifications:
• Collector Description
- Collector Name: <Name of the Zendesk EDC>
- Data Source Type: Zendesk
• Group Evaluation
- Associated Collector: <Name of Zendesk ADC>
- Group Value Evaluates to: Account Name
• Account Evaluation
- Associated Account Collector: <Name of Zendesk ADC>
- Account Value Evaluates to: Account Name
How Entitlements in Zendesk Appear in RSA IAM Platform
This section provides information regarding how particular Zendesk attributes are mapped to RSA IAM Platform attributes.
Account Data Collector Mapping
The account collector gathers account- and group-related information from the "User", "Group", and "GroupMember" objects of the Zendesk instance. It stores this information in the 'Account' and 'Group' objects of RSA IAM Platform:
Account Name
User.Username is used as the account name in the account collector.
Account Attribute Mapping
The following table lists the mapping of Zendesk account-related attributes to RSA IAM Platform object attributes:
Zendesk Attributes | ACM Attributes | Description
User.Id | Account.External Id | Unique ID provided by Zendesk to each user object.
User.IsActive | Account.Status | Whether the user's account in Zendesk is active or not.
User.Email | Account.email | Email address of the Zendesk user.
Account - User Resolution
One of the following attributes can be used for account to user mapping:
• user_name — User Id.
• email — This is preferred because it is unique for all users in the Zendesk instance.
Collected Group Data
Groups are collected by the account collector.
Group Name
Group.Name is used as the group name in the account collector.
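The account-to-user resolution choice described above, as an added example in Python (not RSA Aveksa code). The resolver works with either key, user_name or email, and reports the two outcomes a collector run must surface: accounts with no matching identity, and key values that match more than one record on either side. The Zendesk users and the RSA IAM Platform identity records are constructed samples, built so that user_name collides while email resolves cleanly, which is the reason the guide prefers email.

```python
"""Resolve Zendesk accounts to RSA IAM Platform users by a chosen attribute.

Added example, not RSA Aveksa code. Shows why a resolution key must be unique
on both sides: a duplicate key cannot be mapped safely and is reported as
ambiguous rather than silently assigned to the first match.
"""
from collections import defaultdict

# Constructed Zendesk users (what the account collector reads).
ZENDESK_USERS = [
    {"id": 101, "user_name": "jsmith", "email": "john.smith@example.com", "active": True},
    {"id": 102, "user_name": "jsmith", "email": "jane.smith@example.com", "active": True},
    {"id": 103, "user_name": "ali",    "email": "ali@example.com",        "active": False},
    {"id": 104, "user_name": "temp",   "email": "contractor@example.com", "active": True},
]

# Constructed identity records already present in RSA IAM Platform.
IAM_USERS = [
    {"user_id": "jsmith",  "email_address": "john.smith@example.com"},
    {"user_id": "jsmith2", "email_address": "jane.smith@example.com"},
    {"user_id": "ali",     "email_address": "ali@example.com"},
]

# Resolution key -> (attribute on the Zendesk side, attribute on the IAM side).
KEYS = {
    "user_name": ("user_name", "user_id"),
    "email":     ("email", "email_address"),
}


def _index(records, attr):
    """Index records by a normalised attribute value; lists keep duplicates visible."""
    idx = defaultdict(list)
    for r in records:
        value = str(r.get(attr, "")).strip().lower()
        if value:
            idx[value].append(r)
    return idx


def resolve(accounts, users, key):
    """Return (resolved, unmatched, ambiguous) for the chosen resolution key.

    resolved:  {zendesk user id -> IAM user_id}
    unmatched: zendesk user ids with no IAM record for that key
    ambiguous: key values matching several records on either side
    """
    acct_attr, user_attr = KEYS[key]
    by_user = _index(users, user_attr)
    by_acct = _index(accounts, acct_attr)
    resolved, unmatched, ambiguous = {}, [], set()
    for value, accts in by_acct.items():
        matches = by_user.get(value, [])
        if len(accts) > 1 or len(matches) > 1:
            ambiguous.add(value)        # never guess between duplicates
            continue
        if not matches:
            unmatched.append(accts[0]["id"])
            continue
        resolved[accts[0]["id"]] = matches[0]["user_id"]
    return resolved, sorted(unmatched), sorted(ambiguous)


if __name__ == "__main__":
    for key in KEYS:
        print(key, resolve(ZENDESK_USERS, IAM_USERS, key))
```

Unmatched accounts are the ones that end up as orphan accounts in reviews; ambiguous ones are worse, because an arbitrary pick would attach one person's entitlements to another identity, so the resolver refuses to map them at all.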
Group Attribute Mapping
The following table lists the mapping of Zendesk group-related attributes to RSA IAM Platform object attributes:
Zendesk Attributes | ACM Attributes | Description
Group.Id | Group.Id | Unique ID provided by Zendesk to each group object.
Group.Name | Group.Name | Name of the group.
Group.Created_at | Group.Created_at | Date the group was created.
Group Account and Group Subgroup Resolutions
Groups can have accounts as members.
Group members for groups are added based on the group member mapping present in Zendesk's GroupMember object.
Group Membership Resolution
For Group-Account mapping, an account's Account Name should be used.
Entitlement Data Collector Mapping
The entitlement collector gathers entitlement-related data in the form of application roles from the Zendesk instance. It also provides the mapping of application roles with the accounts collected by the Zendesk account collector.
Application Roles
This collector collects information from users about the roles they belong to. It stores this data as application roles in RSA IAM Platform.
Application Role Name
The Role.Name attribute is used as the application role name.
Application Role Attribute Mapping:
Zendesk Attributes | ACM Attributes | Description
Role.name | AppRole.Name | The role specified for each user in Zendesk is the user’s application role in RSA IAM Platform.
Application Role – Account Resolution
Application roles are assigned to accounts using the account's Email Address attribute.
Setup the AFX Zendesk Connector
This section describes the Zendesk connector configuration in AFX. The Zendesk Connector completes the following tasks:
• Create Account
• Delete Account
• Disable Account
• Enable Account
• Create Group
• Delete Group
• Add Account to Group
• Remove Account From Group
• Update Account
See the Access Fulfillment Express Guide for more information on working with AFX.
See the Access Request Manager Guide for more information on working with request forms and account templates.
Create the Zendesk Connector
When you create the Zendesk connector, enter the same credentials required to create the Zendesk account and entitlement collectors.
To create the connector:
1. Select AFX > Connectors > Create Connector.
2. Click the General tab and configure the following settings:
• Name: <Name of Zendesk connector>
• Connector Template: Zendesk Connector
• Status: Active
3. Click the Settings tab and configure the following settings:
• Username: <Username>
• Password: <Password>
• Company Name: <Company URL>
4. Click the Capabilities tab and select all check-boxes, and then click OK.
Create an Account Request Form
The request form enables users to request creation of an account.
To create the form:
1. Select Requests > Configuration > Request Forms.
2. Click Create Form.
3. Select Create a new Form, click Next, and then configure as follows:
• General Properties
- Form Name: <Form Name>
- Enabled: True
- FormType: Create Account
- Changes Apply to: One user with the following attributes: All
- Fulfillment Workflow: Default AFX Fulfillment
• Fields
Click New.
- Variable Name: <Var1 Name>
- Control Type: Drop Down Select
- Question: “Enter the Role”
- Options: Enter the following:
Value: Admin
Display: Admin
Click Add.
Value: Agent
Display: Agent
Click Add.
Click OK.
Create an Account Template
The account template provides the account input parameters.
To create the account template:
1. Select Requests > Configuration > Account Templates.
2. Click Create Account Template, and then configure as follows:
• Name: <Account Template Name>
• Account Creation Form: Select the form previously created.
Click OK.
3. Click the name of the account template you just created. Configure as follows:
• Click Add Pending Account Parameter, and enter settings:
- Name: Name
- Value: ${User.Email_Address}
Click OK.
• Click Add Parameter, and enter settings:
- Name: Role
- Form Field: <Var1 Name>
Click OK.
Associate the Account Template to the Zendesk Application
You must associate the account template you just created to the Zendesk application so the template can be used for requests for accounts from the application.
To associate the template to the application:
1. Select Resources > Applications.
2. Click <Zendesk App Name>.
3. Click Requests.
4. Click Edit Account Template Associations.
5. Select <the account template you just created>.
6. Click OK.
7. Set Entitlements Require Account to Yes.
8. Select the Fulfillment Workflow: Default AFX Fulfillment.
Discover and Map the Zendesk Connector in RSA IAM Platform
After you create the Zendesk connector in AFX, you must discover the connector in RSA IAM Platform and map Zendesk attributes to connector command parameters.
Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.
To discover the connector and map the attributes:
1. Select AFX > Map Connectors.
2. Click Discover Connectors From AFX Server.
3. Click Apply Changes.
4. From the AFX Connector Summary window, click <Name of Zendesk connector>.
5. Click the Capabilities tab.
6. Map command attributes as follows:
• AddAccountToGroup
- Group: ${Group.Name}
- Email: ${Account.Name}
• AddGroupToGroup
- GroupName: ${Group.Name}
- ParentGroupName: ${Group.Name}
• CreateAccount
- GivenName: ${User.Name}
- Email: ${Account.Name}
- Verified: true or false
- Role: ${AccountTemplate.Role}
• CreateGroup
- Group: ${Group.Name}
• DeleteAccount
- User: ${Account.Name}
• DeleteGroup
- Group: ${Group.Name}
• DisableAccount
- User: ${Account.Name}
• EnableAccount
- User: ${Account.Name}
• RemoveAccountFromGroup
- User: ${Account.Name}
- Group: ${Group.Name}
• UpdateAccount
- Email: ${Account.Name}
- GivenName: ${User.Name}
7. From the AFX Connector Summary window, click Enable for each command (to enable each command).
8. Click the General tab, and then click Enable (to enable the connector).
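The ${Object.Attribute} command mappings used in both the ServiceNow and the Zendesk "Map command attributes" steps, as an added example in Python (not RSA Aveksa code). It renders a command's parameters from the collected objects and enforces the note in both sections that every attribute referenced by a mapping must have been collected before the command runs, failing the whole command rather than sending a half-filled request to the target system. The mappings are the CreateAccount mappings from the two sections; the context records and the password value are constructed samples, and the placeholder syntax is read as the guide shows it.

```python
"""Render AFX command parameter mappings and check that referenced attributes exist.

Added example, not RSA Aveksa code. Mappings use the ${Object.Attribute}
style shown in the connector mapping tables; literals (such as "true") pass
through unchanged.
"""
import re

PLACEHOLDER = re.compile(r"\$\{([A-Za-z]+)\.([A-Za-z_]+)\}")

# CreateAccount mappings as given for the ServiceNow and Zendesk connectors.
SERVICENOW_CREATE_ACCOUNT = {
    "Email": "${User.Email_Address}",
    "Firstname": "${User.First_Name}",
    "Lastname": "${User.Last_Name}",
    "Password": "${AccountTemplate.Password}",
    "Username": "${User.User_Id}",
}
ZENDESK_CREATE_ACCOUNT = {
    "GivenName": "${User.Name}",
    "Email": "${Account.Name}",
    "Verified": "true",              # literal, not a placeholder
    "Role": "${AccountTemplate.Role}",
}

# Parameters that must never reach a fulfillment log in clear text.
SENSITIVE = {"Password"}


class MappingError(ValueError):
    """Raised when a mapping references an attribute that was not collected."""


def render_command(mapping, context):
    """Substitute placeholders from context; raise MappingError listing every unresolved one.

    context is {object name: {attribute: value}}, e.g. the collected User record.
    An empty or missing attribute counts as unresolved: an empty Username or
    Email would otherwise produce a request the target system rejects or,
    worse, accepts with a blank identifier.
    """
    rendered, missing = {}, []
    for param, template in mapping.items():
        def substitute(match):
            obj, attr = match.group(1), match.group(2)
            value = context.get(obj, {}).get(attr)
            if value in (None, ""):
                missing.append(f"{param} -> ${{{obj}.{attr}}}")
                return ""
            return str(value)
        rendered[param] = PLACEHOLDER.sub(substitute, template)
    if missing:
        raise MappingError("unresolved: " + ", ".join(missing))
    return rendered


def referenced_attributes(mapping):
    """Sorted list of Object.Attribute names a mapping needs; useful to verify collector coverage."""
    return sorted({f"{o}.{a}" for t in mapping.values() for o, a in PLACEHOLDER.findall(t)})


def redact(rendered):
    """Copy of a rendered command that is safe to write to a log."""
    return {k: ("***" if k in SENSITIVE else v) for k, v in rendered.items()}


if __name__ == "__main__":
    # Constructed sample of collected attributes for one user.
    ctx = {
        "User": {"Email_Address": "alice@example.com", "First_Name": "Alice",
                 "Last_Name": "Ng", "User_Id": "alice"},
        "AccountTemplate": {"Password": "sample-only-Pa55"},
    }
    print(redact(render_command(SERVICENOW_CREATE_ACCOUNT, ctx)))
    print(referenced_attributes(ZENDESK_CREATE_ACCOUNT))
```

Running referenced_attributes over every enabled command before the connector is enabled gives the list of attributes the collectors have to supply, which is the practical form of the note that mappings must use collected attributes or be changed to ones that are.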
Bind the Connector to the Zendesk Application
You must associate, or bind, the Zendesk connector to the Zendesk application to implement auto-fulfillment of access request tasks you want completed in the Zendesk system.
To bind the connector to the application:
1. Select Resources > Applications > Zendesk > AFX Connector Binding.
2. Click Edit Connector Binding.
3. Select the Zendesk connector from the drop-down list, and then click OK.
Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.
Index
A
account request forms: Google Apps 34; NetSuite 46; Salesforce 22; ServiceNow 72; Zendesk 84
account template: Amazon Web Services 55; Google Apps 35; NetSuite 46; Salesforce 23; ServiceNow 73; Zendesk 85
account template association: Amazon Web Services 55; Google Apps 36; NetSuite 47; Salesforce 24; ServiceNow 73; Zendesk 85
AFX auto-fulfillment connectors: Amazon Web Services 54; Google Apps 33; NetSuite 45; Salesforce 21; ServiceNow 71; Zendesk 83
Amazon Web Services
  account template 55
  application 52
  associate account template to application 55
  bind connector to application 56
  data collectors 52
  entitlement mapping 54
  onboarding with the application wizard 10
  security credentials 52
  set up request fulfillment connector 54
application onboarding wizard 9
D
data collectors: Amazon Web Services 52; Google Apps 28, 30; NetSuite 42; Salesforce 15; ServiceNow 63; Zendesk 79
G
Google Apps
  account request form 34
  account template 35
  application 29
  associate account template to application 36
  attributes 30
  bind connector to application 38
  data collectors 28, 30
  entitlement mapping 33
  onboarding with the application wizard 10
  set up for onboarding 28
  set up request fulfillment connector 33
N
NetSuite
  account request form 46
  account template 46
  application 41
  associate account template to application 47
  attributes 42
  bind connector to application 49
  data collectors 42
  enable web services for AFX auto-fulfillment 45
  onboarding with the application wizard 10
  set up for onboarding 40
  set up request fulfillment connector 45
S
Salesforce
  account request form 22
  account template 23
  application 14
  associate account template to application 24
  attributes 14
  bind connector to application 26
  collected account data mapping 18
  collected group data mapping 19
  data collectors 15
  onboarding with the application wizard 10
  request auto-fulfillment connector 21
  set up for onboarding 14
ServiceNow
  account data mapping 66
  account request form 72
  account template 73
  application 61
  associate account template to application 73
  attributes 62
  bind connector to application 76
  collected group data 67
  data collection limitations 69
  data collectors 63
  entitlement data mapping 68
  onboarding with the application wizard 10
  set up for onboarding 60
  set up request fulfillment connector 71
  system UI views 69
  WS security for a ServiceNow collector 63
  WS security for the ServiceNow instance 60
Z
Zendesk
  account data mapping 81
  account request form 84
  account template 85
  application 78
  associate account template to application 85
  attributes 78
  bind connector to application 87
  collected group data 81
  data collectors 79
  entitlement data mapping 82
  onboarding with the application wizard 10
  set up for onboarding 78
  set up request fulfillment connector 83