RSA Identity and Access Management Platform

Onboarding Cloud Applications Guide V6.8.1

Notice

Contact Information

Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm. For sales information, contact RSA Aveksa, Inc. at [email protected]. For technical support, contact RSA Aveksa, Inc. at [email protected]. For more information about RSA Aveksa, Inc., visit http://www.aveksa.com.

Trademarks

RSA, the RSA Logo, Aveksa, and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm#rsa.

License Agreement

This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person.

No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability.

This software is subject to change without notice and should not be construed as a commitment by EMC.

Third-Party Licenses

This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed by launching the RSA Aveksa product and selecting the About menu.

Note on Encryption Technologies

This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright © 2013 EMC Corporation. All Rights Reserved. Published in the USA.

December 2013

Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

How This Guide Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 1: Onboarding with the Application Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Using the Create Application Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Chapter 2: Salesforce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Set Up Salesforce for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Create a Salesforce Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Configure Salesforce Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . 15

Salesforce Connection Configuration Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Configure the Salesforce Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Configure the Salesforce Entitlement Data Collector . . . . . . . . . . . . . . . . . . . . . . . . . 17

How Entitlements in Salesforce Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . 18

Collected Account Data Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Collected Group Data Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Collected Entitlement Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Set Up the AFX Salesforce Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Create the Salesforce Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Associate the Account Template to the Salesforce Application . . . . . . . . . . . . . . . . . . 24

Discover the Salesforce Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . 24

Bind the Connector to the Salesforce Application . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Chapter 3: Google Apps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Set Up Google Apps for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Configure Google Apps for Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Create a Google Apps Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Configure Google Apps Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . 30

Configure the Google Apps Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31


Configure the Google Apps Entitlement Data Collector . . . . . . . . . . . . . . . . . . . . . . . . 32

How Entitlements in Google Apps Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . 33

Set Up the AFX Google Apps Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Create the Google Apps Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Associate the Account Template to the Google Apps Application . . . . . . . . . . . . . . . . . 36

Discover the Google Apps Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . 36

Bind the Connector to the Google Apps Application . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Chapter 4: NetSuite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Set Up NetSuite for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Create a NetSuite Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Configure NetSuite Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . . . 42

Configure the NetSuite Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Configure the NetSuite Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

How Entitlements in NetSuite Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . . 44

Set Up the AFX NetSuite Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

How to Prepare NetSuite for AFX Automatic Fulfillment . . . . . . . . . . . . . . . . . . . . . . . 45

Create the NetSuite Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Associate the Account Template to the NetSuite Application . . . . . . . . . . . . . . . . . . . . 47

Discover and Map the NetSuite Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . 47

Bind the Connector to the NetSuite Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 5: Amazon Web Services (AWS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Get Security Credentials from AWS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Create an AWS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Configure AWS Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . . . . . . 52

Configure the AWS Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Configure the AWS Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

How Entitlements in AWS Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Set Up the AFX AWS Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Create the AWS Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Associate the Account Template to the AWS Application . . . . . . . . . . . . . . . . . . . . . . 55

Discover and Map the AWS Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . 56

Bind the Connector to the AWS Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57


Chapter 6: ServiceNow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Set Up ServiceNow for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Configure ServiceNow Properties for Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Enable WS Security on the ServiceNow Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Create a ServiceNow Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Configure ServiceNow Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . 63

ServiceNow Connection Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Enabling WS Security for a ServiceNow Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Configure the ServiceNow Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Configure the ServiceNow Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

How Entitlements in ServiceNow Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . 66

Account Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Collected Group Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Entitlement Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Application Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Data Collection Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Setup the AFX ServiceNow Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Create the ServiceNow Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Associate the Account Template to the ServiceNow Application . . . . . . . . . . . . . . . . . 73

Discover and Map the ServiceNow Connector in RSA IAM Platform . . . . . . . . . . . . . . . 74

Bind the Connector to the ServiceNow Application . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Chapter 7: Zendesk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Set Up Zendesk for Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Data Collection Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Create a Zendesk Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Define Additional Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

About Privileges for the Zendesk Service Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Configure Zendesk Account and Entitlement Data Collectors . . . . . . . . . . . . . . . . . . . . . . 79

Configure the Zendesk Account Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Configure the Zendesk Entitlement Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

How Entitlements in Zendesk Appear in RSA IAM Platform . . . . . . . . . . . . . . . . . . . . . . . 81

Account Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Collected Group Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Entitlement Data Collector Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Setup the AFX Zendesk Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83


Create the Zendesk Connector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Create an Account Request Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Create an Account Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Associate the Account Template to the Zendesk Application . . . . . . . . . . . . . . . . . . . . 85

Discover and Map the Zendesk Connector in RSA IAM Platform . . . . . . . . . . . . . . . . . 86

Bind the Connector to the Zendesk Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89


Preface

Audience

This guide is intended for administrators authorized to create and manage data collectors and AFX connectors for cloud applications.

Note: You require an Access Fulfillment Express license to use AFX to create auto-fulfillment connectors. Contact an RSA sales representative for more information.

How This Guide Is Organized

Wizard-based onboarding is covered in:

Chapter 1, “Onboarding with the Application Wizard,” on page 9

Data collector and AFX auto-fulfillment connector configuration instructions are organized in this guide by cloud application as follows:

• Chapter 2, “Salesforce,” on page 13

• Chapter 3, “Google Apps,” on page 27

• Chapter 4, “NetSuite,” on page 39

• Chapter 5, “Amazon Web Services (AWS),” on page 51

• Chapter 6, “ServiceNow,” on page 59

• Chapter 7, “Zendesk,” on page 77


Text Conventions

This guide uses the following text conventions:

Element | Convention Used | Example
Variables (The user supplies a value for the variable.) | Courier and Italic in angle brackets (<>) | Enter the following: DISPLAY=<workstation name>:0.0 export display
On-screen text | Courier | The following line displays: path="/audit"
User-typed text | Courier | Enter the following path name: /etc/init.d/
Cross-references | Underlined and hypertext-blue | See “Related Documents” on page 8.
References to documents (title and number) | Italic | Installation Guide

Related Documents

Other documents in the RSA Identity and Access Management Platform (RSA IAM Platform) document set include:

• Installation and Upgrade Guide

• Database Setup and Management Guide

• Installation and Upgrade on WebSphere Guide

• Installation and Upgrade on WebLogic Guide

• Administrators Guide

• User Tasks Guide

• Collectors Guide

• Business Role Manager Guide

• Access Request Manager Guide

• Data Access Governance Guide

• Access Fulfillment Express Guide

• Access Fulfillment Express Connector Configuration Guide

• Public Database Schema Reference

• Novell Identity Manager Integration Guide

• Sun Identity Manager Integration Guide

• IBM Tivoli Identity Manager Integration Guide


Chapter 1: Onboarding with the Application Wizard

Content

• “Introduction” on page 10

• “Using the Create Application Wizard” on page 10


Introduction

This guide describes how to manually onboard cloud applications (the “traditional” way) by creating the applications, any additional attributes that must be collected for the applications, the data collectors for the applications, and, if applicable, the AFX auto-fulfillment connectors. This chapter describes how to complete that entire onboarding process using the application wizards instead.

The wizard for each application creates a specific set of components (attributes, collectors, and, if applicable, AFX connectors) for an application using all of the specifications cited in the cloud application chapters of this guide. If you want to control exactly what is created, create the application and its other components manually as described in the other chapters of this manual. You may, for example, not want the additional attributes the wizard creates, or you may want to create and collect additional attributes that the wizard does not create and the collectors it creates do not collect.

Using the Create Application Wizard

Note: See the cloud application chapters in this guide to review the application components (attributes, collectors, and so on) the applications wizards are designed to create.

Before you use a wizard to onboard a cloud application, you must obtain the credentials required to access the application. You can modify any object the wizard creates as necessary after the wizard has created it.

To use the application wizard to onboard an application:

1. Click the Resources tab and select Applications.

2. Click Create Application.

A list of cloud application names appears.

Note: The Other Applications option lets you create an application manually. See “Creating Applications” on page 150 in the Administrators Guide for more information. See the remaining chapters in this guide for information on how to manually onboard cloud applications.

3. Select the application you want to create, and then click Next.

The Remote Application Setup window appears.

4. Provide access credentials required to connect to the application, and then click Next.

The Connect window appears.

5. Enter a name for the application, and enter the connection and other required settings. If multiple AFX servers are available, you can select a particular server from the Enter the AFX Server drop-down selection field. Otherwise, the single AFX server is displayed. See the Access Fulfillment Express Guide for more information on AFX servers.

6. Click the Test Connection button to confirm you have entered correct connection settings, and then click Next. (Correct connection settings if the test failed. You cannot proceed through the wizard if the connection settings are incorrect.)

The Confirm Changes window appears.


7. Review the components the wizard is designed to create and, if no changes are required, click Next.

The Change Summary window appears. It indicates the components the wizard created. Click Close to exit the wizard.


Chapter 2: Salesforce

Content

• “Set Up Salesforce for Onboarding” on page 14

• “Data Collection Prerequisites” on page 14

• “Configure Salesforce Account and Entitlement Data Collectors” on page 15

• “How Entitlements in Salesforce Appear in RSA IAM Platform” on page 18

• “Set Up the AFX Salesforce Connector” on page 21


Set Up Salesforce for Onboarding

You must create a Salesforce user so that data collectors can access Salesforce data through the Salesforce API and so that AFX can auto-fulfill approved change requests. Create a special user (integration user) solely for integration purposes. Assign this user a special profile with the following permissions selected:

• API Enabled

• Modify All Data (This is not mandatory if only collection is required.)

Data Collection Prerequisites

Complete the following tasks before you create Salesforce data collectors:

• Create a Salesforce application in RSA IAM Platform.

• Define additional attributes you require for Salesforce objects in RSA IAM Platform that you want to collect from Salesforce.

Create a Salesforce Application

You must create a “Salesforce” application object in RSA IAM Platform with which you will associate the Salesforce data collectors and an AFX auto-fulfillment connector.

To create the Salesforce application:

1. Select Resources > Applications > Create Application > Other Application.

2. Application Name: Salesforce.

See the Administrators Guide for more information on how to create and manage applications.

Define Additional Attributes

If you want to collect all available data from Salesforce, you can define a set of additional attributes for the following objects in RSA IAM Platform:

• Account

• Application Role

• Group

See the Administrators Guide for more information on how to create and manage attributes.

To define attributes:

1. Select Admin > Attributes.

2. Select the Account tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
External Id | String | <use available> | Collected | No | No | No
Email | String | <use available> | Collected | Yes | Yes | No
Is Active | String | <use available> | Collected | Yes | Yes | No
User Role Id | String | <use available> | Collected | No | No | No
User Role Name | String | <use available> | Collected | Yes | Yes | No

3. Select the Group tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
External Id | String | <use available> | Collected | No | No | No
Email | String | <use available> | Collected | Yes | Yes | No
Type | String | <use available> | Collected | Yes | Yes | No

4. Select the Application Role tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
External Id | String | <use available> | Collected | No | No | No
Type | String | <use available> | Collected | Yes | Yes | No
User Type | String | <use available> | Collected | Yes | Yes | No
User License Id | String | <use available> | Collected | No | No | No
User License Name | String | <use available> | Collected | Yes | Yes | No

Configure Salesforce Account and Entitlement Data Collectors

This section describes how to configure an account data collector and an entitlement data collector for the Salesforce application.

Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 14 were in fact defined.


Salesforce Connection Configuration Specifications

You require the following information to create Salesforce collectors:

Parameter Name | Description
URL | Base URL of the Salesforce instance. For example: https://ap1.salesforce.com.
Username | Username for the user created for integration.
Password | Password for the user created for integration.
Security Token | Security token for the user created for integration. A security token is an automatically generated key required for log in to Salesforce from an untrusted network. If the network is trusted by Salesforce, you are not required to provide this token.
Salesforce API Version | The Salesforce API version supported by the Salesforce instance.

Configure the Salesforce Account Collector

This section describes how to configure an account collector for the Salesforce application.

To configure the collector:

1. From the Salesforce application’s Collectors tab, click Create Account Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description Page

- Collector Name: <Name of Salesforce ADC>

- Data Source Type: Salesforce

• Configuration Information

- Salesforce Instance URL: <Enter the Salesforce Instance URL specified in WSDL under the node "soap:address.">

- Target Namespace: <Enter the target namespace specified in WSDL under node "definitions" attribute "targetNamespace.">

- Salesforce API URL: <Base URL of the Salesforce instance API access. For example, https://ap1.salesforce.com>

- Username: <username>

- Password: <password>

- Security Token: <security token>

- Salesforce API version: <Salesforce API Version>

• Map Collector Attributes to Account Mapping Attributes

- User Reference: Email

• Map Collector Attributes to Account Attributes

- Last Login Date: LastLoginDate

- Email: Email

- External Id: ID

- Is Active: IsActive

- User role id: UserRoleId

- User role name: UserRoleName

• Map Collector Attributes to Group Attributes

- Email: GroupEmail

- External Id: GroupId

- Owner: GroupOwnerId

- Type: GroupType

• Edit User Resolution Rules

- Target Collector: <Name of the IDC that collects Salesforce users>

- User Attribute: Email Address

• Edit Member Account Resolution Rules

- Target collector: <Name of Salesforce ADC>

- Account Attribute: Account Name

• Edit Sub-Group Resolution Rules

- Target collector: <Name of Salesforce ADC>

- Group Attribute: Name

Configure the Salesforce Entitlement Data Collector

This section describes how to configure an entitlement collector for the Salesforce application.

To configure the collector:

1. From the Salesforce application’s Collectors tab, click Create Entitlement Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description Page

- Collector Name: <Name of Salesforce EDC>

- Data Source Type: Salesforce


• Configuration Information

- Instance URL: <Enter the Salesforce Instance URL specified in WSDL under the node "soap:address.">

- Target Namespace: <Enter target namespace specified in WSDL under node "definitions" attribute "targetNamespace.">

- Salesforce API URL: <Salesforce API URL>

- Username: <username>

- Password: <password>

- Security Token: <security token>

- Salesforce API version: <Salesforce API Version>

• Map Collector Attributes to App Role Attributes

- External Id: ID

- Type: AppRoleType

- User license id: UserLicenseId

- User license name: UserLicenseName

- User type: UserType

• Account Evaluation

- Associated account collector: <Name of Salesforce ADC>

- Account value evaluated to: Account Name
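The Configuration Information pages of both the account collector and the entitlement collector take the instance URL from the WSDL's soap:address node and the target namespace from the targetNamespace attribute of its definitions node. The following is an added example, not code from this guide or from RSA, that reads those two values from a Salesforce WSDL and checks the endpoint before the values are pasted into a collector. The WSDL text, host name and organization id in it are constructed; deriving the API version from the endpoint path is a convenience of this example and is not something the guide describes.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed stand-in for a Salesforce Enterprise WSDL. Only the elements the
# collector configuration asks about are present; host and org id are made up.
SAMPLE_WSDL = """<definitions targetNamespace="urn:enterprise.soap.sforce.com"
             xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:tns="urn:enterprise.soap.sforce.com"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">
  <service name="SforceService">
    <port binding="tns:SoapBinding" name="Soap">
      <soap:address location="https://example.my.salesforce.com/services/Soap/c/29.0/00Dxx0000000001"/>
    </port>
  </service>
</definitions>
"""


def extract_collector_settings(wsdl_xml):
    """Return the values the Salesforce collector pages ask for, read from a WSDL.

    Raises ValueError when the document is not a WSDL, lacks the fields, or
    points at an endpoint that is not an https salesforce.com host.
    """
    root = ET.fromstring(wsdl_xml)
    if root.tag != "{%s}definitions" % WSDL_NS:
        raise ValueError("root element is %r, not a WSDL definitions element" % root.tag)

    # Target Namespace: the "targetNamespace" attribute of the "definitions" node.
    target_ns = root.get("targetNamespace")
    if not target_ns:
        raise ValueError("definitions element has no targetNamespace attribute")

    # Salesforce Instance URL: the "location" of the soap:address node.
    address = root.find(".//{%s}address" % SOAP_NS)
    if address is None or not address.get("location"):
        raise ValueError("no soap:address with a location attribute found")
    location = address.get("location")

    # Defensive checks: the collector sends the integration user's credentials
    # to this endpoint, so refuse plaintext transports and unexpected hosts.
    parsed = urlparse(location)
    if parsed.scheme != "https":
        raise ValueError("soap:address must use https, got %r" % parsed.scheme)
    host = parsed.hostname or ""
    if host != "salesforce.com" and not host.endswith(".salesforce.com"):
        raise ValueError("unexpected endpoint host %r" % host)

    # Convenience: the API version appears in the path /services/Soap/<kind>/<version>/...
    match = re.search(r"/services/Soap/[a-z]+/(\d+\.\d+)", parsed.path)
    api_version = match.group(1) if match else None

    return {
        "instance_url": location,           # Salesforce Instance URL
        "target_namespace": target_ns,      # Target Namespace
        "api_base_url": "https://" + host,  # Salesforce API URL (base URL of the instance)
        "api_version": api_version,         # Salesforce API version
    }


if __name__ == "__main__":
    for key, value in extract_collector_settings(SAMPLE_WSDL).items():
        print("%-17s %s" % (key + ":", value))
```

Run it against the WSDL downloaded from your own organization rather than the constructed sample; the host check keeps a WSDL obtained from an unexpected source from silently pointing the collector, and the integration user's password and security token, at a third-party endpoint.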

How Entitlements in Salesforce Appear in RSA IAM Platform

This section describes how Salesforce attributes are mapped to RSA IAM Platform attributes.

Collected Account Data Mapping

The Salesforce account collector gathers account and group-related information from the "User," "Group," "GroupMember," and "UserRole" objects of the Salesforce instance. RSA IAM Platform stores this information in its “Account” and “Group” objects.

Account Name

The User.Username attribute is used as the account name in the account collector.


Account Attribute Mapping

The following table lists the mappings between Salesforce account attributes and RSA IAM Platform object attributes:

Salesforce Attributes | ACM Attributes | Description
User.Id | Account.External Id | Unique ID provided by Salesforce to each user object.
User.Email | Account.Email | Email address of the Salesforce user.
User.LastLoginDate | Account.Last Login Date | Last login date of the Salesforce user.
User.UserRoleId | Account.UserRoleId | User's role ID.
UserRole.Name | Account.UserRoleName | User's role name.
User.IsActive | Account.IsActive | Indication of whether the user's account in Salesforce is active or not.

Account-User Resolution

One of the following attributes can be used for account to user mapping:

• Username (Preferred because it is unique for all users in the Salesforce instance)

• Email

Note: In most cases Username and Email are identical. Because, however, Salesforce includes both fields and each can have a different value, each is collected and available for mapping as an alternative to the other.

Collected Group Data Mapping

The Salesforce account collector gathers all the group data from Salesforce. Salesforce has different types of groups. "Regular" groups are the ones created and managed by a Salesforce administrator. Other groups are created by Salesforce automatically; for example, Salesforce creates a group for each user role and uses it internally whenever a role-based group is created.

Group Name

The Group.Name attribute is used as the group name in the account collector. If the group name is not present (this happens in the case of internal Salesforce groups of type "Role," "RoleAndSubordinates," and "Organization"), then the group name is generated as follows:

• For the "Role" and "RoleAndSubordinates" group types, the group name will be "GROUP.TYPE : ROLE.NAME."

• For the "Organization" group type, the group name will be "Organization" because only one such group, having all employees of the organization as members, exists.


Group Attribute Mapping

The table below (after the resolution rules in this section) lists the mapping between Salesforce group attributes and RSA IAM Platform object attributes.

Group-Account and Group-Subgroup Resolutions

Groups can have both accounts and other groups as members. Group members are added based on the membership records in Salesforce's GroupMember object. In addition, the following implicit members are added based on the group type:

• The “Role” group type: all users that hold the role associated with the group are members of the group.

• The “RoleAndSubordinates” group type: all users that hold the role associated with the group, and all users holding roles subordinate to that role, are members of the group.

• The “Organization” group type: all users in the organization are members of this group.
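The naming rule under Group Name and the membership rules above, worked through in code. This is an added example, not RSA or Salesforce code; the records, Ids and role hierarchy are constructed sample data, and the use of the Salesforce fields Group.RelatedId (to link a role group to its role) and UserRole.ParentRoleId (to walk the role hierarchy) is an assumption the guide does not state.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    id: str
    username: str                         # User.Username, used as the Account Name
    user_role_id: Optional[str] = None    # User.UserRoleId


@dataclass(frozen=True)
class UserRole:
    id: str
    name: str                             # UserRole.Name
    parent_role_id: Optional[str] = None  # UserRole.ParentRoleId (assumption, not in the guide)


@dataclass(frozen=True)
class Group:
    id: str
    type: str                             # Group.Type: Regular, Role, RoleAndSubordinates, Organization
    name: Optional[str] = None            # Group.Name; absent for the internal group types
    related_id: Optional[str] = None      # Group.RelatedId: the role a role group wraps (assumption)


@dataclass(frozen=True)
class GroupMember:
    group_id: str                         # GroupMember.GroupId
    user_or_group_id: str                 # GroupMember.UserOrGroupId: a User or a nested Group


def group_name(group: Group, roles: Dict[str, UserRole]) -> str:
    """Group.Name when present; otherwise the name generated for internal groups."""
    if group.name:
        return group.name
    if group.type in ("Role", "RoleAndSubordinates"):
        return f"{group.type} : {roles[group.related_id].name}"  # "GROUP.TYPE : ROLE.NAME"
    if group.type == "Organization":
        return "Organization"             # only one such group exists
    raise ValueError(f"group {group.id} of type {group.type} has no name")


def subordinate_role_ids(role_id: str, roles: Dict[str, UserRole]) -> Set[str]:
    """Every role below role_id in the role hierarchy, at any depth."""
    found: Set[str] = set()
    frontier = [role_id]
    while frontier:
        parent = frontier.pop()
        for role in roles.values():
            if role.parent_role_id == parent and role.id not in found:
                found.add(role.id)
                frontier.append(role.id)
    return found


def resolve_members(group: Group, users: List[User], roles: Dict[str, UserRole],
                    groups: List[Group], members: List[GroupMember]) -> Tuple[List[str], List[str]]:
    """Return (member account names, member subgroup names) for one collected group."""
    users_by_id = {u.id: u for u in users}
    groups_by_id = {g.id: g for g in groups}
    accounts: Set[str] = set()
    subgroups: Set[str] = set()
    # Explicit memberships from the GroupMember object: users or nested groups.
    for m in members:
        if m.group_id != group.id:
            continue
        if m.user_or_group_id in users_by_id:
            accounts.add(users_by_id[m.user_or_group_id].username)
        elif m.user_or_group_id in groups_by_id:
            subgroups.add(group_name(groups_by_id[m.user_or_group_id], roles))
    # Implicit memberships that depend on the group type.
    if group.type == "Role":
        role_ids: Optional[Set[str]] = {group.related_id}
    elif group.type == "RoleAndSubordinates":
        role_ids = {group.related_id} | subordinate_role_ids(group.related_id, roles)
    elif group.type == "Organization":
        role_ids = None                   # None: every user in the organization
    else:
        role_ids = set()                  # Regular groups get no implicit members
    for u in users:
        if role_ids is None or u.user_role_id in role_ids:
            accounts.add(u.username)
    return sorted(accounts), sorted(subgroups)


# Constructed sample data; the Ids are placeholders, not real Salesforce Ids.
ROLES = {r.id: r for r in [UserRole("R1", "CEO"), UserRole("R2", "Sales Manager", "R1"),
                           UserRole("R3", "Sales Rep", "R2"), UserRole("R4", "Support Rep", "R1")]}
USERS = [User("U1", "alice@example.com", "R1"), User("U2", "bob@example.com", "R2"),
         User("U3", "carol@example.com", "R3"), User("U4", "dave@example.com", "R4"),
         User("U5", "erin@example.com")]  # erin holds no role
GROUPS = [Group("G1", "Regular", name="Release Approvers"), Group("G2", "Role", related_id="R2"),
          Group("G3", "RoleAndSubordinates", related_id="R2"), Group("G4", "Organization")]
MEMBERS = [GroupMember("G1", "U5"), GroupMember("G1", "G3")]  # explicit rows; G3 is nested in G1


def collect_groups() -> Dict[str, Tuple[List[str], List[str]]]:
    """What the collector would store: generated name -> (account names, subgroup names)."""
    return {group_name(g, ROLES): resolve_members(g, USERS, ROLES, GROUPS, MEMBERS) for g in GROUPS}
```

Note that the "RoleAndSubordinates : Sales Manager" group picks up carol through the role hierarchy even though no GroupMember row names her, which is why reviewers of collected Salesforce groups should not expect every member to be traceable to an explicit membership record.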

Group Membership Resolution

For Group-Account mapping, the account's Account Name should be used.

Subgroup Resolution

For Group-Subgroup mapping, the group Name should be used.

Collected Entitlement Data Collector Mapping

The Salesforce entitlement collector gathers entitlement data from the "Profile," "PermissionSet," "PermissionSetAssignment," and "User" objects of the Salesforce instance. RSA IAM Platform stores this information in its application role object. It also provides mapping of application roles with the accounts collected from the Salesforce account collector.

Application Role

Profiles and Permission Sets in Salesforce are defined as application roles in RSA IAM Platform.

Application Role Name

The Profile.Name and PermissionSet.Name attributes are used for the application role name.

Table: Group Attribute Mapping

Salesforce Attribute | ACM Attribute | Description
Group.Id | Group.External Id | Unique ID provided by Salesforce to each Group object.
Group.Email | Group.Email | Group email ID.
Group.OwnerId | Group.OwnerId | Group owner. In Salesforce, Group.OwnerId refers to the User.Id field of Salesforce's User object. In RSA IAM Platform it is converted to User.Username (which is used as the Account Name of the account).
Group.Type | Group.Type | Group type: Role, RoleAndSubordinates, Regular, etc.


Application Role Attribute Mapping

The following table lists the mappings between Salesforce entitlement attributes and RSA IAM Platform object attributes:

Salesforce Attribute | ACM Attribute | Description
Profile.Id / PermissionSet.Id | AppRole.External Id | Unique ID provided by Salesforce for each Profile/PermissionSet object.
Profile.UserType | AppRole.UserType | User type associated with this Profile.
Profile.UserLicenseId / PermissionSet.UserLicenseId | AppRole.UserLicenseId | User license ID associated with this Profile/PermissionSet. Each Profile and PermissionSet is associated with one of the user licenses. A user license entitles a user to specific functionality and determines the profiles and permission sets available to the user.
UserLicense.Name | AppRole.UserLicenseName | User license name.
(none) | AppRole.Type | Used by RSA IAM Platform to identify whether the application role was created from the Profile object or the PermissionSet object of Salesforce.

Application Role – Account Resolution

Application roles are assigned to accounts using an account's “Account Name” attribute.

Note: Because Salesforce grants entitlements to resources via Profiles and PermissionSets, granular entitlements that specify exact access to each resource are not collected. There is no direct way to assign a particular entitlement to a user. Therefore, only Profiles and PermissionSets are collected as entitlements, as they are what provide access to resources.

Set Up the AFX Salesforce Connector

This section describes how to configure the Salesforce connector in AFX. The Salesforce Connector can complete the following tasks:

• Add Account To Group

• Add App Role To Account

• Add Group To Group

• Create Account

• Create Group

• Delete Group

• Disable Account

• Enable Account

• Remove Account From Group

• Remove App Role From Account

• Remove Group From Group

• Update Account

See the Access Fulfillment Express Guide for more information on working with AFX.

See the Access Request Manager Guide for more information on working with request forms and account templates.

Create the Salesforce Connector

The Salesforce connector fulfills access request commands in the Salesforce system.

To create the connector:

1. Select AFX > Connectors > Create Connector.

2. Click the General tab and configure the following settings:

• Name: <Name of the Salesforce connector>

• Connector Template: Salesforce Connector

• Status: Active

3. Click the Settings tab and configure the following settings:

• Username: <Username>

• Password: <username password>

• Security Token: <Security Token>

• Salesforce API: <Salesforce API version>

4. Click the Capabilities tab and select all check-boxes, and then click OK.

Create an Account Request Form

The request form enables users to request creation of an account.

To create the form:

1. Select Requests > Configuration > Request Forms.

2. Click Create Form.

3. Select Create a new Form, click Next, and then configure as follows:

• General Properties

- Form Name: <Form Name>

- Enabled: True

- FormType: Create Account

- Changes Apply to: One user with the following attributes: All

- Fulfillment Workflow: Default AFX Fulfillment


• Fields

Click New.

- Variable Name: <Profile Var Name>

- Control Type: Drop Down Select

- Question: “Enter the Profile Name”

- Options: Enter the Salesforce profile names:

Value:- <Profile Name>

Display:- <Profile Name>

Click Add. Repeat for each profile.

Click OK.

Click New.

- Variable Name: <Password Var Name>

- Control Type: Password Field

- Question: Enter Password

Click OK.

To retrieve Salesforce profile names:

1. Log into the Salesforce account.

2. Choose Setup from your account menu.

3. Select Administration Setup > Manage Users > Profiles.

Create an Account Template

The account template provides the account input parameters.

To create a template:

1. Select Requests > Configuration > Account Templates.

2. Click Create Account Template, and then configure as follows:

• Name: <Account Template Name>

• Account Creation Form: Select the form previously created.

Click OK.

3. Click the name of the account template you just created. Configure as follows:

• Click Add Pending Account Parameter, and enter settings:

- Name: Name

- Value: ${User.Email_Address}

Click OK.


• Click Add Parameter, and enter settings:

- Name: Password

- Form Field: <Password Var Name>

Click OK.

• Click Add Parameter, and enter settings:

- Name: Profile

- Form Field: <Profile Var Name>

Click OK.

Associate the Account Template to the Salesforce Application

You must associate the account template you just created to the Salesforce application so the template can be used for requests for accounts from the application.

To associate the template to the application:

1. Select Resources > Applications.

2. Click <Salesforce App Name>.

3. Click Requests.

4. Click Edit Account Template Associations.

5. Select the <The account template you just created>.

6. Click OK.

7. Set Entitlements Require Account to Yes.

8. Select the Fulfillment Workflow: Default AFX Fulfillment.

Discover the Salesforce Connector in RSA IAM Platform

After you create the Salesforce connector in AFX, you must discover the connector in RSA IAM Platform and map Salesforce attributes to connector command parameters.

Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.

To discover the connector and map attributes:

1. Select AFX > Map Connectors.

2. Click Discover Connectors From AFX Server.

3. Click Apply Changes.

4. From the AFX Connector Summary window, click <Name of Salesforce connector>.

5. Click the Commands tab.

6. Map command attributes as follows:


• AddAccountToGroup

- AccountName: ${Account.Name}

- GroupName: ${Group.Name}

• AddAppRoleToAccount

- AccountName: ${Account.Name}

- PermissionSetName: ${ApplicationRole.Name}

• AddGroupToGroup

- GroupName: ${Group.Name}

- SubGroupName: ${Group.Name}

• CreateAccount

- Alias: ${User.First_Name}

- Email: ${User.Email_Address}

- EmailEncodingKey: ISO-8859-1 (for example)

- Firstname: ${User.First_Name}

- LanguageLocaleKey: en_US (for example)

- Lastname: ${User.Last_Name}

- LocaleSidKey: en_US (for example)

- Password: ${AccountTemplate.Password}

- ProfileName: ${AccountTemplate.Profile}

- TimeZoneSidKey: America/Los_Angeles (for example)

- Username: ${User.Email_Address}

• ResetPassword

- AccountName: ${Account.Name}

- Password: ${AccountTemplate.Password}

• CreateGroup

- Not available in v6.5

• DeleteGroup

- GroupName: ${Group.Name}

• DisableAccount

- AccountName: ${Account.Name}

• EnableAccount

- AccountName: ${Account.Name}


• RemoveAccountFromGroup

- AccountName: ${Account.Name}

- GroupName: ${Group.Name}

• RemoveAppRoleFromAccount

- AccountName: ${Account.Name}

- PermissionSetName: ${ApplicationRole.Name}

• RemoveGroupFromGroup

- GroupName: ${Group.Name}

- SubGroupName: ${Group.Name}

• UpdateAccount

- AccountName: ${User.Email_Address}

- Firstname: ${User.First_Name}

- Lastname: ${User.Last_Name}

- Alias: ${User.First_Name}

- EmailEncodingKey: ISO-8859-1 (for example)

- LanguageLocaleKey: en_US (for example)

- LocaleSidKey: en_US (for example)

- TimeZoneSidKey: America/Los_Angeles (for example)

7. From the AFX Connector Summary window, click Enable for each command (to enable each command).

8. Click the General tab, and then click Enable (to enable the connector).

Bind the Connector to the Salesforce Application

You must associate, or bind, the Salesforce connector to the Salesforce application to implement auto-fulfillment of access request tasks you want completed in the Salesforce system.

To bind the connector:

1. Select Resources > Applications > Salesforce > AFX Connector Binding.

2. Click Edit Connector Binding.

3. Select the Salesforce connector from the drop-down list, and then click OK.

Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.


Chapter 3: Google Apps

Content

• “Set Up Google Apps for Onboarding” on page 28

• “Data Collection Prerequisites” on page 28

• “Configure Google Apps Account and Entitlement Data Collectors” on page 30

• “How Entitlements in Google Apps Appear in RSA IAM Platform” on page 33

• “Set Up the AFX Google Apps Connector” on page 33


Set Up Google Apps for Onboarding

To use the Google Apps collectors and to auto-fulfill change requests with AFX, the client domain has to be registered with Google Apps For Business.

Do the following:

• Get a test domain and test the Google Apps accounts:

1. Go to the following URL:

http://www.google.com/enterprise/apps/business/pricing.html?utm_expid=59436268-7

2. Select the type of account you want to use.

On the next page, you are asked for a domain. If you have one, register it, or you can buy a domain by clicking the Find Domain button.

• Enable the Google Apps provisioning API:

1. Go to the following URL:

https://www.google.com/a/cpanel/<Your Domain>/Dashboard

You are redirected to a login page.

2. Enter domain admin credentials.

The control panel page is loaded.

3. Click the Domain settings tab, and then click the User Settings sub-tab.

4. Select Enable provisioning API.

5. Save the changes.

• Create a project for use by the collector:

1. Go to the following URL:

https://code.google.com/apis/console/

2. Create a new project with the name of your choice.

Enable Calendar and Drive APIs.

Data Collection Prerequisites

Complete the following tasks before you create Google Apps data collectors:

• Configure Google Apps for collection.

• Create a Google Apps application in RSA IAM Platform.

• Define additional attributes you require for Google Apps objects in RSA IAM Platform that you want to collect from Google Apps.


Configure Google Apps for Collection

To use the Google Apps collector, the client domain has to be registered with Google Apps For Business. The domain registration, provisioning API and API Console project steps are the same as those in “Set Up Google Apps for Onboarding” on page 28; complete them before you create the collectors.

Create a Google Apps Application

You must create a “Google Apps” application object in RSA IAM Platform with which you will associate Google Apps data collectors and an AFX auto-fulfillment connector.

To create the Google Apps application:

1. Select Resources > Applications > Create Application > Other Application.

2. Application Name: Google Apps.

See the RSA IAM Platform Administrators Guide for more information on how to create and manage applications.


Define Additional Attributes

If you want to collect all available data from Google Apps, you can define a set of additional attributes for the following objects in RSA IAM Platform:

• Account

• Application Role

• Group

See the RSA IAM Platform Administrators Guide for more information on how to create and manage attributes.

To define Google Apps application attributes:

1. Select Admin > Attributes.

2. Select the Account tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
FamilyName | String | <use available> | Collected | No | No | No
GivenName | String | <use available> | Collected | Yes | Yes | No
Is Active | String | <use available> | Collected | Yes | Yes | No
Email | String | <use available> | Collected | Yes | Yes | No

3. Select the Group tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
Other Owners | String | <use available> | Collected | No | No | No

4. Select the Resources tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
OwnerName | String | <use available> | Collected | No | No | No

Configure Google Apps Account and Entitlement Data Collectors

This section describes how to configure the following data collectors for the Google Apps application:

• Account Collector — Collects account and group-related information from Google Apps. It also provides the mapping between RSA IAM Platform users and the accounts collected from Google Apps. The account collector uses two Google Apps services for this purpose: UserService and AppsGroupsService. The user's email is used to map RSA IAM Platform users to Google accounts.


• Entitlement Collector — Collects information about the permissions that users and groups have on Google documents and calendars.

Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 30 were in fact defined.

About Resource Action – Account Resolution

Permissions on documents and calendars are assigned to accounts and groups using the account's email ID. Calendars and documents are therefore treated as Resources, and roles are treated as Actions. The entitlement relationship captures whether the resource is entitled to a group or to an account, and the name of the corresponding group or account.

Configure the Google Apps Account Collector

This section describes how to configure an account collector for the Google Apps application.

To configure the Google Apps Account Collector:

1. From the Google Apps application’s Collectors tab, click Create Account Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description Page

- Collector Name: <Name of Google Apps ADC>

- Data Source Type: Google Apps

• Configuration Information

- Admin Email Address: <Email Address of the admin of the domain registered with Google>

- Password: <Password of the admin of the domain registered with Google>

- Application Name: <Name of the project created on the Google Apps API Console>

- Domain Name: <Name of the domain registered with Google Apps>

• Map Collector Attributes to Account Mapping Attributes

- User Reference: Email

• Map Collector Attributes to Account Attributes


- Family Name: familyName

- Given Name: givenName


- Is Active: status

• Map Collector Attributes to Group Attributes

- Name: groupName

- Backup Owner: backupOwner

- Owner: groupOwner

- Other Owners: otherOwners

• Edit User Resolution Rules

- Target Collector: <Name of the IDC that collects Google Apps users> or Users

- User Attribute: Email Address

• Edit Member Account Resolution Rules

- Target collector: <Name of Google Apps ADC>

- Account Attribute: Account Name

• Edit Sub-group Resolution Rules

- Associated collector: <Name of Google Apps ADC>

- Group Attribute: Name

Configure the Google Apps Entitlement Data Collector

This section describes how to configure an entitlement collector for the Google Apps application.

To configure the Google Apps Entitlement Collector:

1. From the Google Apps application’s Collectors tab, click Create Entitlement Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of Google Apps EDC>

- Data Source Type: Google Apps

• Configuration Information

- Admin Email Address: Email Address of the admin of the domain registered with Google.

- Password: Password of the admin of the domain registered with Google.

- Application Name: Name of the project created on the Google Apps API Console.

- Domain Name: Name of the domain registered with Google Apps.

• Group Evaluation

- Associated collector: <Name of Google Apps ADC>


- Group value evaluates to: Name

• Account Evaluation

- Associated account collector: <Name of Google Apps ADC>

- Account value evaluates to: Name

How Entitlements in Google Apps Appear in RSA IAM Platform

The following table illustrates the mapping between RSA IAM Platform attributes and Google Apps attributes.

Application Name | ACM Attribute Name | Google Apps Attribute Name | Remark
Google Docs | Resource Name | Document Name
Google Docs | Resource Action | Role | Reader / Writer / Owner
Google Calendar | Resource Name | Calendar Name | The name of the default calendar is the user's email ID.
Google Calendar | Resource Action | Role | FreeBusy / Read / Editor / Owner

Set Up the AFX Google Apps Connector

This section describes how to configure the Google Apps connector in AFX, discover and map connector attributes in RSA IAM Platform, and associate the connector with the Google Apps application in RSA IAM Platform. The Google Apps Connector completes the following tasks:

• Create Account

• Delete Account

• Disable Account

• Enable Account

• Create Group

• Delete Group

• Add Account to Group

• Remove Account From Group

• Add Entitlement to Account

• Remove Entitlement from Account

• Remove Entitlement from Group

See the Access Fulfillment Express Guide for more information on working with AFX.

See the Access Request Manager Guide for more information on working with request forms and account templates.


Create the Google Apps Connector

The Google Apps connector fulfills access request commands in the Google Apps system.

To create the connector:

1. Select AFX > Connectors > Create Connector.

2. Click the General tab and configure the following settings:

• Name: <Name of the Google Apps connector>

• Connector Template: Google Apps Connector

• Status: Active

3. Click the Settings tab and configure the following settings:

• Username: <Username>

• Password: <Password>

• Application Name: <Project Name>

• Domain: <Domain>

4. Click the Capabilities tab and select all check-boxes, and then click OK.

Create an Account Request Form

The request form enables users to request creation of an account.

To create the form:

1. Select Requests > Configuration > Request Forms.

2. Click Create Form.

3. Select Create a new Form, click Next, and then configure as follows:

• General Properties

- Form Name: <Form Name>

- Enabled: True

- FormType: Create Account

- Changes Apply to: One user with the following attributes: All

- Fulfillment Workflow: Default AFX Fulfillment

• Fields

Click New.

- Variable Name: <Username Var Name>

- Control Type: Text Field

- Question: “Enter the user login name you want to set”

Click OK.


Click New.

- Variable Name: <Password Var Name>

- Control Type: Password Field

- Question: “Enter Password”

Click OK.

Create an Account Template

The account template provides the account input parameters.

To create a template:

1. Select Requests > Configuration > Account Templates.

2. Click Create Account Template, and then configure as follows:

• Name: <Account Template Name>

• Account Creation Form: Select the form previously created.

Click OK.

3. Click the name of the account template you just created. Configure as follows:

• Click Add Pending Account Parameter, and enter settings:

- Name: Name

- Value: ${User.Email_Address}

Click OK.

• Click Add Parameter, and enter settings:

- Name: User

- Form Field: <User Var Name>

Click OK.

• Click Add Parameter, and enter settings:

- Name: Password

- Form Field: <Password Var Name>

Click OK.


Associate the Account Template to the Google Apps Application

You must associate the account template you just created to the Google Apps application so the template can be used for requests for accounts from the application.

To associate the template with the application:

1. Select Resources > Applications.

2. Click <Google Apps App Name>.

3. Click Requests.

4. Click Edit Account Template Associations.

5. Select the <The account template you just created>.

6. Click OK.

7. Set Entitlements Require Account to Yes.

8. Select the Fulfillment Workflow: Default AFX Fulfillment.

Discover the Google Apps Connector in RSA IAM Platform

After you create the Google Apps connector in AFX, you must discover the connector in RSA IAM Platform and map Google Apps attributes to connector command parameters.

Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.

To discover the connector and map attributes:

1. Select AFX > Map Connectors.

2. Click Discover Connectors From AFX Server.

3. Click Apply Changes.

4. From the AFX Connector Summary window, click <Name of Google Apps connector>.

5. Click the Capabilities tab.

Map command attributes as follows:

• CreateAccount

- FamilyName: ${User.First_Name}

- GivenName: ${User.Last_Name}

- User: ${User.First_Name}${User.Last_Name}

- Password: ${AccountTemplate.Password}

• DeleteAccount

- User: ${Account.Name}

• DisableAccount

- User: ${Account.Name}


• EnableAccount

- User: ${Account.Name}

• ResetPassword

- User: ${Account.Name}

• CreateGroup

- Group: ${Group.Name}

• DeleteGroup

- Group: ${Group.Name}

• AddAccountToGroup

- Group: ${Group.Name}

- User: ${Account.Name}

• AddGroupToGroup

- Group: ${Group.Name}

- GroupName: ${Group.Name}

• RemoveAccountFromGroup

- Group: ${Group.Name}

- User: ${Account.Name}

• RemoveGroupFromGroup

- Group: ${Group.Name}

- GroupName: ${Group.Name}

• AddEntToAccount

- ResourceName: ${Resource.Name}

- User: ${Account.Name}

- Role: ${Action.Name}

• RemoveEntFromAccount

- ResourceName: ${Resource.Name}

- User: ${Account.Name}

- Role: ${Action.Name}

• RemoveEntFromGroup

- ResourceName: ${Resource.Name}

- GroupName: ${Group.Name}

- Role: ${Action.Name}


6. From the AFX Connector Summary window, click Enable for each command (to enable each command).

7. Click the General tab, and then click Enable (to enable the connector).

Bind the Connector to the Google Apps Application

You must associate, or bind, the Google Apps connector to the Google Apps application to implement auto-fulfillment of access request tasks you want completed in the Google Apps system.

To bind the connector:

1. Select Resources > Applications > Google Apps > AFX Connector Binding.

2. Click Edit Connector Binding.

3. Select the Google Apps connector from the drop-down list, and then click OK.

Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.


Chapter 4: NetSuite

Content

• “Set Up NetSuite for Onboarding” on page 40

• “Data Collection Prerequisites” on page 41

• “Configure NetSuite Account and Entitlement Data Collectors” on page 42

• “How Entitlements in NetSuite Appear in RSA IAM Platform” on page 44

• “Set Up the AFX NetSuite Connector” on page 45


Set Up NetSuite for Onboarding

To use the NetSuite collector, the client domain must be registered with NetSuite For Business. Log in to NetSuite as “Administrator” to complete the role and employee searches.

• Create a role search and get the search results:

1. Go to List > Search > Saved Searches > New.

2. Click Role.

3. Provide a search title and click the Results tab.

4. In the Sort By drop-down, select Name.

5. In the columns sub-tab select Internal ID and click Add.

6. Add the following columns:

- Level

- Permission

- Name

- Permission Change

- Permission Change Date

- Permission Change Level

- Inactive

- Center Type

- Custom/Standard

7. Click Save & Run.

8. Click Email to e-mail the search results to yourself. Make sure you select the Send as CSV option when you send the e-mail.

9. Save the attachment as a file named Role Search.csv.

• Create an employee search and get the search results:

1. Go to List > Search > Saved Searches > New.

2. Click Employee.

3. Provide a search title and click the Results tab.

4. In the Sort By drop-down, select Email.

5. In the columns sub-tab select Email and click Add.

6. Add the following columns:

- Internal ID

- Date Created

- Department


- Employee Status

- First Name

- Last Name

- Middle Name

- Gender

- Inactive

- Login Access

- Role

- Supervisor

- Type

7. Click Save & Run to save and run the search.

8. Click Email to e-mail the search results to yourself. Make sure you select the Send as CSV option when you send the e-mail.

9. Save the attachment as a file named Employee Search.csv.

Data Collection Prerequisites

Complete the following tasks before you create NetSuite data collectors:

• Create a NetSuite application in RSA IAM Platform.

• Define additional attributes you require for NetSuite objects in RSA IAM Platform that you want to collect from NetSuite.

Create a NetSuite Application

You must create a “NetSuite” application object in RSA IAM Platform with which you will associate NetSuite data collectors and an AFX auto-fulfillment connector.

To create the NetSuite application:

1. Select Resources > Applications > Create Application > Other Application.

2. Application Name: NetSuite.

See the Administrators Guide for more information on how to create and manage applications.


Define Additional Attributes

You must define attributes cited as mandatory in this section. If you want to collect all available data from NetSuite, you can define a set of additional attributes for the following objects in RSA IAM Platform:

• Account

• Application Role

• Group

See the Administrators Guide for more information on how to create and manage attributes.

To define attributes:

1. Select Admin > Attributes.

2. Select the Account tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
Email | String | <use available> | Collected | Yes | Yes | Yes
Acct Date | Date | <use available> | Collected | Yes | Yes | No
Login Access | String | <use available> | Collected | Yes | Yes | No
Is Active | String | <use available> | Collected | Yes | Yes | No

The “Email” attribute represents the user name in NetSuite.

3. Select the Application Role tab and add the following attributes:

Attribute Name | Data Type | Database ID | Data Source | In Detail | In Popup | Mandatory
External Id | String | <use available> | Collected | No | No | Yes

The “External Id” attribute must be collected for NetSuite roles because, when you configure the NetSuite connector's CreateAccount command, you are required to provide the role ID. NetSuite does not provide a role search feature through web services, so you must collect this attribute so that it can be referenced during connector configuration.

Configure NetSuite Account and Entitlement Data Collectors

This section describes how to configure an account data collector and an entitlement data collector for the NetSuite application.

Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 42 were in fact defined.


Configure the NetSuite Account Collector

This section describes how to configure an account collector for the NetSuite application.

To configure the collector:

1. From the NetSuite application’s Collectors tab, click Create Account Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of NetSuite ADC>

- Data Source Type: NetSuite

• Configuration Information

- Employees search result file: Enter the absolute path of the csv file that includes employee search results.

- The employee search result csv file must be formatted as follows:

• The first row should have the attribute/column names.

• The file must have Email, Internal ID, Date Created, Department, Employee Status, First Name, Last Name, Middle Name, Gender, Inactive, Login Access, Role, Supervisor, Type attributes/columns.

• The search results must be sorted by the Email attribute/column.

• Map Collector Attributes to Account Mapping Attributes

- User Reference: Email

• Map Collector Attributes to Account Attributes

- Email: Email

• Edit User Resolution Rules

- Target collector: <Name of the IDC that collects NetSuite users> or Users

- User Attribute: Email Address

Configure the NetSuite Entitlement Collector

This section describes how to configure an entitlement collector for the NetSuite application.

To configure the collector:

1. From the NetSuite application’s Collectors tab, click Create Entitlement Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.


Configuration Specifications:

• Collector Description

- Collector Name: <Name of NetSuite EDC>

- Data Source Type: NetSuite

• Configuration Information (See “Configure the NetSuite Account Collector” on page 43 for more information on connection settings.)

- Role search result file: Enter the absolute path of the csv file that includes role search results.

• The first row should have the attribute/column names.

• The file must have Name, Internal ID, Permission, and Level attributes/columns

• The search results must be sorted by the Name attribute/column.

- Employees search result file: Enter the absolute path of the csv file that includes employee search results.

The employee search result csv file must be formatted as follows:

• The first row should have the attribute/column names.

• The file must have Email, Internal ID, Date Created, Department, Employee Status, First Name, Last Name, Middle Name, Gender, Inactive, Login Access, Role, Supervisor, Type attributes/columns.

• The search results must be sorted by the Email attribute/column

• App Role Attribute Mapping Information

- External Id: Internal_ID

• Account Evaluation

- Associated collector: <Name of NetSuite ADC>

- Account value evaluates to: AccountName
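Both NetSuite collectors read exported saved-search CSV files rather than calling NetSuite directly, so a malformed export shows up only later as missing accounts or roles. The following Python script, added here as an example and not part of the guide or the product, checks an employee export and a role export against the requirements above: required columns present, rows sorted by Email (employees) or Name (roles), no blank sort keys, and every role referenced by an employee defined in the role export. The sample CSV content is constructed; accepting either a byte-order or a case-insensitive sort, and joining the employee Role column to the role export's Name column, are assumptions the guide does not state.

```python
import csv
import io

# Column sets the guide requires in the two NetSuite search-result exports.
EMPLOYEE_COLUMNS = ["Email", "Internal ID", "Date Created", "Department", "Employee Status",
                    "First Name", "Last Name", "Middle Name", "Gender", "Inactive",
                    "Login Access", "Role", "Supervisor", "Type"]
ROLE_COLUMNS = ["Name", "Internal ID", "Permission", "Level"]

# Constructed sample exports (not real NetSuite data).
EMPLOYEES_CSV = """Email,Internal ID,Date Created,Department,Employee Status,First Name,Last Name,Middle Name,Gender,Inactive,Login Access,Role,Supervisor,Type
alice@example.com,101,2014-01-15,Finance,Active,Alice,Adams,,Female,No,Yes,Accountant,bob@example.com,Employee
bob@example.com,102,2013-06-02,Finance,Active,Bob,Brown,,Male,No,Yes,Administrator,,Employee
"""
ROLES_CSV = """Name,Internal ID,Permission,Level
Accountant,1001,Transactions,Full
Administrator,3,Setup,Full
"""


def check_search_export(text, required, sort_key):
    """Return a list of problems with one export; an empty list means it is usable."""
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [c for c in required if c not in header]
    if missing:
        return [f"missing columns: {', '.join(missing)}"]
    problems = []
    keys = [(row.get(sort_key) or "").strip() for row in reader]
    # Assumption: either a byte-order or a case-insensitive ascending sort is acceptable
    # to the collector; anything else is flagged.
    if keys != sorted(keys) and keys != sorted(keys, key=str.casefold):
        problems.append(f"rows are not sorted by {sort_key}")
    # Line numbers are 1-based file lines; the header is line 1.
    blank = [n for n, k in enumerate(keys, start=2) if not k]
    if blank:
        problems.append(f"blank {sort_key} on line(s) {blank}")
    return problems


def roles_missing_from_export(employees_text, roles_text):
    """Roles referenced by employees that the role export does not define.
    Assumes the employee Role column holds the role name exactly as the role
    export's Name column does (the guide does not state the join rule)."""
    employees = csv.DictReader(io.StringIO(employees_text))
    roles = csv.DictReader(io.StringIO(roles_text))
    defined = {(r.get("Name") or "").strip() for r in roles}
    referenced = {(e.get("Role") or "").strip() for e in employees}
    return sorted(r for r in referenced - defined if r)


def validate_netsuite_exports(employees_text, roles_text):
    """Run every check the collectors depend on and return {check: problems}."""
    return {
        "employees": check_search_export(employees_text, EMPLOYEE_COLUMNS, "Email"),
        "roles": check_search_export(roles_text, ROLE_COLUMNS, "Name"),
        "undefined roles": roles_missing_from_export(employees_text, roles_text),
    }


if __name__ == "__main__":
    for check, problems in validate_netsuite_exports(EMPLOYEES_CSV, ROLES_CSV).items():
        print(f"{check}: {'OK' if not problems else problems}")
```

Run it against the two files before pointing the collectors at them; a non-empty list for any check means the collector run will be incomplete even though it may not report an error.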

How Entitlements in NetSuite Appear in RSA IAM Platform

NetSuite entitlements are of the Resource:Action type. A NetSuite role is a container that holds these entitlements and has member accounts; entitlements reach an account only through the roles assigned to it. NetSuite roles are represented in RSA IAM Platform by application roles, and the Id and Name attributes of an application role together uniquely identify the corresponding NetSuite role. The account entity in RSA IAM Platform represents the NetSuite account, and the Email and Id of an RSA IAM Platform account together uniquely identify the corresponding NetSuite account.


Set Up the AFX NetSuite Connector

This section describes how to configure the NetSuite connector in AFX. The NetSuite connector completes the following tasks:

• Create Account

• Delete Account

• Disable Account

• Enable Account

• Reset Password

• Update Account

See the Access Fulfillment Express Guide for more information on working with AFX.

See the Access Request Manager Guide for more information on working with request forms and account templates.

How to Prepare NetSuite for AFX Automatic Fulfillment

To enable web services on NetSuite:

1. Log in to NetSuite as “Administrator.”

2. Click Setup > Company > Enable Features.

3. Click the SuiteFlex tab.

4. Select Web Services, and then click Save.

Create the NetSuite Connector

To create the connector:

1. Select AFX > Connectors > Create Connector.

2. Click the General tab and configure the following settings:

• Name: <Name of NetSuite connector>

• Connector Template: NetSuite Connector

• Status: Active

3. Click the Settings tab and configure the following settings:

• Username: <NetSuite Admin username>

• Password: <NetSuite Admin password>

• Account: <NetSuite Admin Account>

• Role Id: <NetSuite Admin role id>

4. Click the Capabilities tab and select all check-boxes, and then click OK.


Create an Account Request Form

The request form enables users to request creation of an account.

To create the form:

1. Select Requests > Configuration > Request Forms.

2. Click Create Form.

3. Select Create a new Form, click Next, and then configure as follows:

• General Properties

- Form Name: <Form Name>

- Enabled: True

- FormType: Create Account

- Changes Apply to: One user with the following attributes: All

- Fulfillment Workflow: Default AFX Fulfillment

• Fields

Click New.

- Variable Name: <Var1 Name>

- Control Type: Text Field

- Question: “Enter the Internal ID”

Click OK.

Click New.

- Variable Name: <Var2 Name>

- Control Type: Password Field

- Question: “Enter Password”

Click OK.

Create an Account Template

The account template provides the account input parameters.

To create the template:

1. Select Requests > Configuration > Account Templates.

2. Click Create Account Template, and then configure as follows:

• Name: <Account Template Name>

• Account Creation Form: Select the form previously created.

Click OK.

3. Click the name of the account template you just created. Configure as follows:


• Click Add Pending Account Parameter, and enter settings:

- Name: Name

- Value: ${User.Email_Address}

Click OK.

• Click Add Parameter, and enter settings:

- Name: InternalId (the CreateAccount command mapping references this parameter as ${AccountTemplate.InternalId})

- Form Field: <Var1 Name>

Click OK.

• Click Add Parameter, and enter settings:

- Name: Password

- Form Field: <Var2 Name>

Click OK.

Associate the Account Template to the NetSuite Application

You must associate the account template you just created to the NetSuite application so the template can be used for requests for accounts from the application.

To associate the template with the application:

1. Select Resources > Applications.

2. Click <NetSuite App Name>

3. Click Requests.

4. Click Edit Account Template Associations.

5. Select the <The account template you just created>.

6. Click OK.

7. Set Entitlements Require Account to Yes.

8. Select the Fulfillment Workflow: Default AFX Fulfillment.

Discover and Map the NetSuite Connector in RSA IAM Platform

After you create the NetSuite connector in AFX, you must discover the connector in RSA IAM Platform and map NetSuite attributes to connector command parameters.

Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.

To discover the connector and map the attributes:

1. Select AFX > Map Connectors.

2. Click Discover Connectors From AFX Server.


3. Click Apply Changes.

4. From the AFX Connector Summary window, click <Name of NetSuite connector>.

5. Click the Capabilities tab.

6. Map command attributes as follows:

• CreateAccount

- Email: ${User.Email_Address}

- Firstname: ${User.First_Name}

- Lastname: ${User.Last_Name}

- InternalId: ${AccountTemplate.InternalId}

- Password: ${AccountTemplate.Password}

• DisableAccount

- Email: ${Account.Email}

• EnableAccount

- Email: ${Account.Email}

• DeleteAccount

- Email: ${Account.Email}

• ResetPassword

- Email: ${Account.Email}

- Password: ${AccountPassword}

• UpdateAccount

- Email: ${User.Name}

- FirstName: <First name attribute for user>

- LastName: <Last name attribute for user>

- MiddleName: <Middle name attribute for user>

- Gender: <Gender attribute for user>

7. From the AFX Connector Summary window, click Enable for each command (to enable each command).

8. Click the General tab, and then click Enable (to enable the connector).


Bind the Connector to the NetSuite Application

You must associate, or bind, the NetSuite connector to the NetSuite application to implement auto-fulfillment of access request tasks you want completed in the NetSuite system.

To bind the connector to the application:

1. Select Resources > Applications > NetSuite > AFX Connector Binding.

2. Click Edit Connector Binding.

3. Select the NetSuite connector from the drop-down list, and then click OK.

Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.


Chapter 5: Amazon Web Services (AWS)

Content

• “Get Security Credentials from AWS” on page 52

• “Create an AWS Application” on page 52

• “Configure AWS Account and Entitlement Data Collectors” on page 52

• “How Entitlements in AWS Appear in RSA IAM Platform” on page 54

• “Set Up the AFX AWS Connector” on page 54


Get Security Credentials from AWS

You are required to provide AWS security credentials in the collector configuration settings and AFX connector configuration settings.

To get the credentials:

1. Log in to the following URL:

https://portal.aws.amazon.com/gp/aws/securityCredentials

2. From the Access Keys tab on the AWS Access Credential page, note the following credentials:

• Access Key ID

• Secret Access Key

Treat the Secret Access Key as a password: it gives the collectors and the AFX connector everything the principal that owns the key can do in AWS, so store it only in the collector and connector settings.

Create an AWS Application

You must create an “AWS” application object in RSA IAM Platform with which you will associate the AWS data collectors and an AFX auto-fulfillment connector.

To create the AWS application:

1. Select Resources > Applications > Create Application > Other Application.

2. Application Name: AWS.

See the Administrators Guide for more information on how to create and manage applications.

Configure AWS Account and Entitlement Data Collectors

This section describes how to configure an account data collector and an entitlement data collector for the AWS application.

Configure the AWS Account Collector

This section describes how to configure an account collector for the AWS application.

To configure the collector:

1. From the AWS application’s Collectors tab, click Create Account Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of AWS ADC>

- Data Source Type: AmazonAWS

• Configuration Information


- Access Key: <AmazonAWS Access Key>

- Secret Key: <AmazonAWS Secret Access Key>

• Map Collector Attributes to Account Mapping Attributes

- User Reference: AccountName

• Map Collector Attributes to Account Attributes

- Name: AccountName

• Edit User Resolution Rules

- Target collector: Users

- User Attribute: User Id

• Edit Member Account Resolution Rules

- Target collector: <Name of the AWS ADC>

- User Attribute: AccountName

Configure the AWS Entitlement Collector

This section describes how to configure an entitlement collector for the AWS application.

To configure the collector:

1. From the AWS application’s Collectors tab, click Create Entitlement Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of AWS EDC>

- Data Source Type: AmazonAWS

• Configuration Information

- Access Key: <AmazonAWS Access Key>

- Secret Key: <AmazonAWS Secret Access Key>

• Group Evaluation

- Associated collector: <Name of AWS ADC>

- Group value evaluates to: Name

• Account Evaluation

- Associated account collector: <Name of AWS ADC>

- Account value evaluates to: Account Name


How Entitlements in AWS Appear in RSA IAM Platform

AWS entitlements are of the Resource:Action type. The AmazonAWS policy is treated as the Resource, and the Action is null. An AmazonAWS user policy is assigned to a user directly, and an AmazonAWS group policy reaches users through group membership. The policy name is prepended to the user name or group name, so the collected resource is the policy name followed by the user or group name.
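As an added illustration (not from the guide or the product), the following Python snippet builds Resource:Action entitlements from a constructed IAM inventory the way the paragraph describes, with the policy name prepended to the user or group name and a null action, and then shows two things a practitioner needs from the result: which accounts hold a policy through any path, and which AFX command revokes a given entitlement. The ':' separator, the inventory and the "via" tag are assumptions; the AFX command names and parameters are the ones listed under “Discover and Map the AWS Connector in RSA IAM Platform”. Note that RemoveEntFromGroup affects every member of the group, not only the account whose access was reviewed.

```python
from collections import defaultdict

# The guide says the policy name is prepended to the user or group name and the
# action is null; the separator is an assumption made here for readability.
SEP = ":"

# Constructed IAM inventory: user -> (inline user policies, groups); group -> group policies.
IAM_USERS = {
    "alice": {"policies": ["S3ReadOnly"], "groups": ["devs"]},
    "bob": {"policies": [], "groups": ["devs", "ops"]},
    "carol": {"policies": ["BillingView"], "groups": []},
}
IAM_GROUPS = {"devs": ["EC2Describe"], "ops": ["EC2Admin", "EC2Describe"]}


def collect_entitlements(users, groups):
    """Return {account: {(resource, action, via), ...}} with direct user policies
    and the group policies the account inherits through membership."""
    ents = defaultdict(set)
    for user, info in users.items():
        ents[user]  # keep accounts that hold nothing, so they still appear in reviews
        for policy in info["policies"]:
            ents[user].add((f"{policy}{SEP}{user}", None, "user"))
        for group in info["groups"]:
            for policy in groups.get(group, []):
                ents[user].add((f"{policy}{SEP}{group}", None, f"group:{group}"))
    return dict(ents)


def accounts_with_policy(entitlements, policy):
    """Accounts that hold a policy directly or through any group (what an access review asks)."""
    return sorted(acct for acct, ents in entitlements.items()
                  if any(res.split(SEP, 1)[0] == policy for res, _, _ in ents))


def removal_command(account, resource, via):
    """Pick the AFX command and parameters that revoke one collected entitlement.
    A group policy is removed from the group, which affects every member of it."""
    policy, principal = resource.split(SEP, 1)
    if via == "user":
        return "RemoveEntFromAccount", {"PolicyName": policy, "UserName": account}
    return "RemoveEntFromGroup", {"PolicyName": policy, "GroupName": principal}


if __name__ == "__main__":
    ents = collect_entitlements(IAM_USERS, IAM_GROUPS)
    for acct in sorted(ents):
        for res, _, via in sorted(ents[acct]):
            print(acct, res, via, removal_command(acct, res, via))
    print("EC2Describe holders:", accounts_with_policy(ents, "EC2Describe"))
```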

Set Up the AFX AWS Connector

This section describes how to set up the AWS connector in AFX. The AWS Connector completes the following tasks:

• Create Account

• Delete Account

• Remove Entitlement From Account

• Add Account To Group

• Remove Account From Group

• Create Group

• Delete Group

• Remove Entitlement From Group

See the Access Fulfillment Express Guide for more information on working with AFX.

See the Access Request Manager Guide for more information on working with account templates.

Create the AWS Connector

This section describes how to create the connector.

To create the connector:

1. Select AFX > Connectors > Create Connector.

2. Click the General tab and configure the following settings:

• Name: <Name of AWS connector>

• Connector Template: AWS Connector

• Status: Active

3. Click the Settings tab and configure the following settings:

• Access Key: <AmazonAWS Access Key>

• Secret Key: <AmazonAWS Secret Access Key>

See “Get Security Credentials from AWS” on page 52 if you require information on how to get security credentials.

4. Click the Capabilities tab and select all check-boxes, and then click OK.


Create an Account Template

The account template provides the account input parameters.

To create the account template:

1. Select Requests > Configuration > Account Templates.

2. Click Create Account Template, and then configure as follows:

• Name: <Account Template Name>

• Account Creation Form: Select the form previously created.

Click OK.

3. Click the name of the account template you just created. Configure as follows:

• Click Add Pending Account Parameter, and enter settings:

- Name: Name

- Value: ${User.User_Id}

Click OK.

Associate the Account Template to the AWS Application

You must associate the account template you just created to the AWS application so the template can be used for requests for accounts from the application.

To associate the account template to the application:

1. Select Resources > Applications.

2. Click <AWS App Name>

3. Click Requests.

4. Click Edit Account Template Associations.

5. Select the <The account template you just created>.

6. Click OK.

7. Set Entitlements Require Account to Yes.

8. Select the Fulfillment Workflow: Default AFX Fulfillment.


Discover and Map the AWS Connector in RSA IAM Platform

After you create the AWS connector in AFX, you must discover the connector in RSA IAM Platform and map AWS attributes to connector command parameters.

Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.

To discover the connector and the map attributes:

1. Select AFX > Map Connectors.

2. Click Discover Connectors From AFX Server.

3. Click Apply Changes.

4. From the AFX Connector Summary window, click <Name of AWS connector>.

5. Click the Capabilities tab.

6. Map command attributes as follows:

• CreateAccount

- User Name: ${User.User_Id}

• CreateGroup

- GroupName: ${Group.Name}

• DeleteGroup

- GroupName: ${Group.Name}

• DeleteAccount

- UserName: ${Account.Name}

• AddAccountToGroup

- GroupName: ${Group.Name}

- UserName: ${Account.Name}

• RemoveAccountFromGroup

- GroupName: ${Group.Name}

- UserName: ${Account.Name}

• RemoveEntFromAccount

- PolicyName: ${Entitlement.Resource_Name}

- UserName: ${Account.Name}

• RemoveEntFromGroup

- GroupName: ${Group.Name}

- PolicyName: ${Entitlement.Resource_Name}


7. From the AFX Connector Summary window, click Enable for each command (to enable each command).

8. Click the General tab, and then click Enable (to enable the connector).

Bind the Connector to the AWS Application

You must associate, or bind, the AWS connector to the AWS application to implement auto-fulfillment of access request tasks you want completed in the AWS system.

To bind the connector to the application:

1. Select Resources > Applications > AWS > AFX Connector Binding.

2. Click Edit Connector Binding.

3. Select the AWS connector from the drop-down list, and then click OK.

Note: Ensure that the application is associated with the default AFX fulfillment workflow or a custom version of it.


Chapter 6: ServiceNow

Content

• “Set Up ServiceNow for Onboarding” on page 60

• “Data Collection Prerequisites” on page 61

• “Configure ServiceNow Account and Entitlement Data Collectors” on page 63

• “How Entitlements in ServiceNow Appear in RSA IAM Platform” on page 66

• “Setup the AFX ServiceNow Connector” on page 71


Set Up ServiceNow for Onboarding

Before you create ServiceNow data collectors, collect ServiceNow data, or auto-fulfill requests for ServiceNow entitlements with AFX, you must do the following:

• Configure ServiceNow properties for collection.

• (Optional) Enable WS security on the ServiceNow instance.

Configure ServiceNow Properties for Collection

This section describes how to configure the ServiceNow instance for data collection.

To configure ServiceNow for collection:

1. Activate elevated privileges for the current session: click the Lock icon (left top corner), select Security Admin, and then click OK.

2. Go to System Web Services > Properties, and configure the properties as follows:

• Require WS-Security header verification for all incoming SOAP requests — Deselect. (Select it only if you later enable WS security as described in “Enable WS Security on the ServiceNow Instance”.)

• The elementFormDefault property, whose description reads “This property sets the elementFormDefault attribute of the embedded XML schema to the value of unqualified, if set to true. This attribute indicates whether or not locally declared elements must be qualified by the target namespace in an instance document. If the value of this attribute is 'unqualified', then locally declared elements should not be qualified by the target namespace. If the value of this attribute is 'qualified', then locally declared elements must be qualified by the target namespace. For compatibility with Clients generated from WSDL (.NET Web Reference, Axis2 stub, webMethods, and so on), set this value to false. This value defaults to true.” — Deselect, so that the value is false.

• Require basic authorization for incoming SOAP requests — Select. The collectors and the AFX connector then send the admin user name and password with every request, so use the HTTPS URL of the instance in their configuration.

Enable WS Security on the ServiceNow Instance

Enabling WS security on the ServiceNow instance is optional. The ServiceNow administrator enables WS security.

To enable WS security:

1. Go to the Certificates module (System Definition > Certificates).

2. Create a new X.509 Certificate. Configure the following fields:

• Name: SoapTest (for example)

• Format: PEM

• Type: Trust Store Cert

• Active: true

3. Paste the PEM certificate in the PEM certificate text area.

4. Click Submit.

Your certificate record should now be listed with any other certificates loaded into the instance. Next, set up a WS-Security profile in ServiceNow that accepts and validates X.509-signed SOAP requests.


5. Go to the WS Security Profiles module inside the System Web Services application, and create a new profile by clicking New.

6. Select the x509 profile, and select the user that SOAP requests validated by this profile execute as. Also select the certificate record created in step 2 (SoapTest) so that the signature on incoming requests can be validated against it.

7. Enable WS security for all inbound SOAP requests by selecting the following properties in System Web Services -> Properties:

• Require WS-Security header verification for all incoming SOAP requests

• Require basic authorization for incoming SOAP requests

8. Ensure that the elementFormDefault property (the one whose description begins “This property sets the elementFormDefault attribute of the embedded XML schema to the value of unqualified, if set to true”; see “Configure ServiceNow Properties for Collection”) remains deselected.

Note: ServiceNow collectors and ServiceNow AFX connectors are both developed and tested against X.509 Certificate and Private keys generated using the RSA algorithm.

Data Collection Prerequisites

Complete the following tasks before you create ServiceNow data collectors:

• Create a ServiceNow application in RSA IAM Platform.

• Define additional attributes you require for ServiceNow objects in RSA IAM Platform that you want to collect from ServiceNow.

Create a ServiceNow Application

You must create a “ServiceNow” application object in RSA IAM Platform with which you will associate ServiceNow data collectors and an AFX auto-fulfillment connector.

To create the ServiceNow application:

1. Select Resources > Applications > Create Application > Other Application.

2. Application Name: ServiceNow.

See the Administrators Guide for more information on how to create and manage applications.


Define Additional Attributes

You must define attributes cited as mandatory in this section. If you want to collect all available data from ServiceNow, you can define a set of additional attributes for the following objects in RSA IAM Platform:

• Account

• Application Role

• Group

See the Administrators Guide for more information on how to create and manage attributes.

To define attributes:

1. Select Admin > Attributes.

2. Select the Account tab and add the following attributes:

3. Select the Group tab and add the following attributes:

4. Select the Application Role tab and add the following attributes:

Account attributes (step 2):

Attribute Name  Data Type  Database ID      Data Source  In Detail  In Popup  Mandatory
External Id     String     <use available>  Collected    No         No        No
Email           String     <use available>  Collected    Yes        Yes       No
Name            String     <use available>  Collected    Yes        Yes       No
Active          String     <use available>  Collected    Yes        Yes       No

Group attributes (step 3):

Attribute Name  Data Type  Database ID      Data Source  In Detail  In Popup  Mandatory
External Id     String     <use available>  Collected    No         No        No
Email           String     <use available>  Collected    Yes        Yes       No
Name            String     <use available>  Collected    Yes        Yes       No
Active          String     <use available>  Collected    Yes        Yes       No
Type            String     <use available>  Collected    Yes        Yes       No
Manager         String     <use available>  Collected    Yes        Yes       No

Application Role attributes (step 4):

Attribute Name  Data Type  Database ID      Data Source  In Detail  In Popup  Mandatory
External Id     String     <use available>  Collected    No         No        No
Role Name       String     <use available>  Collected    Yes        Yes       No
Description     String     <use available>  Collected    Yes        Yes       No


Configure ServiceNow Account and Entitlement Data Collectors

This section describes how to configure an account data collector and an entitlement data collector for the ServiceNow application.

Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 62 were in fact defined.

ServiceNow Connection Configuration

The following information is required to configure ServiceNow data collectors:

• URL: Base URL of ServiceNow Instance

• Username: Admin User Name

• Password: Admin Password

Enabling WS Security for a ServiceNow Collector

This procedure applies to the ServiceNow account and entitlement collector configuration.

To enable WS security for a collector:

1. Select Enable WS Security.

2. Enter the Private Key Password.

3. Paste the private key of the certificate uploaded on the ServiceNow instance, in PEM format, into the Private Key text area.

4. Paste the certificate uploaded on the ServiceNow instance, in X.509 PEM format, into the X.509 Certificate uploaded on ServiceNow text area.

Configure the ServiceNow Account Collector

This section describes how to configure an account collector for the ServiceNow application.

To configure the collector:

1. From the ServiceNow application’s Collectors tab, click Create Account Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of ServiceNow ADC>

- Data Source Type: ServiceNow

• Configuration Information

- URL: <Base URL of the ServiceNow instance>


- Username: <Admin user name>

- Password: <Admin user password>

- Enable WS Security: Select if WS Security is enabled.

- Private Key Password: <PrivateKeyPassword> if WS Security is enabled.

- Private key: <PrivateKey> if WS Security is enabled.

- X.509 Certificate uploaded on ServiceNow: <Certificate> if WS Security is enabled

• Map Collector Attributes to Account Mapping Attributes

- User Reference: User name

• Map Collector Attributes to Account Attributes

- Last Login Date: last_login_time

- Email: email

- External Id: sys_id

- Active: active

- Name: name

• Map Collector Attributes to Group Attributes

- Email: Email

- Manager: manager

- External Id: sys_id

- Active: active

- Name: name

- Type: Type

• Edit User Resolution Rules

- Target Collector: <Name of the identity collector that collects ServiceNow users> or Users

- User Attribute: <Attribute to which ServiceNow Accounts will be mapped, User Id for example>

• Edit Member Account Resolution Rules

- Target collector: <Name of ServiceNow ADC>

- Account Attribute: Account Name

• Edit Sub-group Resolution Rules

- Target collector: <Name of ServiceNow ADC>

- Group Attribute: Name


Configure the ServiceNow Entitlement Collector

This section describes how to configure an entitlement collector for the ServiceNow application.

To configure the collector:

1. From the ServiceNow application’s Collectors tab, click Create Entitlement Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of the ServiceNow EDC>

- Data Source Type: ServiceNow

• Configuration Information

- URL: <Base URL of the ServiceNow instance>

- Username: <Admin user name>

- Password: <Admin user password>

- Enable WS Security: Select if WS Security is enabled.

- Private Key Password: <PrivateKeyPassword> if WS Security is enabled.

- Private key: <PrivateKey> if WS Security is enabled.

- X.509 Certificate uploaded on ServiceNow: <Certificate> if WS Security is enabled

• Map Collector Attributes to App Role Attributes

- External Id: sys_id

- Role Name: role_name

- Description: description

• Group Evaluation

- Associated collector: <Name of the ServiceNow ADC>

- Group value evaluates to: Name

• Account Evaluation

- Associated account collector: <Name of the ServiceNow ADC>

- Account value evaluates to: Account Name

Note: The following views are created on the ServiceNow instance after the collector is executed for the first time: AveksaGroupHasRoleView, AveksaGroupView, AveksaRoleView, AveksaUserGrMemberView, AveksaUserHasRoleView, AveksaUserRoleContainsView, and AveksaUserView. Maintain these view definitions as is; otherwise, the collector will not work. You can see these views on ServiceNow under System UI -> Views.


How Entitlements in ServiceNow Appear in RSA IAM Platform

This section provides information regarding how particular ServiceNow attributes are mapped to RSA IAM Platform attributes.

Account Data Collector Mapping

The account collector gathers account and group-related information from following ServiceNow instance web services:

• http://<instance_name>.service-now.com/sys_user.do?WSDL

• http://<instance_name>.service-now.com/sys_user_group.do?WSDL

• http://<instance_name>.service-now.com/sys_user_grmember.do?WSDL

It stores this information in account and group objects in RSA IAM Platform.

Account Name

The ''user_name'' field that is retrieved from the following web service is used as the account name in the account collector:

http://<instance_name>.service-now.com/sys_user.do?WSDL

Account Attribute Mapping

The following table lists the mapping of ServiceNow account-related attributes to RSA IAM Platform object attributes:

Account - User Resolution

One of the following attributes can be used for account to user mapping:

• user_name — This is preferred because it is unique for all users in the ServiceNow instance.

• email — This is not unique in the ServiceNow instance.

Note: ServiceNow allows creation of empty accounts, those with no user name for instance. Aveksa, however, does not collect such entities.

ServiceNow Attribute  ACM Attribute            Description
active                Account.active           Status of the ServiceNow user (active or inactive).
name                  Account.name             Name of the ServiceNow user.
user_name             Account.Account_name     User name of the ServiceNow user.
email                 Account.email            Email Id of the ServiceNow user.
last_login_time       Account.Last Login Date  Last login date of the ServiceNow user.
sys_id                Account.sys_id           Unique Id provided by ServiceNow.
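The following Python example, added here and not part of the guide or the product, shows what the account collector does with the sys_user web service described above: it builds the basic-authenticated SOAP getRecords request (without sending it), maps each returned record using the table above, drops empty accounts that have no user_name, and then resolves accounts to identities first by user_name and then by email, to show why email is not a safe resolution key. The SOAP envelope, the sys_user namespace, the ?SOAP endpoint, the response body and the identity records are constructed assumptions; the field map is the guide's. The base URL uses HTTPS on purpose: with basic authorization required, the admin credentials travel in every request header.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.request import Request

# Field map from the guide's account attribute table: sys_user field -> ACM attribute.
ACCOUNT_FIELD_MAP = {
    "user_name": "Account_Name",
    "name": "name",
    "email": "email",
    "active": "active",
    "last_login_time": "Last Login Date",
    "sys_id": "sys_id",
}

# Assumed envelope and namespace for the sys_user direct web service (not from the guide).
GET_RECORDS_ENVELOPE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:sn="http://www.service-now.com/sys_user">
  <soapenv:Body><sn:getRecords><sn:__limit>250</sn:__limit></sn:getRecords></soapenv:Body>
</soapenv:Envelope>"""


def build_get_records_request(base_url, username, password):
    """Build (without sending) the basic-auth POST the collector needs once
    'Require basic authorization for incoming SOAP requests' is selected."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return Request(
        f"{base_url.rstrip('/')}/sys_user.do?SOAP",  # assumed SOAP endpoint beside the ?WSDL URL
        data=GET_RECORDS_ENVELOPE.encode(),
        method="POST",
        headers={
            "Content-Type": "text/xml; charset=utf-8",
            "Authorization": "Basic " + token,  # reversible encoding, not encryption: HTTPS only
        },
    )


# Constructed getRecords response: two real users plus an "empty" record with no user_name.
SAMPLE_RESPONSE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Body>
  <getRecordsResponse xmlns="http://www.service-now.com/sys_user">
   <getRecordsResult>
    <active>true</active><email>alice@example.com</email>
    <last_login_time>2014-03-01 09:12:44</last_login_time><name>Alice Adams</name>
    <sys_id>1a2b3c4d5e6f00000000000000000001</sys_id><user_name>alice.adams</user_name>
   </getRecordsResult>
   <getRecordsResult>
    <active>false</active><email></email><last_login_time></last_login_time>
    <name>Orphan Record</name><sys_id>1a2b3c4d5e6f00000000000000000002</sys_id><user_name></user_name>
   </getRecordsResult>
   <getRecordsResult>
    <active>true</active><email>bob@example.com</email>
    <last_login_time>2014-02-20 17:05:01</last_login_time><name>Bob Brown</name>
    <sys_id>1a2b3c4d5e6f00000000000000000003</sys_id><user_name>bob.brown</user_name>
   </getRecordsResult>
  </getRecordsResponse>
 </soapenv:Body>
</soapenv:Envelope>"""


def collect_accounts(soap_xml):
    """Map each getRecordsResult to ACM account attributes; skip empty accounts
    (no user_name), which ServiceNow permits but the collector does not collect."""
    root = ET.fromstring(soap_xml)
    accounts = []
    for rec in root.iter():
        if not rec.tag.endswith("getRecordsResult"):
            continue
        fields = {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in rec}
        if not fields.get("user_name"):
            continue
        accounts.append({acm: fields.get(sn, "") for sn, acm in ACCOUNT_FIELD_MAP.items()})
    return accounts


# Constructed identity records (what an identity collector would already hold).
IDENTITIES = [
    {"User Id": "alice.adams", "Email Address": "alice@example.com"},
    {"User Id": "alice.contractor", "Email Address": "alice@example.com"},  # shares Alice's mailbox
    {"User Id": "bob.brown", "Email Address": "bob@example.com"},
]


def resolve_accounts(accounts, identities, account_attr, identity_attr):
    """Account-to-user resolution: returns (resolved, unresolved, ambiguous)."""
    resolved, unresolved, ambiguous = {}, [], []
    for acct in accounts:
        matches = [i["User Id"] for i in identities if i[identity_attr] == acct[account_attr]]
        name = acct["Account_Name"]
        if len(matches) == 1:
            resolved[name] = matches[0]
        elif matches:
            ambiguous.append(name)
        else:
            unresolved.append(name)
    return resolved, unresolved, ambiguous


if __name__ == "__main__":
    accts = collect_accounts(SAMPLE_RESPONSE)
    print("by user_name:", resolve_accounts(accts, IDENTITIES, "Account_Name", "User Id"))
    print("by email:    ", resolve_accounts(accts, IDENTITIES, "email", "Email Address"))
```

Resolving by user_name maps both accounts cleanly; resolving by email leaves alice.adams ambiguous because two identities share the address, which is the situation the note above warns about.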


Collected Group Data

Groups are collected by the account collector.

Group Name

The ''name'' field that is retrieved from the following web service is used as the group name in group collection:

http://<instance_name>.service-now.com/sys_user_group.do?WSDL

Group Attribute Mapping

The following table lists the mapping of ServiceNow group-related attributes to RSA IAM Platform object attributes:

ServiceNow Attributes    ACM Attributes      Description
active                   Group.active        Status of the group (active or inactive).
Name                     Group.Group_Name    Name of the group.
email                    Group.email         Email address of the group.
manager                  Group.manager       Manager of the group.
type                     Group.type          The group type.
sys_id                   Group.sys_id        The unique Id provided by ServiceNow.

Group Account and Group Subgroup Resolutions

Groups can include accounts or other groups as members.

Group Membership Resolution

For group-account mapping, the account's account name should be used.

Mapping between users and groups is retrieved from the following web service:

http://<instance_name>.service-now.com/sys_user_grmember.do?WSDL

The fields of this web service map as follows:

ServiceNow Attributes    ACM Attributes
group                    Group.Group_Name
user                     Account.Account_Name

Subgroup Resolution

For group-subgroup mapping, the group name should be used. The 'parent' field fetched from the web service contains the parent group's name; this is how the mapping between a group and its subgroups is maintained.


Entitlement Data Collector Mapping

The entitlement collector gathers entitlement-related data in the form of application roles from the ServiceNow instance. It also provides the mapping of application roles with the accounts and groups collected by the ServiceNow account collector.

The entitlement collector collects information from the following ServiceNow web services:

• http://<instance_name>.service-now.com/sys_user_role.do?WSDL

• http://<instance_name>.service-now.com/sys_user_has_role.do?WSDL

• http://<instance_name>.service-now.com/sys_group_has_role.do?WSDL

• http://<instance_name>.service-now.com/sys_user_role_contains.do?WSDL

Application Role

Roles in ServiceNow are defined as application roles in RSA IAM Platform.

Application Role Name

The "name" attribute is used as the application role name.

Application Role Attribute Mapping

All roles are collected from the following web service:

http://<instance_name>.service-now.com/sys_user_role.do?WSDL

ServiceNow attributes are mapped to RSA IAM Platform object attributes as follows:

ServiceNow Attributes    ACM Attributes         Description
name                     AppRole.Name           The ServiceNow role name.
description              AppRole.description    The ServiceNow role description.
sys_id                   AppRole.sys_id         The unique role Id provided by ServiceNow.

Note: ServiceNow allows the creation of empty roles (for instance, roles with no name). Aveksa, however, does not collect such entities.

Application Role – Account Resolution

User and role mapping information is retrieved from the following web service:

http://<instance_name>.service-now.com/sys_user_has_role.do?WSDL

Application roles are assigned to accounts using an account's account name attribute.

Application Role – Group Resolution

Group and role mapping information is retrieved from the following web service:

http://<instance_name>.service-now.com/sys_group_has_role.do?WSDL

Application roles are assigned to groups using a group's Group Name attribute.


Application Role – Sub Role Resolution

Role and sub-role mapping information is retrieved from the following web service:

http://<instance_name>.service-now.com/sys_user_role_contains.do?WSDL

Application sub-roles are assigned to application roles using an application role's role name attribute.
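The group, group-to-subgroup, role and sub-role resolutions described above together determine what access a ServiceNow account actually holds, which is what an access reviewer needs to see. The following is an added example, not RSA/Aveksa code, that computes that effective access from constructed records shaped like the collected objects (group membership, the group 'parent' field, user roles, group roles and role containment). It assumes that a member of a subgroup is treated as a member of every ancestor group and that a role grants every role it transitively contains; it also refuses to loop on a cyclic parent chain, which the collector's parent-name mapping cannot rule out.

```python
"""Effective ServiceNow access computed from the collected objects this
chapter describes: group membership (sys_user_grmember), the group 'parent'
field, user roles (sys_user_has_role), group roles (sys_group_has_role) and
role containment (sys_user_role_contains).  Added example, not RSA/Aveksa
code.  Assumptions: a member of a subgroup is treated as a member of every
ancestor group, and a role grants every role it transitively contains."""
from collections import defaultdict

# Constructed sample records, keyed by name as the collectors resolve them.
GROUPS = {               # group name -> parent group name (None = top level)
    "itil_all": None,
    "service_desk": "itil_all",
    "tier2": "service_desk",
    "loop_a": "loop_b",  # constructed parent cycle, to show detection
    "loop_b": "loop_a",
}
GRMEMBER = [("jdoe", "tier2"), ("asmith", "itil_all"), ("bjones", "loop_a")]
USER_HAS_ROLE = [("asmith", "admin")]
GROUP_HAS_ROLE = [("itil_all", "itil"), ("service_desk", "sn_incident_write")]
ROLE_CONTAINS = [("admin", "itil"), ("itil", "itil_read"),
                 ("sn_incident_write", "sn_incident_read")]


def ancestors(group, groups):
    """Return the group and every ancestor via 'parent'; raise on a cycle."""
    chain = []
    while group is not None:
        if group in chain:
            raise ValueError("group parent cycle: " + " -> ".join(chain + [group]))
        chain.append(group)
        group = groups.get(group)
    return chain


def expand_roles(roles, contains):
    """Transitive closure of the role containment relation."""
    children = defaultdict(set)
    for parent, child in contains:
        children[parent].add(child)
    closed, todo = set(), list(roles)
    while todo:
        role = todo.pop()
        if role not in closed:
            closed.add(role)
            todo.extend(children[role])
    return closed


def effective_access(account, groups=GROUPS, grmember=GRMEMBER,
                     user_roles=USER_HAS_ROLE, group_roles=GROUP_HAS_ROLE,
                     contains=ROLE_CONTAINS):
    """Return (group names, role names) the account effectively holds."""
    held_groups = set()
    for user, group in grmember:
        if user == account:
            held_groups.update(ancestors(group, groups))
    roles = {r for u, r in user_roles if u == account}
    roles |= {r for g, r in group_roles if g in held_groups}
    return held_groups, expand_roles(roles, contains)


if __name__ == "__main__":
    for account in ("jdoe", "asmith"):
        print(account, effective_access(account))
```

Run against real collected data, the same walk shows why a direct membership in a low-level subgroup can carry roles granted far up the parent chain, and the cycle check keeps one bad 'parent' value from stalling a review run.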

Data Collection Limitations

To deal with WSDL changes across different ServiceNow instances, Aveksa collects data using "System UI Views." Aveksa creates these System UI Views programmatically using the following web services.

• http://<instance_name>.service-now.com/sys_ui_view.do?WSDL

• http://<instance_name>.service-now.com/sys_ui_element.do?WSDL

• http://<instance_name>.service-now.com/sys_ui_section.do?WSDL

If these WSDLs change and extra fields are present in a WSDL for a particular ServiceNow instance, creation of the views fails.

System UI View WSDL Description

http://<instance_name>.service-now.com/sys_ui_view.do?WSDL

The following fields are supported in the View WSDL. For each field, the minimum occurrence is zero and the maximum occurrence is one.

• group

• hidden

• name

• roles

• sys_created_by

• sys_created_on

• sys_id

• sys_mod_count

• sys_updated_by

• sys_updated_on

• title

• user


System UI Section WSDL Description

http://<instance_name>.service-now.com/sys_ui_section.do?WSDL

The following fields are supported in the UI Section WSDL. For each field, the minimum occurrence is zero and the maximum occurrence is one.

• caption

• header

• name

• roles

• sys_created_by

• sys_created_on

• sys_domain

• sys_id

• sys_mod_count

• sys_overrides

• sys_updated_by

• sys_updated_on

• sys_user

• title

• view

• view_name

System UI Element WSDL Description

http://<instance_name>.service-now.com/sys_ui_element.do?WSDL

The following fields are supported in the UI Element WSDL. For each field, the minimum occurrence is zero and the maximum occurrence is one.

• element

• position

• sys_created_by

• sys_created_on

• sys_id

• sys_mod_count

• sys_ui_section

• sys_updated_by

• sys_updated_on


• sys_user

• type
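Because view creation fails when an instance's WSDL carries fields beyond the three supported lists above, it is worth checking the WSDLs before the first collection run rather than discovering the failure in the collector log. The following is an added example, not RSA/Aveksa code: it parses a WSDL, reads the record fields, and reports any field outside the supported set and any field whose minOccurs/maxOccurs is not 0/1. The WSDL text is a constructed, trimmed stand-in for what the sys_ui_view WSDL returns, and the check assumes the record fields are declared under the schema element named "insert"; adjust that name if the WSDL you fetch declares them elsewhere.

```python
"""Pre-flight check for the System UI View, Section and Element WSDLs: report
any field a ServiceNow instance exposes beyond the supported set (view creation
fails on extra fields) and any field whose minOccurs/maxOccurs is not 0/1.
Added example, not RSA/Aveksa code.  SAMPLE_VIEW_WSDL is a constructed,
trimmed stand-in for http://<instance_name>.service-now.com/sys_ui_view.do?WSDL
and assumes the record fields sit under <xsd:element name="insert">."""
import xml.etree.ElementTree as ET

XSD = "{http://www.w3.org/2001/XMLSchema}"

# Supported fields per WSDL, as listed under "Data Collection Limitations".
SUPPORTED = {
    "sys_ui_view": {
        "group", "hidden", "name", "roles", "sys_created_by", "sys_created_on",
        "sys_id", "sys_mod_count", "sys_updated_by", "sys_updated_on", "title", "user"},
    "sys_ui_section": {
        "caption", "header", "name", "roles", "sys_created_by", "sys_created_on",
        "sys_domain", "sys_id", "sys_mod_count", "sys_overrides", "sys_updated_by",
        "sys_updated_on", "sys_user", "title", "view", "view_name"},
    "sys_ui_element": {
        "element", "position", "sys_created_by", "sys_created_on", "sys_id",
        "sys_mod_count", "sys_ui_section", "sys_updated_by", "sys_updated_on",
        "sys_user", "type"},
}

# Constructed sample: one customer-added field (u_custom_flag) and one field
# (sys_id) whose occurrence constraints differ from the documented 0..1.
SAMPLE_VIEW_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <types>
    <xsd:schema>
      <xsd:element name="insert">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:element name="group" type="xsd:string" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="hidden" type="xsd:string" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="name" type="xsd:string" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="sys_id" type="xsd:string"/>
            <xsd:element name="title" type="xsd:string" minOccurs="0" maxOccurs="1"/>
            <xsd:element name="u_custom_flag" type="xsd:string" minOccurs="0" maxOccurs="1"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
    </xsd:schema>
  </types>
</definitions>"""


def wsdl_fields(wsdl_text, operation="insert"):
    """Return {field: (minOccurs, maxOccurs)} declared under the named element."""
    root = ET.fromstring(wsdl_text)
    for el in root.iter(XSD + "element"):
        if el.get("name") == operation:
            # el.iter() yields el itself first; skip it and keep its descendants.
            return {f.get("name"): (f.get("minOccurs"), f.get("maxOccurs"))
                    for f in el.iter(XSD + "element") if f is not el}
    raise ValueError(f"no <xsd:element name={operation!r}> in WSDL")


def check_wsdl(wsdl_text, table):
    """Compare a WSDL's record fields with the supported set for the given table."""
    fields = wsdl_fields(wsdl_text)
    return {
        "extra": sorted(set(fields) - SUPPORTED[table]),
        "bad_occurs": sorted(n for n, occ in fields.items() if occ != ("0", "1")),
    }


if __name__ == "__main__":
    print(check_wsdl(SAMPLE_VIEW_WSDL, "sys_ui_view"))
```

Feed the text fetched from each of the three WSDL URLs to check_wsdl with the matching table name; a non-empty "extra" list is the condition under which the page says view creation would fail.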

Set Up the AFX ServiceNow Connector

Note: If the ServiceNow instance is already configured for collection, no additional configuration is required. AFX uses the same configuration as the ServiceNow collectors, with or without WS Security. Because the System UI Views created during the collection process are used for AFX commands, the collectors must be run before requests are auto-fulfilled with AFX.

This section describes ServiceNow connector configuration in AFX. The ServiceNow Connector completes the following tasks:

• AddAccountToGroup

• AddAppRoleToAccount

• AddAppRoleToGroup

• AddGroupToGroup

• AddAppRoleToAppRole

• CreateAccount

• CreateGroup

• DeleteAccount

• DeleteGroup

• DisableAccount

• EnableAccount

• ResetPassword

• RemoveAccountFromGroup

• RemoveAppRoleFromAccount

• RemoveAppRoleFromGroup

• RemoveAppRoleFromAppRole

• UpdateAccount

See the Access Fulfillment Express Guide for more information on working with AFX.

See the Access Request Manager Guide for more information on working with request forms and account templates.


Create the ServiceNow Connector

To create the connector:

1. Select AFX > Connectors > Create Connector.

2. Click the General tab and configure the following settings:

• Name: <Name of ServiceNow connector>

• Connector Template: ServiceNow Connector

• Status: Active

3. Click the Settings tab and configure the following settings:

• InstanceName: <InstanceName>

• Username: <Username>

• Password: <Password>

• Select Enable WS Security (if WS Security is enabled on the ServiceNow instance).

• Enter the Private Key Password (if WS Security is enabled).

• Enter the private key of the certificate uploaded on the ServiceNow instance, in PEM format, in the text area (if WS Security is enabled).

• Enter the X.509 certificate uploaded on the ServiceNow instance, in PEM format, in the X.509 Certificate uploaded on ServiceNow text area (if WS Security is enabled).

4. Click the Capabilities tab and select all check-boxes, and then click OK.

Create an Account Request Form

The request form enables users to request creation of an account.

To create the form:

1. Select Requests > Configuration > Request Forms.

2. Click Create Form.

3. Select Create a new Form, click Next, and then configure as follows:

• General Properties

- Form Name: <Form Name>

- Enabled: True

- FormType: Create Account

- Changes Apply to: One user with the following attributes: All

- Fulfillment Workflow: Default AFX Fulfillment

• Fields

Click New.


- Variable Name: <Var1 Name>

- Control Type: Password Field

- Question: “Enter Password”

Click OK.

Create an Account Template

The account template provides account input parameters.

To create the account template:

1. Select Requests > Configuration > Account Templates.

2. Click Create Account Template, and then configure as follows:

• Name: <Account Template Name>

• Account Creation Form: Select the form previously created.

Click OK.

3. Click the name of the account template you just created. Configure as follows:

• Click Add Pending Account Parameter, and enter settings:

- Name: Name

- Value: ${User.User_Id}

Click OK.

• Click Add Parameter, and enter settings:

- Name: User

- Form Field: <Var1 Name>

Click OK.

• Click Add Parameter, and enter settings:

- Name: Password

- Form Field: <Var1 Name>

Click OK.

Associate the Account Template to the ServiceNow Application

You must associate the account template you just created to the ServiceNow application so the template can be used for requests for accounts from the application.

To associate the template to the application:

1. Select Resources > Applications.

2. Click <ServiceNow App Name>.

3. Click Requests.


4. Click Edit Account Template Associations.

5. Select the <The account template you just created>.

6. Click OK.

7. Set Entitlements Require Account to Yes.

8. Select the Fulfillment Workflow: Default AFX Fulfillment.

Discover and Map the ServiceNow Connector in RSA IAM Platform

After you create the ServiceNow connector in AFX, you must discover the connector in RSA IAM Platform and map ServiceNow attributes to connector command parameters.

Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.

To discover the connector and map attributes:

1. Select AFX > Map Connectors.

2. Click Discover Connectors From AFX Server.

3. Click Apply Changes.

4. From the AFX Connector Summary window, click <Name of ServiceNow connector>.

5. Click the Capabilities tab.

6. Map command attributes as follows:

• AddAccountToGroup

- AccountName: ${Account.Name}

- GroupName: ${Group.Name}

• AddAppRoleToAccount

- AccountName: ${Account.Name}

- Role: ${ApplicationRole.Name}

• AddAppRoleToAppRole

- Role: ${ApplicationRole.Name}

- SubAppRoleName: ${ApplicationRole.Name}

• AddAppRoleToGroup

- GroupName: ${Group.Name}

- Role: ${ApplicationRole.Name}

• AddGroupToGroup

- GroupName: ${Group.Name}

- ParentGroupName: ${Group.Name}


• CreateAccount

- Email: ${User.Email_Address}

- Firstname: ${User.First_Name}

- Lastname: ${User.Last_Name}

- Password: ${AccountTemplate.Password}

- Username: ${User.User_Id}

• CreateGroup

- Not available in v6.5

• DeleteAccount

- UserName: ${Account.Name}

• DeleteGroup

- GroupName: ${Group.Name}

• DisableAccount

- UserName: ${Account.Name}

• EnableAccount

- UserName: ${Account.Name}

• RemoveAccountFromGroup

- UserName: ${Account.Name}

- GroupName: ${Group.Name}

• RemoveAppRoleFromAccount

- UserName: ${Account.Name}

- Role: ${ApplicationRole.Name}

• RemoveAppRoleFromAppRole

- Role: ${ApplicationRole.Name}

- SubAppRoleName: ${ApplicationRole.Name}

• RemoveAppRoleFromGroup

- GroupName: ${Group.Name}

- Role: ${ApplicationRole.Name}

• ResetPassword

- Password: <Any password>

- UserName: ${Account.Name}

• UpdateAccount

- UserName: ${User.User_Id}


- FirstName: ${User.First_Name}

- LastName: ${User.Last_Name}

- Email: ${User.Email_Address}

7. From the AFX Connector Summary window, click Enable for each command to enable it.

8. Click the General tab, and then click Enable to enable the connector.

Bind the Connector to the ServiceNow Application

You must associate, or bind, the ServiceNow connector to the ServiceNow application to implement auto-fulfillment of access request tasks you want completed in the ServiceNow system.

1. Select Resources > Applications > ServiceNow > AFX Connector Binding.

2. Click Edit Connector Binding.

3. Select the ServiceNow connector from the drop-down list, and then click OK.

Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.


Chapter 7: Zendesk

Content

• “Set Up Zendesk for Onboarding” on page 78

• “Data Collection Prerequisites” on page 78

• “About Privileges for the Zendesk Service Account” on page 79

• “Configure Zendesk Account and Entitlement Data Collectors” on page 79

• “How Entitlements in Zendesk Appear in RSA IAM Platform” on page 81

• “Set Up the AFX Zendesk Connector” on page 83


Set Up Zendesk for Onboarding

Before you create Zendesk data collectors, collect Zendesk data, and auto-fulfill requests for entitlements from Zendesk with AFX, you must obtain administrator or owner credentials for Zendesk.

Data Collection Prerequisites

Complete the following tasks before you create Zendesk data collectors:

• Create a Zendesk application in RSA IAM Platform.

• Define additional attributes you require for Zendesk objects in RSA IAM Platform that you want to collect from Zendesk.

Create a Zendesk Application

You must create a “Zendesk” application object in RSA IAM Platform with which you will associate Zendesk data collectors and an AFX auto-fulfillment connector.

To create the Zendesk application:

1. Select Resources > Applications > Create Application > Other Application.

2. Application Name: Zendesk.

See the Administrators Guide for more information on how to create and manage applications.

Define Additional Attributes

You must define attributes cited as mandatory in this section. If you want to collect all available data from Zendesk, you can define a set of additional attributes for the following objects in RSA IAM Platform:

• Account

• Application Role

• Group

See the Administrators Guide for more information on how to create and manage attributes.

To define attributes:

1. Select Admin > Attributes.

2. Select the Account tab and add the following attributes:

Attribute Name    Data Type    Database ID        Data Source    In Detail    In Popup    Mandatory
GivenName         String       <use available>    Collected      Yes          Yes         No
Email             String       <use available>    Collected      Yes          Yes         No
Date              Date         <use available>    Collected      Yes          Yes         No


3. Select the Group tab and add the following attributes:

Attribute Name    Data Type    Database ID        Data Source    In Detail    In Popup    Mandatory
CreatedAt         String       <use available>    Collected      Yes          Yes         No

About Privileges for the Zendesk Service Account

The service account must be an administrator for the particular subscription. This is a requirement for the Zendesk (AFX) connector as RSA IAM Platform provisions agent accounts into Zendesk. Only administrator users have the privileges to create agents. For Enterprise subscriptions, Zendesk allows you to customize the roles; however, the agent creation fails under the administrator role.

Configure Zendesk Account and Entitlement Data Collectors

This section describes how to configure an account data collector and an entitlement data collector for the Zendesk application.

Note: This section’s configuration examples are based on the assumption that all of the attributes cited in “Define Additional Attributes” on page 78 were in fact defined.

Configure the Zendesk Account Collector

This section describes how to configure an account collector for the Zendesk application.

To configure the collector:

1. From the Zendesk application’s Collectors tab, click Create Account Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of Zendesk ADC>

- Data Source Type: Zendesk

• Configuration Information

- Admin Email Address: <Email Address of the admin of the domain registered on Zendesk>

- Admin Password: <Password of the admin of the domain registered with Zendesk>

- Company Name: <Company URL>

• Map Collector Attributes to Account Mapping Attributes

- Email: <Email Address of the admin of the domain registered on Zendesk>


• Map Collector Attributes to Account Attributes

- User Reference: email

- Type: type

- GivenName: name

- Date: created_at

• Map Collector Attributes to Group Attributes

- Name: groupName

- CreatedAt: created_at

• Edit User Resolution Rules

- Target Collector: <Name of the identity collector that collects Zendesk users> or Users

- User Attribute: Email Address

• Edit Member Account Resolution Rules

- Target collector: <Name of Zendesk ADC>

- Account Attribute: Name

• Edit Sub-group Resolution Rules

- Target collector: <Name of Zendesk ADC>

- Group Attribute: Name

Configure the Zendesk Entitlement Collector

This section describes how to configure an entitlement collector for the Zendesk application.

To configure the collector:

1. From the Zendesk application’s Collectors tab, click Create Entitlement Collector.

2. Configure each page cited, click Next to proceed through the configuration pages (skip pages that do not require configuration), and then click Finish when you have completed your configurations.

Configuration Specifications:

• Collector Description

- Collector Name: <Name of the Zendesk EDC>

- Data Source Type: Zendesk

• Group Evaluation

- Associated Collector: <Name of Zendesk ADC>

- Group Value Evaluates to: Account Name


• Account Evaluation

- Associated Account Collector: <Name of Zendesk ADC>

- Account Value Evaluates to: Account Name

How Entitlements in Zendesk Appear in RSA IAM Platform

This section provides information regarding how particular Zendesk attributes are mapped to RSA IAM Platform attributes.

Account Data Collector Mapping

The account collector gathers account and group related information from the "User", "Group", and "GroupMember" objects of the Zendesk instance. It stores this information in the 'Account' and 'Group' objects of RSA IAM Platform.

Account Name

User.Username is used as the account name in the account collector.

Account Attribute Mapping

The account attribute mapping table at the end of this section lists the mapping of Zendesk account-related attributes to RSA IAM Platform object attributes.

Account - User Resolution

One of the following attributes can be used for account to user mapping:

• user_name — User Id.

• email — This is preferred because it is unique for all users in the Zendesk instance.
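The ServiceNow account collector earlier in this guide prefers user_name for account-to-user resolution because email is not unique there, while the Zendesk collector prefers email because it is unique in a Zendesk instance; in both cases the collector also skips entities with an empty account name. The following is an added example, not RSA/Aveksa code, showing what those rules mean in practice: a resolver that maps collected accounts to users on a chosen attribute and separates clean matches from orphaned accounts (no user) and ambiguous ones (a non-unique key), the two outcomes an access review has to chase. The user and account records are constructed; the attribute names follow this chapter's mapping tables.

```python
"""Account-to-user resolution for the ServiceNow and Zendesk account
collectors.  Added example, not RSA/Aveksa code: it models the rule that the
resolution attribute should be unique (ServiceNow: user_name, Zendesk: email),
flags collisions and orphans, and skips entities with an empty account name,
which the collectors do not collect."""
from collections import defaultdict

# Constructed sample data (not taken from a real instance).  Users are the
# identities already in RSA IAM Platform; accounts are what the collector reads.
USERS = [
    {"User_Id": "jdoe",   "Email_Address": "jdoe@example.com"},
    {"User_Id": "asmith", "Email_Address": "shared@example.com"},
    {"User_Id": "bjones", "Email_Address": "shared@example.com"},  # duplicate email
]

SERVICENOW_ACCOUNTS = [
    {"user_name": "jdoe",    "email": "jdoe@example.com",   "active": "true"},
    {"user_name": "asmith",  "email": "shared@example.com", "active": "true"},
    {"user_name": "",        "email": "",                   "active": "true"},   # empty account
    {"user_name": "svc_old", "email": "svc@example.com",    "active": "false"},  # no matching user
]


def collect(accounts, name_attr):
    """Drop entities whose account-name field is empty, as the collectors do."""
    return [a for a in accounts if a.get(name_attr)]


def resolve(accounts, users, account_attr, user_attr, name_attr="user_name"):
    """Map each collected account to a user where account[account_attr] == user[user_attr].

    Returns (resolved, orphans, ambiguous):
      resolved  - {account name: User_Id} where exactly one user matches
      orphans   - account names with no matching user (unowned access to review)
      ambiguous - account names whose key matches several users (key not unique)
    """
    by_key = defaultdict(list)
    for user in users:
        by_key[user[user_attr]].append(user["User_Id"])

    resolved, orphans, ambiguous = {}, [], []
    for acct in collect(accounts, name_attr):
        matches = by_key.get(acct[account_attr], [])
        if len(matches) == 1:
            resolved[acct[name_attr]] = matches[0]
        elif not matches:
            orphans.append(acct[name_attr])
        else:
            ambiguous.append(acct[name_attr])
    return resolved, orphans, ambiguous


if __name__ == "__main__":
    # Preferred ServiceNow key: user_name is unique, so nothing is ambiguous.
    print(resolve(SERVICENOW_ACCOUNTS, USERS, "user_name", "User_Id"))
    # The same accounts keyed on email: the shared address cannot be resolved.
    print(resolve(SERVICENOW_ACCOUNTS, USERS, "email", "Email_Address"))
```

For Zendesk, call resolve with account_attr="email", user_attr="Email_Address" and name_attr set to the account-name field; the orphan list is the same kind of finding either way, an account in the target system that no identity owns.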

Collected Group Data

Groups are collected by the account collector.

Group Name

Group.Name is used as Group name in the account collector.

Account attribute mapping (Zendesk attributes to RSA IAM Platform attributes):

Zendesk Attributes    ACM Attributes         Description
User.Id               Account.External Id    Unique ID provided by Zendesk to each user object.
User.IsActive         Account.Status         Whether the user's account in Zendesk is active or not.
User.Email            Account.email          Email address of the Zendesk user.


Group Attribute Mapping

The following table lists the mapping of Zendesk group-related attributes to RSA IAM Platform object attributes:

Zendesk Attributes    ACM Attributes      Description
Group.Id              Group.Id            Unique ID provided by Zendesk to each group object.
Group.Name            Group.Name          Name of the group.
Group.Created_at      Group.Created_at    Date the group was created.

Group Account and Group Subgroup Resolutions

Groups can have accounts as members.

Group members are added based on the group member mapping in Zendesk's GroupMember object.

Group Membership Resolution

For Group-Account mapping, an account's Account Name should be used.

Entitlement Data Collector Mapping

The entitlement collector gathers entitlement-related data in the form of application roles from the Zendesk instance. It also provides the mapping of application roles with the accounts collected by the Zendesk account collector.

Application Roles

This collector collects information from users on the roles they belong to. It stores this data as application roles in RSA IAM Platform.

Application Role Name

The Role.Name attribute is used as the application role name.

Application Role Attribute Mapping

Zendesk Attributes    ACM Attributes    Description
Role.name             AppRole.Name      The role specified for each user in Zendesk is the user’s application role in RSA IAM Platform.

Application Role – Account Resolution

Application roles are assigned to accounts using the account's Account Email Address attribute.


Set Up the AFX Zendesk Connector

This section describes Zendesk connector configuration in AFX. The Zendesk Connector completes the following tasks:

• Create Account

• Delete Account

• Disable Account

• Enable Account

• Create Group

• Delete Group

• Add Account to Group

• Remove Account From Group

• Update Account

See the Access Fulfillment Express Guide for more information on working with AFX.

See the Access Request Manager Guide for more information on working with request forms and account templates.

Create the Zendesk Connector

When you create the Zendesk connector, enter the same credentials required to create the Zendesk account and entitlement collectors.

To create the connector:

1. Select AFX > Connectors > Create Connector.

2. Click the General tab and configure the following settings:

• Name: <Name of Zendesk connector>

• Connector Template: Zendesk Connector

• Status: Active

3. Click the Settings tab and configure the following settings:

• Username: <Username>

• Password: <Password>

• Company Name: <Company URL>

4. Click the Capabilities tab and select all check-boxes, and then click OK.


Create an Account Request Form

The request form enables users to request creation of an account.

To create the form:

1. Select Requests > Configuration > Request Forms.

2. Click Create Form.

3. Select Create a new Form, click Next, and then configure as follows:

• General Properties

- Form Name: <Form Name>

- Enabled: True

- FormType: Create Account

- Changes Apply to: One user with the following attributes: All

- Fulfillment Workflow: Default AFX Fulfillment

• Fields

Click New.

- Variable Name: <Var1 Name>

- Control Type: Drop Down Select

- Question: “Enter the Role”

- Options: Enter the following:

Value: Admin

Display: Admin

Click Add.

Value: Agent

Display: Agent

Click Add.

Click OK.


Create an Account Template

The account template provides account input parameters.

To create the account template:

1. Select Requests > Configuration > Account Templates.

2. Click Create Account Template, and then configure as follows:

• Name: <Account Template Name>

• Account Creation Form: Select the form previously created.

Click OK.

3. Click the name of the account template you just created. Configure as follows:

• Click Add Pending Account Parameter, and enter settings:

- Name: Name

- Value: ${User.Email_Address}

Click OK.

• Click Add Parameter, and enter settings:

- Name: Role

- Form Field: <Var1 Name>

Click OK.

Associate the Account Template to the Zendesk Application

You must associate the account template you just created to the Zendesk application so the template can be used for requests for accounts from the application.

To associate the template to the application:

1. Select Resources > Applications.

2. Click <Zendesk App Name>.

3. Click Requests.

4. Click Edit Account Template Associations.

5. Select the <The account template you just created>.

6. Click OK.

7. Set Entitlements Require Account to Yes.

8. Select the Fulfillment Workflow: Default AFX Fulfillment.


Discover and Map the Zendesk Connector in RSA IAM Platform

After you create the Zendesk connector in AFX, you must discover the connector in RSA IAM Platform and map Zendesk attributes to connector command parameters.

Note: The user attributes used in the AFX command mappings must be collected before the commands are executed or the mappings must be modified with other available attributes.

To discover the connector and map the attributes:

1. Select AFX > Map Connectors.

2. Click Discover Connectors From AFX Server.

3. Click Apply Changes.

4. From the AFX Connector Summary window, click <Name of Zendesk connector>.

5. Click the Capabilities tab.

6. Map command attributes as follows:

• AddAccountToGroup

- Group: ${Group.Name}

- Email: ${Account.Name}

• AddGroupToGroup

- GroupName: ${Group.Name}

- ParentGroupName: ${Group.Name}

• CreateAccount

- GivenName: ${User.Name}

- Email: ${Account.Name}

- Verified: true or false

- Role: ${AccountTemplate.Role}

• CreateGroup

- Group: ${Group.Name}

• DeleteAccount

- User: ${Account.Name}

• DeleteGroup

- Group: ${Group.Name}

• DisableAccount

- User: ${Account.Name}

• EnableAccount

- User: ${Account.Name}


• RemoveAccountFromGroup

- User: ${Account.Name}

- Group: ${Group.Name}

• Update Account

- Email: ${Account.Name}

- GivenName: ${User.Name}

7. From the AFX Connector Summary window, click Enable for each command to enable it.

8. Click the General tab, and then click Enable to enable the connector.
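The ServiceNow and Zendesk command mappings in this guide both reference attributes in the ${Object.Attribute} form, and the Note in each Discover and Map section says those attributes must be collected before the commands are executed. The following is an added example, not RSA/Aveksa code, of a check a practitioner can run over a mapping listing before enabling the commands: it parses each parameter value, verifies every reference against a registry of attributes the collectors and templates populate, and also surfaces literal values (such as the <Any password> placeholder) that are stored in the mapping rather than drawn from the request. The mapping text is copied from this chapter's lists; the registry of collected attributes is constructed and must be replaced with the attributes actually defined and collected in your deployment.

```python
"""Check AFX command attribute mappings against the attributes the collectors
and account templates actually provide (this guide's Note: mapped attributes
must be collected before the commands run).  Added example, not RSA/Aveksa
code; COLLECTED is a constructed registry to be replaced with your own."""
import re

# A value is a reference only if it is exactly ${Object.Attribute}.
REF = re.compile(r"^\$\{(\w+)\.(\w+)\}$")

# Constructed registry: object -> attributes available at fulfillment time.
COLLECTED = {
    "Account": {"Name"},
    "Group": {"Name"},
    "ApplicationRole": {"Name"},
    "User": {"User_Id", "Email_Address", "First_Name", "Last_Name"},
    "AccountTemplate": {"Password"},   # ServiceNow account template parameter
}

# Mapping lines as written in this chapter (command, then indented parameters).
# The last command reuses the Zendesk UpdateAccount GivenName mapping.
MAPPINGS = """
CreateAccount
  Email: ${User.Email_Address}
  Firstname: ${User.First_Name}
  Lastname: ${User.Last_Name}
  Password: ${AccountTemplate.Password}
  Username: ${User.User_Id}
ResetPassword
  Password: <Any password>
  UserName: ${Account.Name}
UpdateAccount
  GivenName: ${User.Name}
"""


def parse_mappings(text):
    """Yield (command, parameter, value) from the indented mapping listing."""
    command = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            command = raw.strip()
            continue
        param, _, value = raw.strip().partition(":")
        yield command, param.strip(), value.strip()


def check_mappings(text, collected=COLLECTED):
    """Return a list of (command, parameter, problem) findings."""
    findings = []
    for command, param, value in parse_mappings(text):
        match = REF.match(value)
        if not match:
            findings.append((command, param,
                             "literal value, not a ${Object.Attribute} reference"))
            continue
        obj, attr = match.groups()
        if obj not in collected:
            findings.append((command, param, f"unknown object {obj}"))
        elif attr not in collected[obj]:
            findings.append((command, param, f"{obj}.{attr} is not collected"))
    return findings


if __name__ == "__main__":
    for finding in check_mappings(MAPPINGS):
        print(*finding, sep=" | ")
```

With the registry above, the ServiceNow CreateAccount parameters all resolve, ResetPassword's Password is reported as a literal to review, and the Zendesk-style GivenName mapping is reported because User.Name is not in the constructed registry; add the attribute to the registry (or change the mapping, as the Note suggests) and the finding disappears.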

Bind the Connector to the Zendesk Application

You must associate, or bind, the Zendesk connector to the Zendesk application to implement auto-fulfillment of access request tasks you want completed in the Zendesk system.

To bind the connector to the application:

1. Select Resources > Applications > Zendesk > AFX Connector Binding.

2. Click Edit Connector Binding.

3. Select the Zendesk connector from the drop-down list, and then click OK.

Note: Ensure that the application is associated with either the default AFX fulfillment workflow or a custom version of it.


Index

A

account request forms
  Google Apps 34
  NetSuite 46
  Salesforce 22
  ServiceNow 72
  Zendesk 84

account template
  Amazon Web Services 55
  Google Apps 35
  NetSuite 46
  Salesforce 23
  ServiceNow 73
  Zendesk 85

account template association
  Amazon Web Services 55
  Google Apps 36
  NetSuite 47
  Salesforce 24
  ServiceNow 73
  Zendesk 85

AFX auto-fulfillment connectors
  Amazon Web Services 54
  Google Apps 33
  NetSuite 45
  Salesforce 21
  ServiceNow 71
  Zendesk 83

Amazon Web Services
  account template 55
  application 52
  associate account template to application 55
  bind connector to application 56
  data collectors 52
  entitlement mapping 54
  onboarding with the application wizard 10
  security credentials 52
  set up request fulfillment connector 54

application onboarding wizard 9

D

data collectors
  Amazon Web Services 52
  Google Apps 28, 30
  NetSuite 42
  Salesforce 15
  ServiceNow 63
  Zendesk 79

G

Google Apps
  account request form 34
  account template 35
  application 29
  associate account template to application 36
  attributes 30
  bind connector to application 38
  data collectors 28, 30
  entitlement mapping 33
  onboarding with the application wizard 10
  set up for onboarding 28
  set up request fulfillment connector 33

N

NetSuite
  account request form 46
  account template 46
  application 41
  associate account template to application 47
  attributes 42
  bind connector to application 49
  data collectors 42
  enable web services for AFX auto-fulfillment 45
  onboarding with the application wizard 10
  set up for onboarding 40
  set up request fulfillment connector 45

S

Salesforce
  account request form 22
  account template 23
  application 14
  associate account template to application 24
  attributes 14
  bind connector to application 26
  collected account data mapping 18
  collected group data mapping 19
  data collectors 15
  onboarding with the application wizard 10
  request auto-fulfillment connector 21
  set up for onboarding 14

ServiceNow
  account data mapping 66
  account request form 72
  account template 73
  application 61
  associate account template to application 73
  attributes 62
  bind connector to application 76
  collected group data 67
  data collection limitations 69
  data collectors 63
  entitlement data mapping 68
  onboarding with the application wizard 10
  set up for onboarding 60
  set up request fulfillment connector 71
  system UI views 69
  WS security for a ServiceNow collector 63
  WS security for the ServiceNow instance 60

Z

Zendesk
  account data mapping 81
  account request form 84
  account template 85
  application 78
  associate account template to application 85
  attributes 78
  bind connector to application 87
  collected group data 81
  data collectors 79
  entitlement data mapping 82
  onboarding with the application wizard 10
  set up for onboarding 78
  set up request fulfillment connector 83