IBM Security Verify Access Connector
EmpowerID IBM Security Verify Access connector allows organizations to bring the user data (user accounts, groups, group membership, and organizational units in their IBM Security Verify Access system to EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories.
Connector Architecture Overview
The connector is a bi-directional connector that uses the SCIM 2.0 protocol to communicate with a microservice known as the “TAM SCIM Microservice” for inventory and write-back functionality of IBM Security Verify Access users, groups, group memberships, and organizational units. The connector authenticates to the microservice using one of the below options:
Azure Authentication – This option should be used when the SCIM Microservice is deployed to Azure.
EmpowerID Authentication
Communications model
The microservice makes the first call to LDAP to get the LDAP entries using the filter provided by the connector. The call to LDAP is made to support incremental inventory and custom LDAP filters. Once the LDAP entries are returned to the microservice, it uses Registry Direct API to get entries common to LDAP and IBM systems.
Inventory
The connector supports both full and incremental inventory. When inventory is first enabled, the connector completes a full inventory of IBM Security Verify Access to sync all accounts, groups, group memberships, and OUs. On subsequent runs, inventory brings in modified objects only.
Account Inventory
Inventory IBM Security Verify Access accounts as EmpowerID accounts. All user accounts are added to the account table in the EmpowerID Identity Warehouse.
The connector supports both full and incremental inventory for accounts.
Each time full inventory runs, the connector syncs all accounts in the external system to EmpowerID.
Full Inventory uses an LDAP filter with attribute
uidto get all the accounts from IBM Security Verify Access. This attribute value is configurable and can be modified by modifying the setting 'FilterParameterForAccount' on the Configuration Parameters tab on Resource System page.Incremental inventory uses an LDAP filter with attributes
createTimestampandmodifyTimestampto bring only the accounts modified after the last run.Any updates made to the user on the external system are synced to the corresponding EmpowerID account.
If a user is disabled on the external system, EmpowerID marks the account as deleted and sets the deleted date on the account. The account is only marked as deleted when the CheckForDeletedObjectsEnabled setting is turned on.
‘principalname’ attribute of the external system is used as the primary key and is synched to systemIdentifier column in the Account table.
The connector runs a full inventory after a configurable number of times for accounts. This allows the connector to be in sync with the external system even if something was missed during an incremental inventory. The name of the setting is ‘RunFullInventoryAfterXRuns’ and can be found on the Configuration Parameters tab on Resource System page. The default value is set to 20 meaning after 20 incremental inventory the connector will trigger a full inventory.
Inventoried User Account Attributes
The below table lists the LDAP/TAM attributes that are inventoried out of the box by the connector. Attributes in LDAP/TAM map to SCIM attributes, which then map to EmpowerID Person attributes.
LDAP/TAM Attributes | SCIM Atrributes | EmpowerID Attributes |
carLicense | carLicense | carLicense |
departmentNumber | departmentNumber | departmentNumber |
description | description | description |
displayName | displayName | Displayname |
employeeNumber | ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['EmployeeNumber'] | EmployeeId |
employeeType | userType | Usertype |
facsimileTelephoneNumber | phoneNumbers [ Type : “fax”, value] | Fax |
givenName | name.givenName | First Name |
homePhone | phoneNumbers [ Type : “home”, value] | HomePhone |
initials | initials | initials |
l | city | City |
emails[?(@.type=='work')].value | ||
manager | ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value'] | MANAGER DISTINGUISHED NAME |
mobile | phoneNumbers [ Type : “mobile”, value] | MobileNumber |
pager | pager | Pager |
physicalDeliveryOfficeName | addresses[?(@.type=='other')].formatted [street address] | Street address |
postalCode | addresses[?(@.type=='work')].postalCode | PostalCode |
preferredLanguage | preferredLanguage | preferredLanguage |
roomNumber | roomNumber | Room number |
state | State | |
street | street | street address2 |
streetAddress | addresses[?(@.type=='work')].streetAddress | Street addess |
telephoneNumber | phoneNumbers [ Type : “telephone”, value] | telephoneNumber |
title | title | JobTilte |
sn | name. familyName | Lastname |
principleName | userName | LogonName |
ObjectClass | ObjectClass | ObjectClass |
principleName | Id | SystemIdentifier |
Group Inventory
The IBM Security Verify Access groups are inventoried in the EmpowerID Group table by the inventory job.
The connector supports both full and incremental inventory for Groups.
Every time the full inventory runs, the connector syncs all the groups and group membership from the external system to EmpowerID.
Full Inventory uses an LDAP filter with attribute ‘cn’ to get all the groups and group membership from IBM Security Verify Access. This attribute value is configurable and can be modified by modifying the setting ‘FilterParameterForGroup’ on the Configuration Parameters tab on Resource System page
Incremental inventory uses an LDAP filter with attributes ‘createTimestamp’ and ‘modifyTimestamp’ to bring only the groups and memberships of those groups modified after the last run.
Any updates made to the group on the external system will be synced to EmpowerID group.
If a group is disabled on the external system, EmpowerID will mark the group as deleted and set the deleted date on the group. This group will only be marked as deleted if the CheckForDeletedObjectsEnabled setting is turned on.
‘principalname’ attribute of the external system is used as the primary key and is synched to systemIdentifier column in the Group table.
The members attribute of each group is inventoried in the EmpowerID GroupAccount table. The group membership is always a full inventory i.e., all the members for a group will be synched when a group is inventoried. To view the membership on the UI, Navigate to Identity Administration -> Group. Click on the IBM group -> Scroll down and click on Group Members tab.
Inventoried Group Attributes
The below table lists the group attributes that are inventoried out of the box by the connector. Attributes in LDAP/TAM map to SCIM attributes, which then map to EmpowerID group attributes.
LDAP/TAM Group Attributes | SCIM Atrributes | EmpowerID Group Attributes |
groupNativeId | groupNativeId | DistinguishedName |
groupId | Id | SystemIdentifier |
cn | cn | FriendlyName |
description | description | Description |
ObjectClass | ObjectClass | ObjectClass |
members | members | Group Account Table |
Organizational Unit Inventory
The IBM Security Verify Access Ous are inventoried in the EmpowerID ExternalOrgZone table by the inventory job.
The connector supports both full and incremental inventory for Organizational units.
Every time the full inventory runs, the connector syncs all the organizational units from the external system to EmpowerID. Internally the connector creates corresponding EmpowerID orgzones if ‘InventoryAutoProvisionOrgZones’ setting on the resource system is turned on.
Full Inventory uses an LDAP filter with attribute ‘cn’ to get all the organizational units from IBM Security Verify Access. This attribute value is configurable and can be modified by modifying the setting ‘FilterParameterForOU’ on the Configuration Parameters tab on Resource System page.
Incremental inventory uses an LDAP filter with attributes ‘createTimestamp’ and ‘modifyTimestamp’ to bring only the organizational units modified after the last run.
Any updates made to the ou on the external system will be synced to EmpowerID external org zone.
If an ou is disabled on the external system, EmpowerID will mark the external Org Zone as deleted and set the deleted date on the group. This ou will only be marked as deleted if the CheckForDeletedObjectsEnabled setting is turned on.
The full ou path of the external system is used as the primary key and is synched to systemIdentifier column in the External OrgZone table.
Inventoried OU Attributes
The below table lists the OU attributes that are inventoried out of the box by the connector. Attributes in LDAP/TAM map to SCIM attributes, which then map to EmpowerID OU attributes.
LDAP/TAM Attributes | SCIM Atrributes | EmpowerID Attributes |
OU Path | Id | SystemIdentifier |
ObjectClass | ObjectClass | ObjectClass |
description | description | Description |
l | city | City |
st | state | StateProvince |
postalCode | addresses[?(@.type=='work')].postalCode | PostalCode |
postOfficeBox | postOfficeBox | ExtensionAttribute2 |
facsimileTelephoneNumber | phoneNumbers [ Type : “fax”, value] | ExtensionAttribute6 |
postalAddress | postalAddress | ExtensionAttribute4 |
postalCode | addresses[?(@.type=='work')].postalCode | PostalCode |
registeredAddress | registeredAddress | ExtensionAttribute3 |
street | street | AddressLine1 |
streetAddress | addresses[?(@.type=='work')].streetAddress | ExtensionAttribute1 |
telephoneNumber | phoneNumbers[?(@.type=='telephone')].value | PhoneNumber |
telexNumber | telexNumber | ExtensionAttribute5 |
ou | ou | Name |
OU Path | dn | Path |
Next Steps
Connect to IBM Security Verify Access