permission collection and reconciliation service
Permission Collection and Reconciliation Service (PCRS)
November 2014
Kamal Narayan, Senior Product [email protected]
Rajiv Kumar, Associate Senior [email protected]
#BrainShare #NetIQ7130
© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.
Agenda
• Entitlements and Resources
• Current limitations
• PCRS
• PCRS components
• PCRS flow
• Troubleshooting tips
Entitlements and Resources
Entitlements
Model application permission
IDM Drivers have sample entitlements
Primarily managed by Designer
Sample entitlements may not be readily useful (AD vs JDBC)
Often application integration requires creating entitlements
Primarily used on subscriber channel with IDV as the source of truth
No out of the box solution for onboarding application assignments
Resources
Introduced during RBPM 3.7
Abstraction layer between driver entitlements and Roles.
Curatable, thus people friendly names unlike entitlements, approval workflow
Enables granular assignment status
Management via Designer/UserApplication interface
Bound to one entitlement only, static & dynamic assignments
No out of the box solution for onboarding application assignment
Resource model
Current limitations
Current Limitations
• Application on boarding requires custom
implementation to on-board existing permission
assignments
• Assignment state may quickly get out of sync unless
all permission changes are done from IDM
• Catalogue does not reflect the actual state
• Creating new entitlements is tedious
Current limitations
• Requires changes in multiple locations: resource objects/policies
• Multiple tools/steps required to create a resource associated with an entitlement
• Resource/Entitlement assignments are uni-directional (subscriber only)
PCRS
PCRS – What's new
• Easily create new Entitlements
• Seamless out of the box support for implementing
resource model for IDM drivers
• On-board application permissions and assignments
• Update assignment status changes on both channels
(publisher & subscriber)
• Simplified and quicker application integration
• Comprehensive permission catalogue
• Catalogue shows the actual state
• A common package for use with custom drivers
PCRS - Overview
PCRS components
PCRS components
• Engine changes
• Administrative accounts
• Dynamic and Static Resources
• Packages
• Job
• Access Control List
• GCV Controls
Engine changes: Startup/Shutdown policy containers
• Two new policy containers
• Startup container has policies for performing
initialization tasks
• All run-once policies required at startup can be added
here
• Policies are executed after driver start by the engine.
• Shutdown container can have policies for performing
finalization tasks
• Policies to save state/info that may be needed at driver shutdown
• Policies are executed before stopping the driver.
Engine changes: Startup/Shutdown policy containers
Engine changes: Startup/Shutdown policy containers - Benefits
• Cleaner implementation, easier to debug
• No need to perform checks in content to verify if the driver is up before executing initialization policies
• Run-once policies are outside of normal event-flow containers, reduced tracing
• Shutdown tasks can be performed, which is not possible otherwise.
Engine changes: Resource management APIs
xmlns:ps="http://www.novell.com/nxsl/java/com.netiq.resources.ProvisioningScheduler"
// Provisions users to IDM resources in RBPM and reconciles the permissions of
// the user.
String ReconcilePermissions(String uaUrl, String uaUser, String uaPwd, String recipient, int delay, String payload, boolean debugOn)
// Performs CodeMap Refresh of the Group Entitlement in RBPM
String RefreshCodeMapforGroupEntitlement(String uaUrl, String uaUser, String uaPwd, String recipient, int delay, String payload, boolean debugOn)
// Reconciles resource assignments for groups in RBPM
String ReconcileGroupMemberPermissions(String uaUrl, String uaUser, String uaPwd, String group, int delay, String payload, boolean debugOn)
// Check timestamp and allow grant or revoke if current timestamp is greater
// than or equal to that of the last update in the nrfResource history.
String AllowEntitlementGrantOrRevoke(String uaUser, String recvdEntTimeStamp, String historyPayload, boolean debugOn)
Administrative accounts
• Following administrative accounts are used
– IDV Administrator
– PCRS Administrator
• Password Policy should be assigned to both the
admin users.
• The distribution passwords of these users are used for creating/updating various objects
Administrative accounts: Password policy assignment
Administrative Accounts: IDV administrator/PCRS Administrator - Tasks
IDV administrator
• Job execution
PCRS Administrator
• Resource creation
• Code-map refresh
• Cache flush
• Assign/revoke resources
• Queries to user app
Resources: Dynamic
• Default Configuration – resources created by PCRS
have dynamic values
• Requires creating fewer resources
• Simplifies resource management
• Easy to add/remove values instead of
creating/deleting resources.
Resources: Static
• Access to some resources/permissions may need to be tightly controlled, e.g. financial, business, etc.
• Manually configured
• Catalog administrator can be used for creating static
resources.
• Existing static resources may be added to the
StaticValueEntitlementMap
Packages: Driverset
• New driverset package (NOVLACOMSET) introduced to specify
– User application URL
– Administrative user for performing PCRS actions
Packages: Driverset - screenshot
Packages: Driver
Specialized package
• Active Directory Entitlements and Exchange Mailbox Support Package
• LDAP Entitlements Package
• Delimited Text Entitlements Package
• Loopback Entitlements Package
Common package
• Permission Collection and Reconciliation Service Package [Validated for SOAP driver]
Packages: Driver
• Common Package - NOVLCOMPCRS
Packages: Mapping Table - PermissionNameToFile
• Contains entitlement configuration data specified during package installation in Designer.
Driver objects: Post deployment
Driver objects: Post driver start
Packages: Mapping Table - PermissionEntMapping
• Contains mapping of entitlement and the respective
resource objects.
• Mapping table is empty at deploy time.
Packages: Mapping Table - PermissionEntMapping
• The specified entitlement is created by the driver
startup policies.
Packages: Entitlement object
Packages: Mapping Table - PermissionEntMapping
• The resource object is created by the Job object.
Packages: Mapping Table - StaticValueEntitlementMap
• Contains configuration data for static valued resources
• Mapping table is empty at deploy time.
• Manually populated
• Used for granular control.
Packages: Mapping Table - <Entitlement>_Values
• Contains values for an entitlement if values are specified by a CSV file
#
#CSV File containing entitlement values
#
Building A, Engineering, The engineering building
Building B, Accounting, The accounting building
Building C, Facilities, The facilities building
Building D, Warehouse, The warehouse
Packages: Mapping Table - <Entitlement>_Values
• Created by startup policies to store the entitlement
values.
Packages: Mapping Table - <Entitlement>_Values
• Contains the entitlement values read from the CSV file that provides them.
Job: Permission onboarding
• IDM Job object.
• Configured during driver start-up.
• Admin user account and password automatically
configured by the start-up policies.
• Not scheduled by default
• Executed during driver startup – invoked by startup
policies
Requires appropriate rights on PCRS objects
Job: Permission Onboarding - Tasks
• Reading CSV files containing Entitlement Values and populating <name>_Values objects
• Creating a Dynamic Resource for assigning Entitlement Values to Users
• Populating PermissionEntMapping object with the Resource DN
• Triggering RBPM code-map refresh to recognize the new entitlements and values
Job: Permission onboarding
Access Control List: PCRS Objects
Permission Onboarding Job
[Trustee]
[Entry Rights] → Browse
[All Attributes] → Supervisor
PermissionEntMapping
<ENTITLEMENT>_Values
<ENTITLEMENT>
GCV controls
• PCRS package – reconcile all entitlements
• PCRS package – reconcile select entitlement
GCV controls
• Specialized PCRS entitlement package
PCRS flow
Publisher Channel update
Subscriber channel Attribute assignment
Subscriber channel RBPM assignment
Troubleshooting tips
Troubleshooting tips
• Use the PCRS admin user for PCRS automation only
– Do not perform any modification from the
UserApplication/Aqua UI using this user
– Changes performed by the PCRS admin are vetoed out by the
policy as a part of loopback detection.
• The entitlement attribute name in the entitlement-to-file mapping table should be in the Identity Manager namespace.
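The two guards this deck describes, the timestamp check behind AllowEntitlementGrantOrRevoke and the loopback veto on changes made by the PCRS admin, sketched in Python as an added example (not NetIQ's code). The DNs, the Change record, the history dictionary and all function names are assumptions made for illustration, and the timestamp rule is read here as "the received timestamp is not older than the last recorded update".

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed DN; the real PCRS administrator DN is site-specific.
PCRS_ADMIN_DN = "cn=pcrsadmin,ou=sa,o=system"


@dataclass(frozen=True)
class Change:
    actor: str           # DN of the identity that made the change
    recipient: str       # DN of the user gaining or losing the permission
    entitlement: str     # entitlement name, e.g. "Building"
    value: str           # entitlement value, e.g. "Building A"
    action: str          # "grant" or "revoke"
    timestamp: datetime  # when the change was made (timezone-aware)


def norm_dn(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring spaces around commas.
    Simplification: escaped commas inside an RDN are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def decide(change: Change, history: dict, admin_dn: str = PCRS_ADMIN_DN):
    """Return (allowed, reason) for one incoming change.

    history maps (recipient, entitlement, value) -> datetime of last update.
    """
    if change.action not in ("grant", "revoke"):
        return False, "unknown-action"
    # Loopback detection: the automation account's own writes are vetoed.
    if norm_dn(change.actor) == norm_dn(admin_dn):
        return False, "loopback"
    key = (norm_dn(change.recipient), change.entitlement, change.value)
    last = history.get(key)
    # Timestamp rule: allow only if not older than the last recorded update.
    if last is not None and change.timestamp < last:
        return False, "stale"
    return True, "ok"


def reconcile(changes, history=None, admin_dn=PCRS_ADMIN_DN):
    """Apply changes in arrival order; return (decisions, updated history)."""
    history = dict(history or {})
    decisions = []
    for ch in changes:
        allowed, reason = decide(ch, history, admin_dn)
        if allowed:
            key = (norm_dn(ch.recipient), ch.entitlement, ch.value)
            history[key] = ch.timestamp
        decisions.append((ch.action, ch.value, reason))
    return decisions, history


def at_minute(minute: int) -> datetime:
    return datetime(2014, 11, 3, 9, minute, tzinfo=timezone.utc)


# Constructed sample events, arriving out of order.
USER = "cn=jdoe,ou=users,o=data"
HELPDESK = "cn=helpdesk,ou=sa,o=system"
SAMPLE = [
    Change(HELPDESK, USER, "Building", "Building A", "grant", at_minute(10)),
    # Manual edit made while logged in as the PCRS admin (DN in a different case).
    Change("CN=PCRSAdmin, OU=sa, O=system", USER, "Building", "Building A",
           "grant", at_minute(11)),
    # Older than the grant already recorded, so it must not undo it.
    Change(HELPDESK, USER, "Building", "Building A", "revoke", at_minute(5)),
    # Equal timestamp is allowed (greater than or equal).
    Change(HELPDESK, USER, "Building", "Building A", "revoke", at_minute(10)),
    # No history for this value yet.
    Change(HELPDESK, USER, "Building", "Building B", "grant", at_minute(1)),
]

if __name__ == "__main__":
    for row in reconcile(SAMPLE)[0]:
        print(row)
```

The second sample event shows why the tip above matters: a manual edit made as the PCRS admin looks the same as the automation's own write and is dropped.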
Troubleshooting tips
• Job does not execute at driver startup
– Verify that password policies are enabled and the Identity Vault administrator has an assignment.
– Check that the Identity Vault administrator’s password has been set after enabling the password policy.
• Resource assignment not working
– Check the status of the “User Application” and “Role and
Resource” service drivers. The drivers should be in running
state.
Troubleshooting tips
• Permission on boarding job does not update the
catalogue for assignment changes
– Verify that password policy is enabled and the PCRS
administrator has an assignment.
– Verify that the correct connection values are provided in the
driverset advanced common settings package.
– Verify that the PCRS administrator has resource management
rights.
Is Permission Collection and Reconciliation GCV enabled?
Troubleshooting tips
• Steps to clean-up PCRS objects and resources
– Stop the driver
– Using User Application UI, delete all the resources specified in
the “PermissionEntMapping” mapping table under the
“resourceDn” column
– Delete all the “<entitlement>_values” objects under the driver
objects
– Delete the entitlements specified in the “entitlementDn”
column of the “PermissionEntMapping” mapping table
– Delete the entries of the “PermissionEntMapping” mapping
table
Thank you.
Don’t miss the Identity-Powered Experience in IT Central.
+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
[email protected]
Worldwide Headquarters
515 Post Oak Blvd., Suite 1200
Houston, TX 77027 USA
www.netiq.com/communities
This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein. These changes may be incorporated in new
editions of this document. NetIQ Corporation may make improvements in or changes to the
software described in this document at any time.
Copyright © 2014 NetIQ Corporation and its affiliates. All Rights Reserved.
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the
cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration
Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy
Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit,
PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite,
Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ
Corporation or its subsidiaries in the United States.