Beginner’s Guide to Provisioning Server Object Associations (Inclusions)

Article By: Adarian Dunmeyer

The Provisioning Server is the LDAP server that manages additional accounts that are assigned to an Identity Manager user. The Provisioning Server also contains provisioning roles and account templates that create and manage global users across Identity Manager to endpoint accounts. There are two ways that the Provisioning Server creates and maintains relationships between these objects: 

  • Non-Inclusion Object Associations
  • Inclusion Object Associations

Needs to Know

  • Global Users are the Users that are stored in the Provisioning Manager that are associated to Identity Manager users in the corporate user store. 
  • Endpoints are the endpoint programs and applications that are managed by the provisioning server, such as Active Directory, Oracle, Amazon AWS, etc.
  • Account Templates are the objects that are given to global users to define the accounts that exist in managed endpoints. 
  • Provisioning Roles can be comprised of more than one Account Template and can be given to a global user to create and manage multiple endpoint accounts for the user. 
  • The relationship between Global Users, Provisioning Roles, Account Templates, and Endpoints can be expressed as by the diagram:

  • Every object in the Provisioning Server has a value called a UUID that is used as a reference to link objects together. These values are stored in the eTID attribute on the Provisioning Server, and as objects are deleted and re-created, new UUID values are generated and stored in the eTID attributes. Moving data from one installation to another is problematic since the eTID values may not be correct.
  • Non-Inclusion Object Associations have the relationship between objects store directly on the object, such as the following:
    • Global Users that have Provisioning Roles have the association stored in the eTRoleDN attribute.
    • Endpoints that have default account templates have the association stored in the eTDefaultPolicyDN attribute.
    • Endpoint accounts that have account templates have the associated stored in the eTPolicyDN attribute.
  • The view from an LDAP Browser is shown below. Here you can see that the eTRoleDN stores the Provisioning Role association on the Global User.
  • Inclusion Object Associations use a third object called an Inclusion Object that will link a parent object, known as SuperiorClass to its child object, known as SubordinateClass. Inside the Inclusion object are two values, eTPID and eTCID, that store the parent and child’s eTID value objects, respectively; The Inclusion object will be named in the format of [email protected] and also contain an eTID of its own. It can be expressed by the diagram below:
  • Some of inclusion object associations include:
    • Account Templates to Endpoints
    • Global users to Endpoint Accounts
    • Provisioning Roles to Account Templates
  • In the Provisioning Server, the Inclusions container branch stores those inclusions in a DIT structure as shown below:
  • The view from an LDAP Browser is shown below. Here you can see that the SubordinateClass is an Account Template, and the SuperiorClass is a Provisioning Role.

General FAQs

  1. Can I export data out of one system and import it into another?

It is not as simple as it sounds; UUIDs are randomly generated upon each association and stored in the eTID attribute. You may need to remove the eTID values from objects before sending them into the Provisioning Server so that it can create all new UUID values and re-build all the various associations. 

  1. What should I do when my endpoint is decommissioned?

It is recommended that to remove an endpoint, you must delete the acquired Endpoint object which will then handle the cleanup. If this is not done, you have to manually delete the endpoint from the Provisioning Repository, remove any reference of the Endpoint from Templates, and remove any “Global Users to Accounts” inclusions that point to that endpoint.

  1. Inside of Provisioning Manager, when I right-click on my Provisioning Global User to List Accounts I see accounts that cannot be accessed, now what?

If accounts cannot be accessed, it is possible they were moved/deleted on the native endpoint system. Try running an Explore/Correlate for the endpoint and hopefully that will clear up the data/inclusions. 

  1. Inside of Provisioning Manager, when I right-click on my Provisioning Global User to List Accounts, I see duplicate accounts or I still have accounts listed that the Explore/Correlate did not clear up, what does this mean?

It is possible that they are “orphaned” inclusions, where something has gone wrong and the inclusions reference invalid eTPID or eTCID values. This will require manual clean up to find and delete those inclusion objects.

Summary of Provisioning Server Object Associations (Inclusions)

Inclusion objects work behind the scenes to maintain dynamic relationships in the Provisioning Server. They are very tricky to deal with though when manually changing the UUIDs, and any mistakes can easily break the relationships. However, by understanding the way in which Provisioning Server shows the relationships, you will be able to have an idea on how to troubleshoot any correlation issues on the provisioning server.

Looking for additional help with provisioning inclusions? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Symantec Identity Manager and general identity management. Take your interoperability to the next level, and contact an ISX consultant today.


ISXBeginner’s Guide to Provisioning Server Object Associations (Inclusions)

Leave a Reply

Your email address will not be published. Required fields are marked *