
What is supporting data reconciliation in ITIM?

While studying Reconciliation I had one doubt related to 'supporting data reconciliation'.

-> I want to know what supporting data reconciliation is and how it is different from performing normal reconciliation?

-> Why is it advised to perform supporting data reconciliation separately?

Also, in the manual it says "It includes group configuration information which contains key information about access privileges on the resource. Bringing back the group data ahead of time allows policies to be configured promptly before accounts are reconciled, so that the policies can be enforced."

-> What exactly do the above lines mean?

Supporting Data reconciliation does not bring back / evaluate accounts from the managed resource. It only brings back group information. Since most of the time your accesses will be basically group memberships, having this information will allow you to define accesses in ITIM. A normal reconciliation brings back both group information and accounts from the target system and possibly enforces policy evaluation for each account.

The reason that it is advised to do the group reconciliation separately is that since it can possibly affect the access definitions you have, you would want to have this in place before you actually reconcile the accounts and evaluate the policies that apply to them.

To give you a solid example, you might have an LDAP service, where an LDAP server is your managed system. In this LDAP server you have configured 2 groups, GrpA and GrpB, and you want to control membership to these groups. First you will do a Supporting Data reconciliation for your LDAP service and those groups will become known to ISIM. You can now go to Manage Groups in the ITIM console and enable these groups as accesses in ITIM. (If you haven't done the reconciliation of supporting data before, then ISIM would not be aware of the groups in the target system.)

Another example is when you want to have these group memberships as entitlements in Provisioning Policies. After you have reconciled supporting data, you can go and create a new Provisioning Policy with the group membership as entitlement. Then, depending on whether the entitlement is automatic or manual, the users will get provisioned this access.
