DEV Community

hediyeh kianmehr

Onboarding Technical Guide

Overview

This guide describes the technical steps to onboard a new user into Irancell IAM.
Onboarding ensures that the user’s identity, roles, and entitlements are created and synchronized across Irancell IAM and connected systems (e.g., Active Directory, LDAP, HRMS, or application databases).

Key objectives:

  • Define attribute mappings for users and groups.
  • Apply validation and transformation rules.
  • Test user creation and synchronization.
  • Verify expected results and troubleshoot common issues.

Input:

  • Managed system connection details (host, port, credentials, protocol).
  • Attribute mapping rules (Irancell IAM ↔ target system).
  • Business rules (validation & transformation scripts).
  • User data (HR feed or manual entry).
  • Provisioning configuration (roles, entitlements, policies).

Output:

  • User accounts created and synchronized in the target system.
  • Groups and entitlements mapped and provisioned correctly.
  • Validation rules enforced (e.g., unique email).
  • Transformation rules applied (e.g., generated login ID).
  • Logs and audit trails confirming provisioning events.

The audience is Irancell IAM administrators, system integrators, and support engineers.


1. Managed System Configuration

Steps to configure a managed system:

1. Login as Irancell IAM Administrator in the Irancell IAM Web Console.
2. Navigate to Administration → Provisioning → Managed Systems.
3. Click New to create a managed system and fill in:

  • Name: Unique identifier (e.g., AD_Prod).
  • Connector Type: AD, LDAP, DB, etc.
  • Connection Details: Host/URL, Port, Protocol (LDAPS/JDBC), Credentials / Bind DN.
  • Synchronization Options: Enable reconciliation or scheduled sync.

4. Save the configuration and test the connection.

Best Practice: Use a service account with minimum privileges required for provisioning.

Checklist

  • Irancell IAM Administrator access verified.
  • Managed system created in Irancell IAM Web Console.
  • Connection details (host, port, protocol, credentials) configured.
  • Connection test successful.
  • Reconciliation or scheduled sync enabled.

2. Attribute Mapping

Define how Irancell IAM attributes map to target system attributes.

Mappings ensure that user, group, and entitlement data are consistent across systems.

Example – User Attribute Mapping (Active Directory)

| Irancell IAM Attribute | AD Attribute | Rule / Note |
|---|---|---|
| firstName | givenName | Direct mapping |
| lastName | sn | Direct mapping |
| displayName | displayName | First + Last Name |
| email | mail | Must be unique |
| employeeId | employeeID | From HR feed |
| status | userAccountControl | Controlled via enable/disable |
| phone | telephoneNumber | Optional mapping |
| department | department | From HR or organizational feed |
| title | title | From HR or application attribute |
| login | sAMAccountName | Generated by transformation script |

Example – Group Mapping

| Irancell IAM Attribute | AD Attribute | Rule / Note |
|---|---|---|
| groupName | cn | Direct mapping |
| description | description | Optional |
| members | member | Multi-valued, contains user DNs |
| status | groupType | Used to enable/disable groups |

Example – Entitlement Mapping

| Irancell IAM Attribute | Target System Attribute | Rule / Note |
|---|---|---|
| roleName | AD Group / LDAP Role | Maps Irancell IAM role to AD security group |
| entitlementId | objectGUID | Unique system identifier |
| assignment | memberOf | Links users to roles/groups |

Configuration Steps:

  1. Go to Administration → Provisioning → Policy Map.
  2. Select the managed system created earlier.
  3. Define mappings for:
    • User attributes
    • Group attributes
    • Entitlement/role attributes
  4. Save and validate configuration.

Best Practice: Always test attribute mapping with a sample user before enabling large-scale synchronization.

Checklist

  • User attribute mappings defined.
  • Group attribute mappings defined.
  • Entitlement/role mappings defined.
  • Sample user tested for mapping accuracy.

3. Validation & Transformation Scripts

Irancell IAM allows validation scripts to enforce business rules. For example, to ensure that every user has an email address:

Validation Example – Ensure Email Exists

```groovy
// Validation script run for each synchronized record: columnMap holds the
// attributes of the input record, pUser is the user being provisioned.
def attrVal = columnMap.get("mail")
if (attrVal) {
    println("mail from ad: " + attrVal.value)
    // Build the user's primary, default, active e-mail address from the record
    def emailAddress = new EmailAddress()
    emailAddress.name = "PRIMARY_EMAIL"
    emailAddress.default = true
    emailAddress.active = true
    emailAddress.emailAddress = attrVal.value
    emailAddress.mdTypeId = "PRIMARY_EMAIL"
    addUserEmailAddress(pUser, emailAddress)
} else {
    // No mail attribute in the record: log it so the gap is visible in the logs
    println("mail attribute was not found")
}
```

Steps:

  • Checks if the mail attribute exists in the input record.
  • Creates a primary email for the user if present.
  • Logs a warning if the email is missing.
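As an added example (not the product's own code, and in Python rather than the Groovy the Web Console runs), the following models the user mapping table from section 2 together with the validation and transformation rules of this section: the direct mappings, the unique-mail check, a generated sAMAccountName that respects AD's 20-character limit (the login generation the mapping table and Q6 refer to), and the status → userAccountControl mapping behind the "account created but disabled" entry in Troubleshooting. The function names, the login format and the sample HR feed are assumptions.

```python
import re
# AD userAccountControl bits (documented Microsoft values, not constructed).
NORMAL_ACCOUNT, ACCOUNTDISABLE = 0x0200, 0x0002   # 512; 512 | 2 == 514 == disabled
SAM_MAX_LEN = 20                                   # AD limit for a user sAMAccountName
class MappingError(ValueError):
    """Record violated a validation rule; it must not be provisioned."""
def generate_login(first, last, existing):
    """Transformation (assumed format): first initial + surname, ASCII lower-case, <=20 chars, numeric suffix until unique."""
    base = re.sub(r"[^a-z0-9]", "", (first[:1] + last).lower())[:SAM_MAX_LEN]
    if not base:                                  # e.g. a name with no ASCII letters
        raise MappingError("cannot derive login from empty name")
    login, n = base, 1
    while login in existing:                      # sahmadi -> sahmadi2
        n += 1
        login = base[:SAM_MAX_LEN - len(str(n))] + str(n)
    return login
def map_user(rec, seen_mail, seen_login):
    """Apply the IAM -> AD user mapping table to one HR record."""
    mail = (rec.get("email") or "").strip().lower()
    if not mail:
        raise MappingError("email missing")             # validation rule
    if mail in seen_mail:
        raise MappingError("duplicate email " + mail)   # validation rule
    uac = NORMAL_ACCOUNT | (0 if rec["status"] == "ACTIVE" else ACCOUNTDISABLE)  # non-ACTIVE -> disabled
    login = generate_login(rec["firstName"], rec["lastName"], seen_login)
    seen_mail.add(mail); seen_login.add(login)
    return {"givenName": rec["firstName"], "sn": rec["lastName"],
            "displayName": rec["firstName"] + " " + rec["lastName"],
            "mail": mail, "employeeID": rec["employeeId"],
            "userAccountControl": uac, "sAMAccountName": login}
def provision_feed(records):
    """Map a whole feed; a rejected record is reported, not silently dropped."""
    mapped, errors, seen_mail, seen_login = [], [], set(), set()
    for rec in records:
        try:
            mapped.append(map_user(rec, seen_mail, seen_login))
        except MappingError as e:
            errors.append((rec["employeeId"], str(e)))
    return mapped, errors
# Constructed sample HR feed (not real data): a login collision, a duplicate mail differing only in case, a terminated employee.
HR_FEED = [
    {"employeeId": "E1001", "firstName": "Sara", "lastName": "Ahmadi", "email": "sara.ahmadi@example.com", "status": "ACTIVE"},
    {"employeeId": "E1002", "firstName": "Sina", "lastName": "Ahmadi", "email": "sina.ahmadi@example.com", "status": "ACTIVE"},
    {"employeeId": "E1003", "firstName": "Reza", "lastName": "Karimi", "email": "Sara.Ahmadi@example.com", "status": "ACTIVE"},
    {"employeeId": "E1004", "firstName": "Mina", "lastName": "Rostami", "email": "mina.rostami@example.com", "status": "TERMINATED"},
]
```

Running `provision_feed(HR_FEED)` yields three mapped accounts (the second Ahmadi gets `sahmadi2`, the terminated employee gets userAccountControl 514) and one rejected record for the duplicate e-mail, which is the outcome the validation rule should produce before anything reaches the connector.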

Checklist

  • Validation scripts created and attached.
  • Transformation scripts created and attached.
  • Sample input tested for correct output.

4. Test User Creation

  1. Navigate to Administration → User Management → New User.
  2. Fill in required attributes (First Name, Last Name, Email, Login ID).
  3. Assign a role (e.g., Employee_Default).
  4. Save the user.
  5. Monitor provisioning logs:
    • Audit Log Viewer → search for user events.
    • Check connector response for success/failure.

Checklist

  • Test user created in Irancell IAM.
  • Role and entitlements assigned.
  • Provisioning logs verified for success.

5. Expected Results

  • User is created in Irancell IAM.
  • User account is provisioned in the target system.
  • Attributes match mapping rules.
  • Business rules (scripts) are applied.
  • Audit logs confirm provisioning success.

6. Troubleshooting

| Issue | Cause | Resolution |
|---|---|---|
| User not created in target system | Connector error / mapping missing | Check policy map, connector config, logs |
| Duplicate email error | Validation script failure | Correct input data or adjust script |
| Account created but disabled | Status attribute misconfigured | Verify status mapping |
| Provisioning delayed | Scheduler not triggered | Restart scheduler service |
| Script errors | Groovy syntax issue | Review logs, fix, redeploy script |

Logs to Check:

  • Audit Log Viewer (Web Console).
  • Connector logs (RabbitMQ messages).
  • Application logs: /opt/openiam/logs/.

Checklist

  • Audit logs checked for user events.
  • Connector logs reviewed for errors.
  • Any script errors corrected and redeployed.

Frequently Asked Questions (FAQ)

Q1: What credentials should I use for the managed system?
A: Use a service account with minimum privileges required for provisioning (read/write where needed).

Q2: How do I handle duplicate email errors?
A: Check the validation scripts and correct input data. Ensure uniqueness in the source system.

Q3: Why is my user account disabled after provisioning?
A: Verify the status attribute mapping. The target system may disable accounts by default if misconfigured.

Q4: Can I test mappings without affecting real users?
A: Yes, always test with a sample user before enabling full-scale synchronization.

Q5: Where can I find provisioning logs?
A:

  • Audit Log Viewer (Web Console)
  • Connector logs (RabbitMQ messages)
  • Application logs: /opt/openiam/logs/

Q6: How do I apply transformation rules like login ID generation?
A: Use Groovy scripts under Administration → Scripts → Transformation, attach them to the policy map, and test with sample input.

Q7: What if the scheduled synchronization does not trigger?
A: Check that the scheduler service is running and restart if needed. Also verify the synchronization schedule in the managed system configuration.
