Create Endpoints
Create an endpoint to perform account-related actions directly on the endpoint accounts without using interim objects such as provisioning roles.
Example: Active Directory groups can be assigned directly to an account without having to configure tasks/target permission/provisioning roles/entitlements catalog in CA Identity Portal and CA Identity Manager.
Ensure that the following prerequisites are met before creating an endpoint:
- Configure an endpoint in CA Identity Manager.
- Validate that the Endpoint is supported.
Validate that Endpoint is Supported
The CA Identity Portal Endpoint Account Management enables you to add/remove endpoint entitlements. To validate that your endpoint is supported by this functionality, use the following procedure.
Follow these steps:
- Validate that the Endpoint Roles and Tasks are installed in your CA Identity Manager environment.
- In the CA Identity Manager UI, locate the “Modify <endpoint type> Account” Task using the View Admin Task.
- Click Tabs.
- Locate the tab which represents the Endpoint entitlement that you want to expose. Example: In Active Directory, the Groups tab represents the Active Directory groups entitlement.
- Validate that the tab is of the Relationship type.
- Click Edit on the tab to view its definition.
- Validate that the search screen is of the Endpoint Capability Search type.

Create an Endpoint in CA Identity Portal
Use the following procedure to create an endpoint in the CA Identity Portal Admin UI.
Follow these steps:
- Navigate to the Admin UI.
- Click Elements, Endpoints, Create.
- In the Details tab, specify the following values. This tab configuration lets the end user see the endpoint accounts.
  - Select the connector in which the endpoint can be found (the CA Identity Manager connector).
  - Select the endpoint type from the available endpoints that are configured in CA Identity Manager. Prerequisite: The admin user defined in the connector configuration has the rights to execute the Modify Endpoint task.
  - Specify a name for the endpoint configuration. The name is not displayed but is used to describe all endpoints that have this configuration. Example: Corporate Active Directories
- Click the Entitlements tab. This tab configuration lets the end user see and modify the entitlements for the endpoint account (Example: group membership in AD).
  - Click Add Entitlement.
  - Specify a name for the entitlement type. The entitlement name is the display name for the entitlements when an account is selected in the entitlements tree.
  - Select a form to be displayed and triggered when adding/removing an entitlement. You must first configure a task which is used to add/remove that entitlement. The task that is used must be adequate to perform that operation. For example: the Modify Active Directory Account task is suitable to add/remove AD groups but the Modify User task is not. After you have configured the task, link the form to that task. This version only supports an empty form (a form with no props) for entitlements.
  - Select a task to view/search the entitlements (you must first configure the task in CA Identity Portal; the already configured modify account task is sufficient).
  - Select an entitlement type backend name – this is the entitlement object type in the connected system. Example: ActiveDirectoryAccountGroups when you want the entitlements that are in AD Groups.
  - If a search filter on the entitlements is required, add search rules. Search rules enable you to define which entitlements a user can request. Example: You can configure that users from department IT are only able to request entitlements that contain the word IT.
    - Name – a descriptive name for the search rule. Example: IT users
    - Priority – the lowest priority rule is evaluated first. Rules work on a first-match, first-served basis.
    - Expression – defines the logic on which the search rule matches. You can define the logic on the requester or on the target user, for example, Requester Department Equals IT.
    - Filters – the filter defines the population of entitlements that the user can act upon. These are search rules that encapsulate what the user is searching for. If left empty, the user can search and request all entitlements under this category. The available filter attributes are fetched from the search attributes of the entitlement search screen. To add more search attributes, modify the search screen in CA Identity Manager. Example: If you want to filter available AD groups by the group description, go to the Modify Active Directory Account task, switch to the Groups tab, click Edit on the search screen and add more search attributes (ensure that you add the attribute to both the searchable attributes and the search results). Note: You must always define at least one search rule. That search rule can contain default configuration which enables all users with that task in scope to request access to all users. To perform that configuration, add a search rule that has "true" in the expression and no search filters.
- Click the Account Attributes tab. This tab configuration lets the end user see additional account information when hovering over an account name in the entitlements section. The available attributes are fetched from the Account Information Task configured under the General tab.
  - Click Add Attribute.
  - Specify a display name for the attribute and select an available account attribute from the list.
- Click the Instances tab. This tab configuration controls which endpoint instances CA Identity Portal applies this configuration on. This means that CA Identity Portal fetches the account, displays the account information, and enables requesting entitlements as configured in the previous steps on the endpoint instances that are configured in this tab.
  - Select either All Instances or Select Instances.
- Click Create. The Endpoint is created.
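
How search-rule order and the default "true" rule interact, as an added example (a simplified Python model written for this page, not CA Identity Portal code). It assumes that a lower priority number is evaluated first and that each filter is a substring match on an entitlement attribute; `SearchRule`, `requestable`, `shadowed_rules` and the sample data are hypothetical names and constructed values.

```python
# Added illustration: simplified model of search-rule evaluation, not product code.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class SearchRule:
    name: str
    priority: int                       # assumption: lower number is evaluated first
    expression: Callable[[dict], bool]  # stands in for the rule's Expression
    filters: dict = field(default_factory=dict)  # attribute -> required substring

def matching_rule(rules, requester) -> Optional[SearchRule]:
    """First match, first served: return the first rule whose expression holds."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.expression(requester):
            return rule
    return None

def requestable(rules, requester, entitlements):
    """Names of the entitlements the requester can search for and request."""
    rule = matching_rule(rules, requester)
    if rule is None:
        return []
    # Empty filters mean every entitlement in the category is requestable.
    return [e["name"] for e in entitlements
            if all(sub in e.get(attr, "") for attr, sub in rule.filters.items())]

def shadowed_rules(rules, sample_requesters):
    """Rules that never win for any sample requester their expression matches."""
    shadowed = []
    for rule in rules:
        hits = [r for r in sample_requesters if rule.expression(r)]
        if hits and all(matching_rule(rules, r) is not rule for r in hits):
            shadowed.append(rule.name)
    return shadowed

# Constructed sample data (not taken from any real directory).
GROUPS = [{"name": "IT Admins"}, {"name": "IT Helpdesk"}, {"name": "Finance Approvers"}]
IT_USER = {"department": "IT"}
HR_USER = {"department": "HR"}

it_rule = SearchRule("IT users", 10, lambda u: u["department"] == "IT", {"name": "IT"})
# Default rule from the Note: "true" expression and no filters.
GOOD_ORDER = [it_rule, SearchRule("Default", 100, lambda u: True)]
# Same rules, but the catch-all is evaluated before the restrictive rule.
BAD_ORDER = [it_rule, SearchRule("Default", 1, lambda u: True)]
```

With `BAD_ORDER` the catch-all rule matches first, so the IT filter never applies and `shadowed_rules` reports "IT users"; running such a check over an exported rule set shows where a restrictive rule has no effect.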