Create Endpoints

Create an endpoint to perform account-related actions directly on the endpoint accounts without using interim objects such as provisioning roles.
Example: Active Directory groups can be assigned directly to an account without having to configure tasks/target permission/provisioning roles/entitlements catalog in CA Identity Portal and CA Identity Manager.
Ensure that the following prerequisites are met before creating an endpoint:
  1. Configure an endpoint in CA Identity Manager.
  2. Validate that the Endpoint is supported.
Validate that Endpoint is Supported
The CA Identity Portal Endpoint Account Management enables you to add/remove endpoint entitlements. To validate that your endpoint is supported by this functionality, use the following procedure.
Follow these steps:
  1. Validate that the Endpoint Roles and Tasks are installed in your CA Identity Manager environment.
  2. In the CA Identity Manager UI, locate the “Modify <endpoint type> Account” task using the View Admin Task.
  3. Click Tabs.
  4. Locate the tab that represents the Endpoint entitlement that you want to expose.
    Example: In Active Directory, the Groups tab represents the Active Directory groups entitlement.
  5. Validate that the tab is of the Relationship type.
  6. Click Edit on the tab to view its definition.
  7. Validate that the search screen is of the Endpoint Capability Search type.
Create an Endpoint in CA Identity Portal
Use the following procedure to create an endpoint in the CA Identity Portal Admin UI.
Follow these steps:
  1. Navigate to the Admin UI.
  2. Click Elements, Endpoints, Create.
  3. In the Details tab, specify the following values:
    This tab configuration lets the end user see the endpoint accounts.
    1. Select the connector in which the endpoint can be found (the CA Identity Manager connector).
    2. Select the endpoint type from the available endpoints that are configured in CA Identity Manager.
      Prerequisite: The admin user defined in the connector configuration has the rights to execute the Modify Endpoint task.
    3. Specify a name for the endpoint configuration. The name is not displayed but is used to describe all endpoints that have this configuration.
      Example: Corporate Active Directories
  4. Click the Entitlements tab.
    This tab configuration lets the end user see and modify the entitlements for the endpoint account (for example, group membership in AD).
    1. Click Add Entitlement.
    2. Specify a name for the entitlement type. The entitlement name is the display name for the entitlements when an account is selected in the entitlements tree.
    3. Select a form to be displayed and triggered when adding/removing an entitlement. You must first configure a task that is used to add/remove that entitlement. The task must be adequate to perform that operation. For example, the Modify Active Directory Account task is suitable to add/remove AD groups, but the Modify User task is not.
      After you have configured the task, link the form to that task. This version supports only an empty form (a form with no props) for entitlements.
    4. Select a task to view/search the entitlements. You must first configure the task in CA Identity Portal; the already configured modify account task is sufficient.
    5. Select an entitlement type backend name. This is the entitlement object type in the connected system.
      Example: ActiveDirectoryAccountGroups when you want the entitlements that are in AD Groups.
    6. If a search filter on the entitlements is required, add search rules. Search rules enable you to define which entitlements a user can request.
      Example: You can configure that users from department IT are only able to request entitlements that contain the word IT.
      1. Name – a descriptive name for the search rule.
        Example: IT users
      2. Priority – the lowest priority rule is evaluated first. Rules work on a first-match basis.
      3. Expression – defines the logic on which the search rule matches. You can define logic on the requester or on the target user, for example, Requester Department Equals IT.
      4. Filters – define the population of entitlements that the user can act upon. These are search rules that encapsulate what the user is searching for. If left empty, the user can search and request all entitlements under this category. The available filter attributes are fetched from the search attributes of the entitlement search screen. To add more search attributes, modify the search screen in CA Identity Manager.
        Example: If you want to filter available AD groups by the group description, go to the Modify Active Directory Account task, switch to the Groups tab, click Edit on the search screen, and add more search attributes (ensure that you add the attribute to both the searchable attributes and the search results).
        Note: You must always define at least one search rule. That search rule can contain a default configuration that enables all users with that task in scope to request access to all users. To perform that configuration, add a search rule that has "true" in the expression and no search filters.
  5. Click the Account Attributes tab.
    This tab configuration lets the end user see additional account information when hovering over an account name in the entitlements section. The available attributes are fetched from the Account Information Task configured under the General tab.
    1. Click Add Attribute.
    2. Specify a display name for the attribute and select an available account attribute from the list.
  6. Click the Instances tab.
    This tab configuration controls which endpoint instances CA Identity Portal applies this configuration to. CA Identity Portal fetches the account, displays the account information, and enables requesting entitlements as configured in the previous steps on the endpoint instances that are configured in this tab.
    1. Select either All Instances or Select Instances.
  7. Click Create.
    The Endpoint is created.
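
The search-rule semantics in step 4 (lowest priority first, first match wins, empty filters allow every entitlement) mean that a catch-all "true" rule that sorts ahead of a restrictive rule widens what those users can request. The following Python model is an added example, not CA Identity Portal code: the names SearchRule, requestable and shadowing_catch_alls are hypothetical, filters are assumed to be substring matches on entitlement attributes, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class SearchRule:  # hypothetical model, not a CA Identity Portal type
    name: str
    priority: int                        # lowest value is evaluated first
    expression: Callable[[dict], bool]   # logic on the requester or target user
    filters: dict = field(default_factory=dict)  # attribute -> substring; empty = unrestricted

def matching_rule(rules, requester):
    """First rule, in ascending priority order, whose expression matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.expression(requester):
            return rule
    return None

def requestable(rules, requester, entitlements):
    """Names of entitlements the requester can search and request."""
    rule = matching_rule(rules, requester)
    if rule is None:
        return []
    return [e["name"] for e in entitlements
            if all(sub in e.get(attr, "") for attr, sub in rule.filters.items())]

def shadowing_catch_alls(rules, sample_requesters):
    """Unfiltered rules that win over a filtered rule matching the same requester."""
    found = set()
    for requester in sample_requesters:
        winner = matching_rule(rules, requester)
        if winner is None or winner.filters:
            continue
        if any(r.filters and r.priority > winner.priority and r.expression(requester)
               for r in rules):
            found.add(winner.name)
    return sorted(found)

# Constructed sample data (assumed substring filter on the group name).
GROUPS = [{"name": "IT-Admins"}, {"name": "IT-Helpdesk"}, {"name": "Finance-Payroll"}]
IT_USER, HR_USER = {"department": "IT"}, {"department": "HR"}
IT_RULE = SearchRule("IT users", 10, lambda u: u["department"] == "IT", {"name": "IT"})
GOOD_RULES = [IT_RULE, SearchRule("Default", 20, lambda u: True)]
BAD_RULES = [IT_RULE, SearchRule("Default", 1, lambda u: True)]  # catch-all sorts first

if __name__ == "__main__":
    print(requestable(GOOD_RULES, IT_USER, GROUPS))
    print(requestable(BAD_RULES, IT_USER, GROUPS))
    print(shadowing_catch_alls(BAD_RULES, [IT_USER, HR_USER]))
```

Running the shadowing check over a few representative requesters before saving a rule set shows whether the default rule required by the note is placed after the restrictive rules.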