Unstructured Target Collector

Unstructured target information defines the unstructured data sources from which the connector extracts data. Unstructured data is data stored in a format that is not easily machine-readable; for example, the contents of an Excel spreadsheet, the body of an email, a Microsoft Word document, or an HTML file are all considered unstructured data. Unstructured targets pose a number of challenges for connectors: the data is stored in a format that is hard to extract from, and the systems and directory structures in which the files reside are often difficult to access.

The unstructured target collector that can be configured with the Active Directory application is Windows File Share.

Note
Active Directory Connector supports automated revocation of the Target Permissions.

Windows File Share

The Windows File Share target collector can be configured on the Active Directory application to read file share permissions and correlate them with Active Directory entities. To correlate the aggregated permissions, ensure that the following attribute is marked as the Correlation Key in the respective schemas:

  • objectSid for Accounts and Groups

This target collector requires the IQService to be installed on a machine that has visibility to the directory or share to be included in the target scan. See the Installation Guide for information on installing and registering the IQService.

The unstructured targets defined on this tab are used by the Target Aggregation task to correlate targets with permissions assigned to identities and account groups for use in certifications.

The Unstructured Targets tab contains the following fields, listed as the field name followed by its description:

Attributes: The required settings for connecting to the IQService.

IQService Host

The host on which the IQService resides.

IQService Port

The TCP/IP port where the IQService is listening for requests.

IQService User

User registered with IQService for Client Authentication.

IQService Password

Password of registered user for Client Authentication.

Use TLS for IQService

Indicates whether communication between IdentityIQ and the IQService uses TLS.

If Use TLS is enabled, the IQService User and IQService Password attributes are mandatory.

Number of targets per block

Number of targets (files) to include in each block of data returned.

File Shares: The required information for each share.

Path

UNC-style path to a share or local directory.

You can target a specific file, or a directory and its sub-directories containing multiple files, from which to extract the required data. If you target a directory, use the Wildcard and Directory Depth fields to narrow the query where possible.

Directories Only

Instructs the collector to ignore files and report only directory permission information.

Directory Depth

The sub-directory depth from which to extract data.

The Directory Depth field lets you extend the query up to ten (10) sub-directory levels below the directory specified in the Path field.

Wildcard

Use wildcards to target a particular file type or naming scheme.

For example, to search only Excel spreadsheets, use *.xls; to search only files whose names begin with finance_, use finance_*.*

Include Inherited Permissions

Controls whether permissions that a file or directory inherits from its parent are reported. When this option is not selected, the collector reports only permissions that are directly assigned on the target.

Administrator

The administrator account that has access to this share, used to collect permissions. Specify the user principal name (user@xyz.com) or a fully qualified domain user name in the domain\user format.

Password

The password associated with the specified administrator.

The IQService runs as System by default but can be configured to run as any user, so the Administrator and Password fields are not required in every case; they are needed when the account the IQService runs as cannot itself read the permissions on the share.
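A way to check, before running Target Aggregation, what the collector will actually be able to read from a share. The following PowerShell script is an added example, not SailPoint's code: it mirrors the File Shares fields above (Path, Directories Only, Directory Depth, Wildcard, Include Inherited Permissions) using Get-Acl, and resolves every principal on each ACE to its SID, since objectSid is the correlation key for accounts and groups. The parameter names and the Get-TargetAce helper are this example's own, and it assumes a depth of 0 means only the entries directly under Path.

```powershell
<#
Added example, not SailPoint's code: preview what the Windows File Share target
collector will read from a share, using the same knobs the tab exposes. Run it
in the security context you intend to give the collector (the account in the
Administrator field, or the account the IQService runs as) so that an access
failure here predicts a gap in the Target Aggregation task.
Assumptions: Windows PowerShell 5.1 or later; Get-TargetAce and the parameter
names are this example's own; depth 0 means only the entries directly under Path.
#>
param(
    [Parameter(Mandatory)] [string] $Path,              # Path: UNC path or local directory
    [switch] $DirectoriesOnly,                          # Directories Only
    [ValidateRange(0, 10)] [int] $DirectoryDepth = 0,   # Directory Depth (0..10)
    [string] $Wildcard = '*',                           # Wildcard, e.g. *.xls or finance_*.*
    [switch] $IncludeInheritedPermissions               # Include Inherited Permissions
)

function Get-TargetAce {
    param([string] $ItemPath, [bool] $Inherited)

    try {
        $acl = Get-Acl -LiteralPath $ItemPath
    } catch {
        # READ_CONTROL denied: a collector running as this account will miss the target too.
        Write-Warning "Cannot read ACL on '$ItemPath': $($_.Exception.Message)"
        return
    }

    foreach ($ace in $acl.Access) {
        if (-not $Inherited -and $ace.IsInherited) { continue }

        # Correlation is on objectSid, so resolve each principal to its SID.
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $null   # translation failed (for example, the principal's domain is unreachable)
        }

        [pscustomobject]@{
            Target    = $ItemPath
            Principal = $ace.IdentityReference.Value   # DOMAIN\name as the ACE displays it
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }
    }
}

# The entry named in Path is itself a target; below a directory, walk to the requested depth.
$root    = Get-Item -LiteralPath $Path -Force
$targets = @($root)
if ($root.PSIsContainer) {
    $childArgs = @{ LiteralPath = $Path; Filter = $Wildcard; Recurse = $true; Depth = $DirectoryDepth; Force = $true }
    if ($DirectoriesOnly) { $childArgs['Directory'] = $true }
    $targets += Get-ChildItem @childArgs
}

$results = foreach ($t in $targets) {
    Get-TargetAce -ItemPath $t.FullName -Inherited $IncludeInheritedPermissions.IsPresent
}

$results | Format-Table Target, Principal, Sid, Rights, Type, Inherited -AutoSize

# A principal shown only as a raw SID could not be resolved (deleted account or
# untrusted domain); it is not going to match any objectSid aggregated from this domain.
$results | Where-Object { $_.Principal -match '^S-1-' } |
    Select-Object -ExpandProperty Principal -Unique |
    ForEach-Object { Write-Warning "Unresolvable principal, will not correlate: $_" }
```

Run it from a PowerShell session started as the account you intend to put in the Administrator field, against the same UNC path you will put in the Path field. A Get-Acl warning on a target is the access problem the collector will hit, and a principal that appears only as a raw SID is one that will not correlate with any aggregated account or group.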

Rules: Specify the rules used to transform and correlate the targets.

Note
Select the "..." icon to launch the Rule Editor to make changes to your rules if needed.

Creation Rule

The rule that determines how the unstructured data extracted from the data source is transformed into data that IdentityIQ can read.

Correlation Rule

The rule that determines how account (user and contact) information from the application is correlated with identity cubes in IdentityIQ.

Provisioning-related attributes: Select the settings for provisioning to the share.

Override Default Provisioning

Select to override the default provisioning action for the collector.

Provisioning Action

The overriding provisioning action for the collector.

To revoke permissions for Active Directory users and/or groups using the Windows File Share target collector, perform the following:

  1. Add the following attributes under the target source configuration:

    <entry key="searchAttrForAcct" value="msDS-PrincipalName"/>
    <entry key="searchAttrForGrp" value="msDS-PrincipalName"/>

  2. Remove the NO_PERMISSIONS_PROVISIONING feature string from the application configuration.
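At the file system level, revoking a collected permission means removing that principal's ACE from the target's DACL, which is only possible where the ACE was assigned directly; an ACE the target inherits can be removed only on the object that defines it, which is why the Include Inherited Permissions setting matters when planning revocations. The following PowerShell script is an added example, not SailPoint's code and not a description of how the connector implements revocation internally: it accepts the principal either as a SID (the objectSid the collector correlated on) or in DOMAIN\name form, which is what an ACE displays and what the msDS-PrincipalName attribute named in step 1 holds, and removes only the directly assigned ACEs for that principal. The parameter names are this example's own.

```powershell
<#
Added example, not SailPoint's code: the DACL operation that revoking a Windows
file share permission comes down to. Removes the ACEs assigned directly on one
target to one principal and refuses to touch inherited ACEs, which can only be
revoked on the object that defines them.
Assumptions: Windows PowerShell 5.1 or later; the caller holds WRITE_DAC (or
ownership) on the target, as the account in the Administrator field must.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $Path,        # UNC path or local directory (a collected target)
    [Parameter(Mandatory)] [string] $Principal    # DOMAIN\name (msDS-PrincipalName form) or an S-1-5-... SID
)

# Normalise either form to a SecurityIdentifier, since objectSid is the correlation key.
if ($Principal -match '^S-1-') {
    $sid = [System.Security.Principal.SecurityIdentifier] $Principal
} else {
    $sid = ([System.Security.Principal.NTAccount] $Principal).Translate([System.Security.Principal.SecurityIdentifier])
}

$acl = Get-Acl -LiteralPath $Path

# Directly assigned rules for this SID: these can be revoked on this target.
$explicit  = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq $sid.Value }
# Inherited rules for this SID: reported, but not removable on this object.
$inherited = $acl.GetAccessRules($false, $true, [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq $sid.Value }

if ($inherited) {
    $msg = "{0} inherited ACE(s) for {1} on '{2}' remain; revoke them on the parent that defines them or break inheritance first." -f @($inherited).Count, $sid.Value, $Path
    Write-Warning $msg
}

if (-not $explicit) {
    Write-Output "No directly assigned ACE for $($sid.Value) on '$Path'; nothing to revoke."
    return
}

foreach ($rule in $explicit) {
    $action = "Remove $($rule.AccessControlType) '$($rule.FileSystemRights)' for $($sid.Value)"
    if ($PSCmdlet.ShouldProcess($Path, $action)) {
        # RemoveAccessRuleSpecific removes exactly this ACE and nothing else for the principal.
        [void] $acl.RemoveAccessRuleSpecific($rule)
    }
}

# Writes the modified DACL back; with -WhatIf this is reported rather than applied.
Set-Acl -LiteralPath $Path -AclObject $acl
```

Run it with -WhatIf first to see which ACEs would be removed without changing the share. The inherited-ACE warning is the case to watch for: a target that only inherits the principal's access shows as revoked in the DACL of its parent, not in its own, so the permission the collector reported with Include Inherited Permissions enabled will still be present until the parent is changed.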