Configuring and Scheduling the Active Directory Permission Collection
To configure the permission collection:
- Go to Admin > Applications.
- Scroll through the list or use the filter to find the application.
- Select the Edit icon on the application row.
- Select Next until you reach the Crawler & Permission Collection settings page.
Resource Collection Cluster - Select an existing virtual appliance cluster to associate with this application. Select the + to create a new cluster.
Permission Collection Cluster - Select an existing virtual appliance cluster to associate with this application. Select the + to create a new cluster.
Scheduling a Task
To create a schedule:
- Select Create a Schedule.
- The system will provide a Schedule Task Name in the format {appName} - {type} Scheduler. Choose to keep or override this suggestion.
- Select a scheduling frequency from the dropdown list.
Schedule Frequency Options
- Run After - Create a dependency between tasks. The task starts running only upon successful completion of the first task.
- Hourly - Set the start time.
- Daily - Set the start date and time.
- Weekly - Set the day(s) of the week on which to run.
- Monthly - Set the day of the month on which to run a task.
- Quarterly - Set a monthly schedule with an interval of 3 months.
- Half Yearly - Set a monthly schedule with an interval of 6 months.
- Yearly - Set a monthly schedule with an interval of 12 months.
- Fill the Date and Time field with scheduling times. These fields differ depending upon the scheduling frequency selected.
- Select the Active checkbox to activate the schedule.
- Select Next.
Setting the Crawl Scope
There are several options to set the crawl scope:
- Setting an explicit list of resources to include and / or exclude from the scan.
- Creating a regex to define resources to exclude.
Note
When the crawl is performed, two resources will display but neither is added by the crawl. These two resources also cannot be removed from the scope.
- Configuration Resource: for all activities that occur in the Configuration schema of the domain, which is shared across the forest. This means that in a multi-domain forest, you will still see it under the forest node rather than under the domain node.
- _Audit Policy: specifically for changes to the domain's audit policy, which are not really associated with any part of the domain tree and thus are given their own resource.
Including and Excluding Paths by List
To set the paths to include or exclude in the crawl process for an application:
- Go to Admin > Applications.
- Scroll through the list or use the filter to find the application.
- Select the Edit icon on the application row.
- Select Next until you reach the Crawler settings page.
Note
The entry fields vary by application type.
- Scroll down to the Crawl configuration settings.
- Select Advanced Crawl Scope Configuration to open the scope configuration panel.
- Select Include / Exclude Resources to open the input fields.
- To add a resource to a list, enter the full path to include or exclude in the top field and select + to add it to the list.
- To remove a resource from a list, find the resource in the list and select the x icon on the resource row.
Note
When creating exclusion lists, excludes take precedence over includes.
Excluding Paths by Regex
To set filters of paths to exclude in the crawl process for an application using regex:
- Go to Admin > Applications.
- Scroll through the list or use the filter to find the application.
- Select the Edit icon on the application row.
- Select Next until you reach the Crawler settings page.
Note
The entry fields vary by application type.
- Select Exclude Paths by Regex to open the configuration panel.
- Enter the paths to exclude by regex. Since the system does not collect BRs that match this regex, it also does not analyze them for permissions.
Crawler Regex Exclusion Example
The following are examples of crawler regex exclusions:
Exclude all users (CNs) under specific department (OU)
- Example: All under Finance OU
  Regex: ^CN=.+,OU=finance,DC=office,DC=mydomain,DC=com$
- Example: All under Finance and Accounting OU
  Regex: ^CN=.+,OU=(finance|accounting),DC=office,DC=mydomain,DC=com$
Include ONLY users (CNs) under specific department (OU)
- Example: Only under Finance OU
  Regex: ^(?!CN=.+,OU=finance,DC=office,DC=mydomain,DC=com$).*$
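Because resources matching an exclusion regex are never analyzed for permissions, it is worth checking a pattern against known distinguished names before saving it. The following is an added example, not SailPoint code: it uses Python's re module on constructed DNs and assumes the product's regex engine treats these constructs the same way (the page does not state the engine or its case sensitivity). It shows that `.+` spans commas, so nested OUs are excluded too, and that case differences change the result.

```python
import re

# Exclusion patterns from the examples above. The include-only pattern is a
# negative lookahead followed by .* so it matches every DN outside Finance.
EXCLUDE_FINANCE = r"^CN=.+,OU=finance,DC=office,DC=mydomain,DC=com$"
EXCLUDE_FIN_ACCT = r"^CN=.+,OU=(finance|accounting),DC=office,DC=mydomain,DC=com$"
ONLY_FINANCE = r"^(?!CN=.+,OU=finance,DC=office,DC=mydomain,DC=com$).*$"

# Constructed sample DNs (not taken from a real directory).
SAMPLE_DNS = [
    "CN=Alice,OU=finance,DC=office,DC=mydomain,DC=com",
    "CN=Bob,OU=accounting,DC=office,DC=mydomain,DC=com",
    "CN=Carol,OU=payroll,OU=finance,DC=office,DC=mydomain,DC=com",  # nested OU
    "CN=Dave,OU=Finance,DC=office,DC=mydomain,DC=com",  # different case
    "CN=Erin,OU=it,DC=office,DC=mydomain,DC=com",
]


def split_scope(pattern, dns, ignore_case=False):
    """Return (excluded, crawled) DN lists for one exclusion regex.

    ignore_case is an assumption knob: set it to mirror how the target
    system actually compares DNs.
    """
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    excluded = [dn for dn in dns if rx.search(dn)]
    crawled = [dn for dn in dns if not rx.search(dn)]
    return excluded, crawled


def cn(dns):
    """Shorten DNs to their leading CN value for readable output."""
    return [dn.split(",", 1)[0][3:] for dn in dns]


if __name__ == "__main__":
    cases = [
        ("exclude Finance", EXCLUDE_FINANCE, False),
        ("exclude Finance (case-insensitive)", EXCLUDE_FINANCE, True),
        ("exclude Finance + Accounting", EXCLUDE_FIN_ACCT, False),
        ("only Finance", ONLY_FINANCE, False),
    ]
    for label, pattern, ci in cases:
        excluded, crawled = split_scope(pattern, SAMPLE_DNS, ci)
        print(f"{label}: excluded={cn(excluded)} crawled={cn(crawled)}")
```

Running the same function over an export of real DNs shows exactly which objects would drop out of permission analysis before the exclusion is saved.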
Excluding Top-Level Resources
Use the top-level exclusion screen to select top-level roots to exclude from the crawl. This setting is done per application.
To exclude top-level resources from the crawl process:
- Go to Admin > Applications.
- Find the application to configure and select the dropdown list menu on the application line. Select Exclude Top Level Resources to open the configuration panel.
- Select the Run Task button to trigger a task that runs a short detection scan to detect the current top-level resources. If the top-level resource list has changed in the application while you are on this screen, select the Run Task button to retrieve the updated structure.
- Once triggered, you can view the task status in Settings > Task Management > Tasks, depending on your access to the task page.
- When the task has completed, select Refresh to update the page with the list of top-level resources.
- Select the top-level resource list and choose top-level resources to exclude. If all resources need to be selected, select Select All.
Note
If all resources are selected and you wish for them to be deselected, select Deselect All. You can also select individual resources.
- Select Save to save the change.
- To refresh the list of top-level resources, run the task again. Running the task will not clear the list of top-level resources to exclude.