
How can AD Group Membership be Managed?

I'm playing around with group management in Manager and different ways to achieve a similar thing, but am running into some trouble. These are my scenarios:

Added AD Group to the IT Shop (service item and onto a shelf)
Requested service item with group
approved service item with group
ran sync
Not added to group

Added AD Group to business role
assigned user to business role
ran sync
not added to group

selected a users AD account in hyperview
assigned AD Group to AD account
ran sync
added to group

It seems I can only directly assign AD Groups to AD Accounts via Manager, while indirect assignment, either through a Business Role or a Service Item, doesn't work. Is there some configuration I'm missing here?

  • Hi ds,

    is your account marked for inheritance of permissions from the identity (flag labeled "Groups can be inherited", ADSAccount.IsGroupAccount)?

    BTW, if you have provisioning process operations for your sync project, there is no need to run a sync after such activities.

    HTH,
    Oliver
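The flag Oliver refers to can be checked for all accounts at once in the Identity Manager database rather than one account at a time in the hyperview. The query below is an added example, not part of this thread or of One Identity's documentation; it assumes a OneIM 7.x schema on SQL Server with the columns ADSAccount.IsGroupAccount, ADSAccount.UID_Person and ADSAccount.UID_TSBAccountDef, the membership table ADSAccountInADSGroup, and the usual XOrigin bit semantics (1 = direct, 2 = inherited), all of which are assumptions to verify against your own schema.

```sql
-- Added diagnostic example, not code from the thread.
-- Run read-only against the One Identity Manager database (SQL Server).
-- Assumed schema: ADSAccount.IsGroupAccount, ADSAccount.UID_Person,
-- ADSAccount.UID_TSBAccountDef, ADSAccountInADSGroup.XOrigin (OneIM 7.x).

-- 1. AD accounts that are linked to an identity but cannot inherit groups,
--    i.e. "Groups can be inherited" (IsGroupAccount) is not set. Indirect
--    assignments via business roles or the IT Shop never reach these accounts.
SELECT a.SAMAccountName,
       p.CentralAccount,
       a.IsGroupAccount,
       CASE WHEN a.UID_TSBAccountDef IS NULL
            THEN 'linked, no account definition'
            ELSE 'managed by account definition'
       END AS AccountOrigin
FROM   ADSAccount a
       JOIN Person p ON p.UID_Person = a.UID_Person
WHERE  a.IsGroupAccount = 0
ORDER BY a.SAMAccountName;

-- 2. For one account, show which group memberships are direct and which were
--    inherited. Bit values of XOrigin are assumed: 1 = direct, 2 = inherited.
--    'jdoe' is a constructed sample account name.
SELECT g.cn AS GroupName,
       aig.XOrigin,
       CASE WHEN aig.XOrigin & 1 = 1 THEN 'yes' ELSE 'no' END AS IsDirect,
       CASE WHEN aig.XOrigin & 2 = 2 THEN 'yes' ELSE 'no' END AS IsInherited
FROM   ADSAccountInADSGroup aig
       JOIN ADSGroup   g ON g.UID_ADSGroup   = aig.UID_ADSGroup
       JOIN ADSAccount a ON a.UID_ADSAccount = aig.UID_ADSAccount
WHERE  a.SAMAccountName = 'jdoe'
ORDER BY g.cn;
```

If the first query lists the account in question, set the flag through Manager or the Object Browser rather than with a direct UPDATE: going through the object layer is what triggers the recalculation of inherited assignments, and a raw SQL change bypasses that.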
  • It would be a lot easier to answer if you post the version of OneIM you are using.

    Until then, I'll talk about 7.1.1

    Check that at the AD account the checkbox is set for Groups can be inherited. By default this flag is not set for linked accounts, which are accounts that you have synced into your DB and linked to an identity (person) but that do not have an account definition assigned.

  • You beat me on that one Oliver :-)
  • Hi - I'm seeing a very similar issue to this one in my own test VMs (v7.1.1). I think the issue is with indirect assignment configuration steps but I haven't been able to isolate what causes it.

    In my labs, I have ADS accounts provisioned through account definitions. Direct (manual) assignment through the UI works. Indirect assignment through business roles or dynamic roles doesn't seem to trigger account creation.

    If I go onto the Person object and look at one of my test users in a dummy IT department, I can see two account definitions are already assigned. If I go to the “assign to employees” section of either account definition, I can see a tick against the user already, and I can also see the user's qualified for the account via indirect assignment of a business role. If I go to the Business Roles view, the "additionally assigned employees" box shows the user has the qualifying role.

    So, everything seems right but neither AD account is created.

    If I manually assign the account definitions to a different user through the UI, they get the account definitions AND on the next sync I see the accounts getting created.

    Anecdotally, I know someone else who has also read the documentation thoroughly, configured everything right (as far as I can tell) but ALSO doesn't see anything happen when they use a business role for indirect assignment.

    I'll review the config at my end and if I figure out what the issue is, I'll post it here as it's quite possible the issues are related.
  • Hi,

    Please consult the power of the checklist below. If you find that the reason is not on the list please let us know and we will update the list.

    support.oneidentity.com/.../229618

    hth,
    Rob.