Removal of AD group ends up removing the Location of user in Attestation

Hello,

V8.2.1

A location has AD groups (multiple) assigned to it, and whenever a user has that location, the respective AD groups get assigned to the user accordingly. I have created a location manager attestation where the AD groups will be attested by the respective location manager. Here, denying an AD group (which was assigned by a location) also removes the location of the user, along with some of the AD groups which were not denied.

For example: the US location has 3 AD groups (AD group1, AD group2, AD group3). Here, when I deny AD group1, it should remove only AD group1, but it's removing the US location and also AD group2 & AD group3 of the user.

So how can I remove only the group which was denied and retain the location & the other AD groups (2, 3) in the attestation process?

Thanks,

  • I'm using System entitlement membership attestation (attestation procedure) in my custom attestation policy.

    Thanks,

  • That means, you do not attest the assignment of the group to the location but the assignment of the group to the user account. And to remove that membership the system can only remove the membership of the identity (employee) of the location (Your system is configured to remove this type of assignment. Please check the documentation about the auto removal to learn more about the configuration options).

    If you want to attest the assignments of groups to locations, you need to use the "Attestation of system entitlement assignments to locations" attestation policy.