AnsweredAssumed Answered

Group membership resolution failing

Question asked by Padmalochan Mohanty on Apr 2, 2020
Latest reply on Apr 3, 2020 by Andy Cheek

Like • Show 0 Likes0
Comment • 6

We have an application which collects entitlements from database and groups specific Active directory groups . The application accounts are collected from account collector where source type is database. Account id is same value as samAccountName . So setting up samAccountName as Account ID. While collecting AD group membership, members are having distinguishedName value. Group membership is failing and rejecting all member account resolutions.

Any thoughts how to collect group membership with successful account resolutions.

Craig Ramsay

Apr 2, 2020 12:16 PM

Correct Answer

I would not recommend collecting permissions from different sources under one application or directory, particularly when AFX is involved. My concerns here are:

You are duplicating data for AD groups by collecting them under Active Directory and this other application. This complicates things when requesting or reviewing access.

From an AFX perspective, each business source can only be bound to one AFX Connector. In this case that can only be the database or the Active Directory. If it is the database, any attempt to fulfill a change in AFX that relates to an AD group will fail and vice versa.

My recommendation would be to separate these out into separate business source. One for the database accounts and the related application roles and another that utilises the AD accounts and group memberships. This post around AD Managed Applications explains how to do this giving you the visibility of the group memberships from an application perspective without duplicating data or causing any issues with AFX: Active Directory (AD) Managed Applications

See the reply in context

No one else had this question

Outcomes

Pradeep Kadambar

Apr 2, 2020 10:28 AM

I suggest you should put little more effort in asking your questions by giving the sample data from each source.

Actions

Craig Ramsay

Apr 2, 2020 10:29 AM

I'd like to understand more about this use case and your configuration as this raises a few concerns around data duplication and limitations with AFX.

- Do you already collect the AD group and the membership in a separate application/directory?

- Are you considering using AFX to fulfill changes in this application in the future?

- What version of IGL are you using?

Actions

Padmalochan Mohanty @ Craig Ramsay on Apr 2, 2020 11:42 AM

Do you already collect the AD group and the membership in a separate application/directory?

- AD collector has collected the groups in AD directory. The application is also having the group collector.

Are you considering using AFX to fulfill changes in this application in the future?

- AFX fulfill the changes in this application.

What version of IGL are you using?

7.1.0 P6

FYR. Below are screen shot from configuration of group collector

Collectors

Account Mapping

Group Config

Member Account Resolution Rule

Thank you !!!..

Actions

Ahmed Nofal

@ Padmalochan Mohanty on Apr 2, 2020 12:01 PM

Are you able anyhow to map the Member Account resolution rule to an account attribute that contains the distinguishedName of the account?

Actions

Craig Ramsay

@ Padmalochan Mohanty on Apr 2, 2020 12:16 PM

I would not recommend collecting permissions from different sources under one application or directory, particularly when AFX is involved. My concerns here are:

You are duplicating data for AD groups by collecting them under Active Directory and this other application. This complicates things when requesting or reviewing access.

2 people found this helpful

Actions

Andy Cheek Apr 3, 2020 3:42 AM

Also - I don't understand why you're collecting accounts from a database if those accounts are actually AD accounts, which given the groups are in AD would seem to be the case.

I'm with Craig - only collect something from one source. We have nearly 30 applications that use AD groups for their access control, so each application has an ADC that collects the groups & group memberships but NOT the accounts. The AD accounts are all collected separately by a single ADC linked to a directory. The applications are then configured to use that as their Directory for Accounts. This then allows us to use AFX to manage the group memberships as entitlements for each application separately.

Actions

6 Replies

Pradeep Kadambar Apr 2, 2020 10:28 AM
Mark Correct
Correct Answer
I suggest you should put little more effort in asking your questions by giving the sample data from each source.
Like • Show 0 Likes0
Actions
Craig Ramsay Apr 2, 2020 10:29 AM
Mark Correct
Correct Answer
I'd like to understand more about this use case and your configuration as this raises a few concerns around data duplication and limitations with AFX.

- Do you already collect the AD group and the membership in a separate application/directory?
- Are you considering using AFX to fulfill changes in this application in the future?
- What version of IGL are you using?
Like • Show 0 Likes0
Actions
- Padmalochan Mohanty @ Craig Ramsay on Apr 2, 2020 11:42 AM
  Mark Correct
  Correct Answer
  Do you already collect the AD group and the membership in a separate application/directory?
  - AD collector has collected the groups in AD directory. The application is also having the group collector.
  Are you considering using AFX to fulfill changes in this application in the future?
  - AFX fulfill the changes in this application.
  What version of IGL are you using?
  7.1.0 P6
  
  FYR. Below are screen shot from configuration of group collector
  Collectors
  
  Account Mapping
  
  Group Config
  Member Account Resolution Rule
  
  Thank you !!!..
  Like • Show 0 Likes0
  Actions
  - Ahmed Nofal @ Padmalochan Mohanty on Apr 2, 2020 12:01 PM
    Mark Correct
    Correct Answer
    Are you able anyhow to map the Member Account resolution rule to an account attribute that contains the distinguishedName of the account?
    Like • Show 0 Likes0
    Actions
  - Craig Ramsay @ Padmalochan Mohanty on Apr 2, 2020 12:16 PM
    Unmark Correct
    Correct Answer
    I would not recommend collecting permissions from different sources under one application or directory, particularly when AFX is involved. My concerns here are:
    
    You are duplicating data for AD groups by collecting them under Active Directory and this other application. This complicates things when requesting or reviewing access.
    
    From an AFX perspective, each business source can only be bound to one AFX Connector. In this case that can only be the database or the Active Directory. If it is the database, any attempt to fulfill a change in AFX that relates to an AD group will fail and vice versa.
    
    My recommendation would be to separate these out into separate business source. One for the database accounts and the related application roles and another that utilises the AD accounts and group memberships. This post around AD Managed Applications explains how to do this giving you the visibility of the group memberships from an application perspective without duplicating data or causing any issues with AFX: Active Directory (AD) Managed Applications
    2 people found this helpful
    Like • Show 3 Likes3
    Actions
Andy Cheek Apr 3, 2020 3:42 AM
Mark Correct
Correct Answer
Also - I don't understand why you're collecting accounts from a database if those accounts are actually AD accounts, which given the groups are in AD would seem to be the case.

I'm with Craig - only collect something from one source. We have nearly 30 applications that use AD groups for their access control, so each application has an ADC that collects the groups & group memberships but NOT the accounts. The AD accounts are all collected separately by a single ADC linked to a directory. The applications are then configured to use that as their Directory for Accounts. This then allows us to use AFX to manage the group memberships as entitlements for each application separately.
Like • Show 1 Like1
Actions

Group membership resolution failing

Outcomes

Related Content

Recommended Content