Group Collection Strategy
What is the best strategy for creating group collectors so they can dynamically handle group moves? We currently set the distinguishedname as the "Group ID/Name" attribute. We are in the middle of a domain consolidation project which requires every Role needs to get updated when the group moves. Before we create the new group collectors I wanted to check and see if there is a better approach with group collectors than using the distinguishedname so we don't have to update Roles every time a group changes, even within the same domain.
- Community Thread
- Forum Thread
- Identity G&L
- Identity Governance & Lifecycle
- RSA Identity
- RSA Identity G&L
- RSA Identity Governance & Lifecycle
- RSA Identity Governance and Lifecycle
- RSA IGL
In a multi domains env the DN is unique but can change and you will need perform changes in your roles (as you mentioned).
So you need a unique and a non changing value to identify your groups.
How about GUID?
The disadvantage is that it's not very human friendly...
Would be nice to hear from others.
From what I've read the GUID is unique across domains, so collecting that as the group name seems the only way. Is the objectGUID an attribute that the AD collector can reach?
Anyways, for the rather unpleasant display of the GUID: you can fix that with a business description. You can use a custom workflow (like... "totally supported") to go through all collected AD groups after each collection and use their DN or name as part of the business description. If the group has a descriptions field filled in AD, use that as well. Then use the web services to upload that description file.
Thanks for the responses. Besides being human unreadable the GUID is unique to a domain so it changes when you consolidate domains. Best we can come up with now is use the CN for the group and make sure they are Unique.
For similar scenarios, I have used the CN or sAMAccountName as the identifier. They are not ideal but generally the only option you have for the situation you are in. As you mention, making sure they are unique is the key thing.