Group Collection Strategy
What is the best strategy for creating group collectors so they can dynamically handle group moves? We currently set the distinguishedName as the "Group ID/Name" attribute. We are in the middle of a domain consolidation project, which means every Role needs to be updated when a group moves. Before we create the new group collectors I wanted to check whether there is a better approach for group collectors than using the distinguishedName, so we don't have to update Roles every time a group changes, even within the same domain.
---Don
- Tags:
- Collector
- Collectors
- Community Thread
- Discussion
- Forum Thread
- Identity G&L
- Identity Governance & Lifecycle
- IG&L
- IGL
- RSA Identity
- RSA Identity G&L
- RSA Identity Governance & Lifecycle
- RSA Identity Governance and Lifecycle
- RSA IGL
In a multi-domain environment the DN is unique but can change, and you will need to perform changes in your roles (as you mentioned).
So you need a unique and non-changing value to identify your groups.
How about GUID?
The disadvantage is that it's not very human friendly...
Would be nice to hear from others.
From what I've read the GUID is unique across domains, so collecting that as the group name seems the only way. Is the objectGUID an attribute that the AD collector can reach?
Anyways, for the rather unpleasant display of the GUID: you can fix that with a business description. You can use a custom workflow (like... "totally supported") to go through all collected AD groups after each collection and use their DN or name as part of the business description. If the group has a description field filled in AD, use that as well. Then use the web services to upload that description file.
Thanks for the responses. Besides being human-unreadable, the GUID is unique to a domain, so it changes when you consolidate domains. The best we can come up with for now is to use the CN for the group and make sure they are unique.
Would that be a forest with two domains? If so, the GUID should stay unchanged. https://social.technet.microsoft.com/Forums/windowsserver/en-US/a5c0a863-cad1-4df8-a194-cb58f24ab1e6...
Hi Don,
For similar scenarios, I have used the CN or sAMAccountName as the identifier. They are not ideal but generally the only option you have for the situation you are in. As you mention, making sure they are unique is the key thing.
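As an added illustration of the uniqueness check the thread arrives at (this is not code from any poster or from RSA IG&L): a Python script over constructed, collector-style group records that reports which candidate identifier (distinguishedName, objectGUID, CN, sAMAccountName) would collide across domains, and models how a move rewrites the DN while leaving the objectGUID intact. The sample GUIDs, DNs and the record layout are assumptions made for the example.

```python
"""Which collected AD attribute can serve as a stable, unique Group ID?
Records below are constructed: two domains of one forest each hold an
'App-Admins' group, and one CN contains an escaped comma."""
import re
from collections import defaultdict
COLLECTED_GROUPS = [  # constructed sample data, collector-style records
    {"distinguishedName": "CN=App-Admins,OU=Groups,DC=corp,DC=example",
     "objectGUID": "5c7d2b1e-0f2a-4a9b-8a1c-111111111111", "sAMAccountName": "App-Admins"},
    {"distinguishedName": "CN=App-Admins,OU=Legacy,DC=sub,DC=corp,DC=example",
     "objectGUID": "9e2f4c3d-7b1a-4e6f-9c2d-222222222222", "sAMAccountName": "App-Admins"},
    {"distinguishedName": "CN=Finance\\, EMEA,OU=Groups,DC=corp,DC=example",
     "objectGUID": "3a1b2c3d-4e5f-4061-8283-333333333333", "sAMAccountName": "Finance-EMEA"},
]

def split_dn(dn):
    """Split a DN into (first RDN, parent DN) at the first unescaped comma."""
    escaped = False
    for i, ch in enumerate(dn):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            return dn[:i], dn[i + 1:]
    return dn, ""

def rdn_value(rdn):
    """'CN=Finance\\, EMEA' -> 'Finance, EMEA' (backslash escapes only, no \\2C hex)."""
    return re.sub(r"\\(.)", r"\1", rdn.partition("=")[2])

def find_collisions(groups, attribute):
    """{value: [DNs]} for values of `attribute` shared by more than one group.
    AD compares these attributes case-insensitively, so keys are lowercased."""
    seen = defaultdict(list)
    for g in groups:
        cn = rdn_value(split_dn(g["distinguishedName"])[0])
        value = cn if attribute == "cn" else g[attribute]
        seen[value.lower()].append(g["distinguishedName"])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}

def candidate_report(groups):
    """Colliding-value count per candidate identifier across all domains."""
    return {a: len(find_collisions(groups, a))
            for a in ("distinguishedName", "objectGUID", "cn", "sAMAccountName")}

def move_group(group, new_parent_dn):
    """Model a move inside the forest: the DN is rewritten, objectGUID is kept,
    so roles keyed on the DN break while roles keyed on the GUID survive."""
    rdn, _ = split_dn(group["distinguishedName"])
    return {**group, "distinguishedName": f"{rdn},{new_parent_dn}"}
```

Run `candidate_report` against a real collection export before switching the Group ID/Name attribute; any non-zero count for the attribute you intend to use means two groups would be merged into one Role entitlement.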
