Group membership not updated after ADC ran
The cn in AD has been updated for all user objects from a format "surname,forename" to "username" and is causing issues with group membership changes.
We collect the user object DNs into our identity data and then link our identities back to AD user and group objects using the DNs. Following the change to the DNs within AD, the identities and group memberships show the DNs as expected, but the memberships now don't update.
If I check the raw data for the ADC, it clearly shows that one group membership is missing as expected, but when you view an identity's access the membership has not changed.
There are no errors, so I'm at a bit of a loss where to start troubleshooting.
Any help would be greatly appreciated.
Is this version 7.0 or higher? There could probably be a bug with delta processing. You can try to run the collector once after setting it to full refresh. See the thread below for instructions to set a collector to full refresh.
Full refresh didn't work but the following did in test:
- Remove mapping attribute from the Member Account Resolution Rules for AD ADC
- Re-run collector – shows all users with no AD entitlements
- Add mapping attribute back in to Member Account Resolution Rules for AD ADC
- Re-run collector – shows all users with AD entitlements and updated correct Entitlement Path
Can you think of any impact this would have to ongoing reviews or outstanding requests to remediate access?
We are only utilising the Reviews within Via at present so considerations to other functionality would not impact us at present.
That would not have any impact directly on reviews but would have impact on the change requests that exist for the removal of those AD entitlements for users.
If there are any pending activities that were waiting for AD entitlements to be removed from users, they would have got completed. Better to check if any such activities got closed and if you need to generate change requests again to revoke them.