This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Identity Governance & Lifecycle Discussions

Discussions about RSA Identity Governance & Lifecycle.
DannyBissett
New Contributor
New Contributor
‎2016-09-19 08:55 AM

Group membership not updated after ADC ran

The cn in AD has been updated for all user objects from a format "surname,forename" to "username" and is causing issues with group membership changes.

 

We collect the user object DNs into our identity data and then link our identities back to AD user and group objects using the DNs. Following the change to the DNs within AD the identities and group memberships show the DNs as expected but the memberships now don't update.  

 

If I check the Raw data for the ADC it clearly shows that one group membership is missing as expected but when you view an identities access the membership has not changed.

 

There are no errors so I'm at a bit of a loss where to start troubleshooting

 

Any help would be greatly appreciated

0 Likes
Reply
3 Replies
VenkataRamanaR1
Moderator Moderator
Moderator
‎2016-09-20 07:43 AM

Is this version 7.0 or higher? There could probably be a bug with delta processing. You can try to run the collector once after setting it to full refresh. See below thread for instructions to set a collector to full refresh

 

https://community.rsa.com/message/874466 

Reply
CraigRamsay1
Beginner
Beginner
In response to VenkataRamanaR1
‎2016-09-23 08:01 AM

Full refresh didn't work but the following did in test:

 

  • Remove mapping attribute from the Member Account Resolution Rules for AD ADC
  • Re-run collector – shows all users with no AD entitlements
  • Add mapping attribute back in to Member Account Resolution Rules for AD ADC
  • Re-run collector – shows all users with AD entitlements and updated correct Entitlement Path

 

Can you think of any impact this would have to ongoing reviews or outstanding requests to remediate access?

 

We are only utilising the Reviews within Via at present so considerations to other functionality would not impact us at present.

0 Likes
Reply
VenkataRamanaR1
Moderator Moderator
Moderator
In response to CraigRamsay1
‎2016-09-23 11:36 AM

That would not have any impact directly on reviews but would have impact on the change requests that exist for the removal of those AD entitlements for users.

If there are any pending activities that were waiting for AD entitlements to be removed from users, they would have got completed. Better to check if any such activities got closed and if you need to generate change requests again to revoke them..

Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.