What is the difference between groups collected by an Accounts collector and groups collected by an Entitlements collector for Active Directory ?
We wants to be sure to use the best way for catching AD groups in RSA.
I would recommend collecting Groups by the account collector for the following reason:
Groups collected by the entitlement collector are collected as App-Roles, which means they lose all the above Group related benefits. I can't think of a customer I know who does that. There is probably a use case for it but I don't see the point in doing that so far.
Any specific reason you do not want to collect Groups as normal Groups using an account collector?
Thank you for the clarification. We just wanted to understand the both situation and you have done the job, we will use group collector in the account collector.
I agree with you that the benefits lost with an EDC is too much and it's pretty weird to let an EDC possible for AD. It's creating a lot of confusion.
Retrieving data ...