What is the difference between groups collected by an Accounts collector and groups collected by an Entitlements collector for Active Directory?
We want to be sure to use the best way for catching AD groups in RSA.
I would recommend collecting Groups by the account collector for the following reason:
Groups collected by the entitlement collector are collected as App-Roles, which means they lose all the above Group-related benefits. I can't think of a customer I know who does that. There is probably a use case for it but I don't see the point in doing that so far.
Any specific reason you do not want to collect Groups as normal Groups using an account collector?
Thank you for the clarification. We just wanted to understand both situations and you have done the job; we will use the group collector in the account collector.
I agree with you that the benefits lost with an EDC are too much and it's pretty weird to make an EDC possible for AD. It's creating a lot of confusion.
Wrt your point 3 - You can collect entitlements assigned to Groups from other entitlement collectors (imagine an application that uses AD groups for authorization) - does/would/could that somehow allow us to link entitlements to groups such that if a user is a group member then they also get the other entitlements? Specifically wrt Aveksa custom app-roles.
Reason being we have a bunch of "actor" groups that we originally used to allow access to User Views (in Access Request). The groups also include an element of data scope, e.g. Group A would only give access to User View A which only listed users with attributex=A, Group B would give access to User View B, etc. When, however, we were able to create custom Aveksa app-roles we used that for other capability that the groups wouldn't necessarily give.
What we now have is the situation where users in Group A and Group B should also have app-role R. Is there any sensible way we could effect this without having to manage the groups AND app-roles explicitly? I've tried exploring this with Jamie in the past but wondered whether the application has changed under v7 upwards such that we could now manage this.