Migrate from IDVault for Group objects to Active Directory

Hi,

We have IDM 4.7 on a Linux server. We have 1000 dynamic groups which add members based on a given condition/query. We have corresponding static groups that are associated to equivalent groups in Active Directory.

The members from the dynamic groups are added to the static groups using a Loopback driver.

The process is described below:
1. Members are added to the dynamic group based on the query condition.
2. The Loopback driver detects the event and then adds the newly added users from the dynamic group to its equivalent static group.
3. The group member add event (in IDM) is then picked up by the Active Directory driver, which then adds the user to the AD group that is associated.

Somehow, we see that the members of the static group in IDM do not match the members of the AD group.
Example: Group-abc in IDM has 10 members, but the group Group-abc in AD has around 100 members.

It's happening not only for one group but for several groups.

Solution: we want to fix this issue so that the members in AD are kept the same as in IDM.

Question 1: How can this be fixed?

There is the Migrate from IDVault option on the subscriber driver to sync/resync an object to the application (in this case AD).
Can we use this option and select a group in IDM, so that the members will be synced to AD to have equivalent members...

Does this option work in the above-mentioned manner?

Please let us know if there's any other option.

Question 2: Also, please let us know if we can track/identify from AD whether members were added manually and by whom, using some driver policy/rule on the publisher channel of the AD driver.

Question 3: Similarly, can we use the "Merge authority" option on the filter, set to IDVault, to keep the members in AD the same as in IDM and resync again, or remove any members that were added directly to the AD group?


Thanks in advance.

best regards,
dk
  • On 04/12/2019 03:54 PM, dkdng wrote:
    >
    > We have IDM 4.7 on a Linux server. We have 1000 dynamic groups which
    > add members based on a given condition/query. We have corresponding
    > static groups that are associated to equivalent groups in Active
    > Directory.
    >
    > The members from the dynamic groups are added to the static groups
    > using a Loopback driver.
    >
    > The process is described below:
    > 1. Members are added to the dynamic group based on the query condition.
    > 2. The Loopback driver detects the event and then adds the newly added
    > users from the dynamic group to its equivalent static group.
    > 3. The group member add event (in IDM) is then picked up by the Active
    > Directory driver, which then adds the user to the AD group that is
    > associated.
    >
    > Somehow, we see that the members of the static group in IDM do not
    > match the members of the AD group.
    > Example: *Group-abc* in IDM has 10 members, but the group *Group-abc* in
    > AD has around 100 members.
    >
    > It's happening not only for one group but for several groups.
    >
    > Solution: we want to fix this issue so that the members in AD are kept
    > the same as in IDM.
    >
    > *Question 1: *How can this be fixed?
    >
    > There is the Migrate from IDVault option on the subscriber driver to
    > sync/resync an object to the application (in this case AD).
    > Can we use this option and select a group in IDM, so that the members
    > will be synced to AD to have equivalent members...
    >
    > Does this option work in the above-mentioned manner?


    This option does a good job of making sure what is in IDM make it to the
    application, but it does not necessarily clean out the application of more
    than that, so it is probably not what you want right now.

    > Please let us know if there's any other option.


    For a one-time fix you may want to check out Console 2, a program written
    by another IDM expert, which I believe will let you compare groups even
    across other directories like Microsoft Active Directory (MAD). For more,
    check out https://sneakycat.biz/

    > *Question 2: *Also, please let us know if we can track/identify from AD
    > whether members were added manually and by whom, using some driver
    > policy/rule on the publisher channel of the AD driver.


    You can definitely use IDM to undo this kind of action, though I doubt
    that MAD will tell you who caused the action as much as that it happened,
    and approximately when. My bet, since you have more users on the MAD side
    than the IDM side, is that this is being done by somebody directly in MAD,
    and unless those users are then able to synchronize to IDM they will not
    end up in the IDM group.

    You could catch this right now, detecting these changes on the Publisher
    channel and then seeing if they are new or just the result of MAD's
    loopback. If new, e-mail yourself and investigate the trace, then track
    down how it came up in MAD and resolve the problem there.

    > *Question 3: *Similarly, can we use the "*Merge authority*" option on
    > the filter, set to IDVault, to keep the members in AD the same as in IDM
    > and resync again, or remove any members that were added directly to the
    > AD group?


    Merge authority is great for merges, but this is likely not a merge (note
    that we do not know that, but it seems to be unlikely). You CAN use the
    Filter, though, and set the Publisher channel for this attribute to Reset.
    Hopefully that works like I hope it will, since MAD is not smart enough
    to know which user made which changes with the API Microsoft provides for
    synchronization, and therefore all changes that go to MAD from IDM loop
    back on the Publisher channel (into IDM), usually to be optimized out as
    redundant; if the IDM engine resets this attribute value there, and that
    then loops back, you can see a loop may result, though I do not think that
    is how it will work. For cleanup, though, see Console 2 (mentioned above).

    --
    Good luck.

  • On 12.04.19 23:54, dkdng wrote:
    >
    > Hi,
    >
    > We have IDM 4.7 on a Linux server. We have 1000 dynamic groups which
    > add members based on a given condition/query. We have corresponding
    > static groups that are associated to equivalent groups in Active
    > Directory.
    >
    > The members from the dynamic groups are added to the static groups
    > using a Loopback driver.
    >
    > The process is described below:
    > 1. Members are added to the dynamic group based on the query condition.
    > 2. The Loopback driver detects the event and then adds the newly added
    > users from the dynamic group to its equivalent static group.
    > 3. The group member add event (in IDM) is then picked up by the Active
    > Directory driver, which then adds the user to the AD group that is
    > associated.
    >
    > Somehow, we see that the members of the static group in IDM do not
    > match the members of the AD group.
    > Example: *Group-abc* in IDM has 10 members, but the group *Group-abc* in
    > AD has around 100 members.
    >
    > It's happening not only for one group but for several groups.
    >
    > Solution: we want to fix this issue so that the members in AD are kept
    > the same as in IDM.
    >
    > *Question 1: *How can this be fixed?
    >
    > There is the Migrate from IDVault option on the subscriber driver to
    > sync/resync an object to the application (in this case AD).
    > Can we use this option and select a group in IDM, so that the members
    > will be synced to AD to have equivalent members...
    >
    > Does this option work in the above-mentioned manner?
    >
    > Please let us know if there's any other option.
    >
    > *Question 2: *Also, please let us know if we can track/identify from AD
    > whether members were added manually and by whom, using some driver
    > policy/rule on the publisher channel of the AD driver.
    >
    > *Question 3: *Similarly, can we use the "*Merge authority*" option on
    > the filter, set to IDVault, to keep the members in AD the same as in IDM
    > and resync again, or remove any members that were added directly to the
    > AD group?
    >
    >
    > Thanks in advance.
    >
    > best regards,
    > dk
    >
    >


    Many years ago we looked at a similar problem, not quite the same; we
    needed the group membership to be on the users instead of a static group
    (membership as pointing to the dynamic group).

    The construct was different, but in general terms the loopback driver
    which was responsible for assigning group membership (dynamic --> static)
    used the LDAP query in the dynamic group to verify if the user should be
    a member of the group.

    As a possible one-off, you could build a construct which runs through all
    the users and verifies if they need to be a member or not. Or you can run
    through all the groups, read out all the members and assign/remove
    members from the static groups.


    Casper

  • dkdng;2498302 wrote:
    Hi,

    We have IDM 4.7 on a Linux server. We have 1000 dynamic groups which add members based on a given condition/query. We have corresponding static groups that are associated to equivalent groups in Active Directory.

    The members from the dynamic groups are added to the static groups using a Loopback driver.

    The process is described below:
    1. Members are added to the dynamic group based on the query condition.
    2. The Loopback driver detects the event and then adds the newly added users from the dynamic group to its equivalent static group.
    3. The group member add event (in IDM) is then picked up by the Active Directory driver, which then adds the user to the AD group that is associated.

    Somehow, we see that the members of the static group in IDM do not match the members of the AD group.
    Example: Group-abc in IDM has 10 members, but the group Group-abc in AD has around 100 members.

    It's happening not only for one group but for several groups.

    Solution: we want to fix this issue so that the members in AD are kept the same as in IDM.

    Question 1: How can this be fixed?

    There is the Migrate from IDVault option on the subscriber driver to sync/resync an object to the application (in this case AD).
    Can we use this option and select a group in IDM, so that the members will be synced to AD to have equivalent members...

    Does this option work in the above-mentioned manner?

    Please let us know if there's any other option.

    Question 2: Also, please let us know if we can track/identify from AD whether members were added manually and by whom, using some driver policy/rule on the publisher channel of the AD driver.

    Question 3: Similarly, can we use the "Merge authority" option on the filter, set to IDVault, to keep the members in AD the same as in IDM and resync again, or remove any members that were added directly to the AD group?


    Thanks in advance.

    best regards,
    dk


    I suspect there is more than one problem here. There may be technical problems, but I have to first question the stated design.


    1. Members are added to dynamic group based on the query condition.


    Members are not, ever, added to a dynamic group based on the group's query condition. The dynamic group functions as a canned LDAP query, returning "members" whenever you ask it what the membership is, based on the query.


    2. Loop back driver detects the event and then it adds the newly added users from dynamic group to its equivalent static group.


    Since #1 is not the case, there is no event here to act on. This makes me suspect that your problem is one of design. Your dynamic group membership isn't changing, so your static group membership no longer matches, because this driver sees no events to process. You'd have to have it configured to run from a scheduled polling job or something similar.


    3. The group member (in IDM) add event is then picked up by Active Directory driver and then adds the user to group in AD group which associated


    This part is straightforward and probably working fine.


    I'd start here with the first item. Get your dynamic / static group memberships in the Vault working correctly. If not working, get a trace of the loopback driver and figure out why not.

    Then look at the vault to MAD events. Again, get a trace, see what's changing or not changing, and whether or not it should be.
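Two points from the thread lend themselves to a worked example: Casper's suggestion of a one-off job that re-evaluates the dynamic group's LDAP query over all users and assigns/removes static-group members, and the last reply's point that a dynamic group is a canned query with no member-add events. The Python below is an added example, not code from the thread, from any poster, or from the IDM product. It assumes the Identity Vault users, the static group, the AD group and the vault-to-AD mapping have already been read into plain dicts and sets (constructed sample data is embedded; a real run would fill them from LDAP searches and the AD driver's association values), and it assumes the dynamic group's query is a filter in the small RFC 4515 subset the parser handles. It replays the dynamic group's filter, computes what the static group and the AD group should contain, and separates AD members that map to no vault user at all, which is the set worth investigating rather than silently removing.

```python
# Added example (not from the thread or the IDM product). Assumes directory
# data already read into plain dicts (constructed samples below); a real run
# would fill them from LDAP searches and the AD driver's association values.

def parse_filter(text):
    """Parse a subset of RFC 4515 filters ((&..), (|..), (!..), (a=v), (a=*))
    into a tuple tree; enough for the filter part of a dynamic group's query."""
    def node(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|!":
            children, i = [], i + 2
            while i < len(text) and text[i] == "(":
                child, i = node(i)
                children.append(child)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return (op, children), i + 1
        end = text.index(")", i)
        attr, _, value = text[i + 1:end].partition("=")
        return ("=", attr.strip().lower(), value.strip()), end + 1

    tree, i = node(0)
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (lower-cased attr -> values)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def evaluate_dynamic_group(member_query, users):
    """Replay the dynamic group: the user DNs its filter matches right now.
    Nothing is 'added' to a dynamic group; membership is computed on read,
    so a driver waiting for member-add events on it never sees one."""
    tree = parse_filter(member_query)
    return {dn for dn, attrs in users.items()
            if matches(tree, {k.lower(): v for k, v in attrs.items()})}


def reconcile(expected, actual):
    """Return (to_add, to_remove) that make `actual` equal to `expected`."""
    return sorted(expected - actual), sorted(actual - expected)


# ---- constructed sample data, not taken from any real directory ----------
def _user(dept, status):
    return {"objectClass": ["inetOrgPerson"], "ou": [dept],
            "employeeStatus": [status]}

MEMBER_QUERY = "(&(objectClass=inetOrgPerson)(ou=Finance)(!(employeeStatus=Inactive)))"
USERS = {  # Identity Vault users
    "cn=alice,ou=users,o=vault": _user("Finance", "Active"),
    "cn=bob,ou=users,o=vault": _user("Finance", "Inactive"),
    "cn=carol,ou=users,o=vault": _user("Engineering", "Active"),
    "cn=dave,ou=users,o=vault": _user("Finance", "Active"),
}
# Static mirror in the vault, stale because the loopback driver saw no events
STATIC_GROUP_MEMBERS = {"cn=alice,ou=users,o=vault", "cn=bob,ou=users,o=vault"}
# Vault DN -> AD DN, as the AD driver's associations would supply it
ASSOCIATIONS = {dn: f"CN={dn[3:dn.index(',')]},OU=Users,DC=example,DC=com"
                for dn in USERS}
# AD group: 'mallory' was added directly in AD and never came through IDM
AD_GROUP_MEMBERS = {ASSOCIATIONS["cn=alice,ou=users,o=vault"],
                    ASSOCIATIONS["cn=bob,ou=users,o=vault"],
                    "CN=mallory,OU=Users,DC=example,DC=com"}


def drift_report(member_query=MEMBER_QUERY, users=USERS,
                 static_members=STATIC_GROUP_MEMBERS,
                 associations=ASSOCIATIONS, ad_members=AD_GROUP_MEMBERS):
    """Compare the three views and return the corrections each one needs."""
    expected_vault = evaluate_dynamic_group(member_query, users)
    expected_ad = {associations[dn] for dn in expected_vault if dn in associations}
    vault_add, vault_remove = reconcile(expected_vault, static_members)
    ad_add, ad_remove = reconcile(expected_ad, ad_members)
    # AD members that map to no vault user were put there outside IDM; they
    # are the ones to investigate (the thread's Question 2), not just remove.
    unmanaged = sorted(m for m in ad_remove if m not in associations.values())
    return {"static_group": {"add": vault_add, "remove": vault_remove},
            "ad_group": {"add": ad_add, "remove": ad_remove},
            "ad_members_not_from_idm": unmanaged}


if __name__ == "__main__":
    import json
    print(json.dumps(drift_report(), indent=2))
```

Run as a script it prints the report for the sample data: `dave` must be added to and `bob` removed from the static group, and in AD `bob` and `mallory` are surplus, with `mallory` flagged separately because no vault user is associated with that DN. Scheduling this kind of re-evaluation (rather than waiting for events that a dynamic group never emits) is the polling job the last reply refers to; the surplus-in-AD list is the input for the Publisher-channel investigation the first reply suggests.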