Group membership & nested group in Null Service Driver


Hi,

we use a Null Service driver to calculate and fill a custom attribute
when the group membership of a user changes.

The trouble is that changes in nested groups are not detected by the
driver, and our rules aren't run.

"User1" is a member of "GroupA". When I add "GroupA" to "GroupZ",
I see in iManager that the group membership of User1 contains "GroupA" and
"GroupZ". But the Null Service driver doesn't see that change (the filter
is configured to notify on changes to the user's group membership).

I tried the "Revert to calculated membership value behavior" option, but
with no success.

What can I do to make this work right?

Thanks for your support.


--
it_contrats_at_evam_ch
------------------------------------------------------------------------
it_contrats_at_evam_ch's Profile: https://forums.netiq.com/member.php?userid=9850
View this thread: https://forums.netiq.com/showthread.php?t=55374

  • it contrats at evam ch wrote:

    > we use a Null Service driver to calculate and fill a custom attribute
    > when the group membership of a user changes.
    >
    > The trouble is that changes in nested groups are not detected by the
    > driver, and our rules aren't run.
    >
    > I tried the "Revert to calculated membership value behavior" option, but
    > with no success.


    This setting only affects reading group memberships off a group/user from
    policy. It does not trigger event creation from nested memberships, as you
    already found out.

    > What can I do to make this work right?


    You need to move from an event-triggered to a scheduled sync approach, e.g. add
    a trigger job to your null driver that produces one trigger operation per
    group/user you need to update and check their members/memberships from policy.
    To detect membership changes you could assign the group's member attribute to a
    nodeset variable, serialize it as XML, then calculate a hash value. Store it on
    the group object and compare subsequent runs against the stored value: if it is
    different, update your custom attribute.

    --
    http://www.is4it.de/en/solution/identity-access-management/
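The stored-hash approach described in the reply above, as an added example in Python; it is not code from the thread or from NetIQ IDM (in a real driver this would be DirXML-Script policy run from the trigger job), and the DNs and the `directory` dictionary are constructed sample data. It goes beyond the reply in two ways: it resolves nested membership transitively (with cycle protection) and hashes from the user's side as well as the group's, because nesting GroupA into GroupZ changes User1's effective membership without touching GroupA's own Member attribute; and it sorts values before serializing, since the order of multivalued attribute values is not guaranteed and an unsorted serialization would report changes that never happened.

```python
import hashlib
from typing import Dict, Iterable, Set, Tuple
from xml.sax.saxutils import escape

# Constructed sample data (not from the thread's system):
# group DN -> direct values of its Member attribute (users or other groups).
Directory = Dict[str, Set[str]]


def effective_members(group_dn: str, directory: Directory) -> Set[str]:
    """Transitive membership of a group: expand nested groups, skip cycles."""
    result: Set[str] = set()
    visited = {group_dn}
    stack = [group_dn]
    while stack:
        current = stack.pop()
        for value in directory.get(current, set()):
            if value in directory:  # the value is itself a group: descend once
                if value not in visited:
                    visited.add(value)
                    stack.append(value)
            else:
                result.add(value)
    return result


def effective_groups_of_user(user_dn: str, directory: Directory) -> Set[str]:
    """All groups a user belongs to directly or through nesting, cycle-safe."""
    result: Set[str] = set()
    stack = [g for g, members in directory.items() if user_dn in members]
    while stack:
        group = stack.pop()
        if group in result:
            continue
        result.add(group)
        # walk upwards: every group that lists this group as a member
        stack.extend(p for p, members in directory.items() if group in members)
    return result


def serialize_nodeset(values: Iterable[str]) -> str:
    """XML serialization of a nodeset, sorted so value order cannot alter the hash."""
    body = "".join(f"<value>{escape(v)}</value>" for v in sorted(values))
    return f"<nodeset>{body}</nodeset>"


def membership_hash(values: Iterable[str]) -> str:
    return hashlib.sha256(serialize_nodeset(values).encode("utf-8")).hexdigest()


def scheduled_check(key: str, values: Iterable[str], stored: Dict[str, str]) -> bool:
    """One trigger-job run for one object. Returns True when the stored hash is
    absent or differs, i.e. the custom attribute must be recalculated; the new
    hash is stored in place of the old one (the 'hash attribute' on the object)."""
    current = membership_hash(values)
    if stored.get(key) == current:
        return False
    stored[key] = current
    return True


def demo() -> Tuple[bool, bool, bool]:
    """Replay the thread's scenario over three scheduled runs."""
    user = "cn=User1,ou=users,o=org"
    group_a = "cn=GroupA,ou=groups,o=org"
    group_z = "cn=GroupZ,ou=groups,o=org"
    directory: Directory = {group_a: {user}, group_z: set()}
    stored: Dict[str, str] = {}

    first = scheduled_check(user, effective_groups_of_user(user, directory), stored)
    directory[group_z].add(group_a)  # nest GroupA into GroupZ between runs
    second = scheduled_check(user, effective_groups_of_user(user, directory), stored)
    third = scheduled_check(user, effective_groups_of_user(user, directory), stored)
    return first, second, third  # (True, True, False)


if __name__ == "__main__":
    print(demo())
```

The first run reports a change simply because no hash is stored yet, which is the behaviour you want on initial deployment; hashing only the group's direct Member values, as the reply suggests, would have missed the second run's change for User1, so hash whichever side your custom attribute is calculated from.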
  • lhaeger;2420060 wrote:
    it contrats at evam ch wrote:

    > we use a Null Service driver to calculate and fill a custom attribute
    > when the group membership of a user changes.
    >
    > The trouble is that changes in nested groups are not detected by the
    > driver, and our rules aren't run.
    >
    > I tried the "Revert to calculated membership value behavior" option, but
    > with no success.


    This setting only affects reading group memberships off a group/user from
    policy. It does not trigger event creation from nested memberships, as you
    already found out.

    > What can I do to make this work right?


    You need to move from an event-triggered to a scheduled sync approach, e.g. add
    a trigger job to your null driver that produces one trigger operation per
    group/user you need to update and check their members/memberships from policy.
    To detect membership changes you could assign the group's member attribute to a
    nodeset variable, serialize it as XML, then calculate a hash value. Store it on
    the group object and compare subsequent runs against the stored value: if it is
    different, update your custom attribute.

    --
    http://www.is4it.de/en/solution/identity-access-management/


    Lothar's approach will work, but potentially you will have a "grey period" between scheduled syncs, when group membership will be wrong (real time vs. scheduler, IDM vs. FIM).
    If you have any attributes that are involved in your group recalculation logic, you can set a Notify filter on these attributes.
    In this way you will never miss the time for group membership recalculation. :)

    Alex