
Weird or Wrong AD Permission Collection


I am running a freshly installed Identity Governance 3.7.

I have also configured the AD Account Collector (3.6.2) and the Permission Collector. The AD Permission Collector is using the default "Collect Permission", with the Permission-User Mapping changed to Account ID from Source.

The Identity Collector is based on a CSV file.

I can collect the AD Accounts and view the Permissions.

From the Identity perspective, it lists all the direct AD memberships and accounts:

AD Account: Keng

AD Permission: AllStaff, InternetBrowsing, ITSupport

The ITSupport group is a member of Domain Admins.

The weird thing is that when I access the Domain Admins permission (Catalog > Permission > Domain Admins),

it only shows 1 Holder and 1 Permission Relationship (ITSecurity).

In AD, when I check Domain Admins, it has 10+ direct members and 5 groups, whereby ITSupport and ITSecurity are among the groups.

(i) The Holders show the Identity, not the Accounts (is that how it is supposed to be?). Of the 10+, I would say 7 members are mapped to Identities, and the rest are not.

(ii) What could have gone wrong here?

(iii) Is the default "Collect Permission" not enough?



  • Greetings,
    A bit more information is needed to investigate.

    1) In the AD Permission Collector:
    a) Are you only utilizing the Collect Permission view? That is, none of the other views (Collect Permission to Holder, Collect Holder to Permission, Collect Permission hierarchy based on parent to child, or Collect Permission hierarchy based on child to parent) are configured and enabled?

    2) You outline that there are 10+ users directly assigned to Domain Admins, but you only see 1 in the ID Gov catalog. If you look at any of the other 9+ users not listed on this permission in ID Gov, do they have the permissions (groups) assigned that you see in AD?

    It could be that the Account-to-User mapping is not right for these others; from the Permission view we only show "Identities". We do not show Accounts as holders here. You would need to look at the accounts.

    Another possibility is that the Accounts are not within scope of your Account Collector. Without the Account, it is not possible to make the necessary holder relationship Permission -> Account -> Identity based upon your configuration (Permission-User Mapping to Account ID from Source).

    Or, the missing holders of the permission were not provided by the Identity Collector.

    Steven Williams
    Principal Enterprise Architect
    Micro Focus
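The reply above describes the holder chain Permission -> Account -> Identity and three places where it can break. The following added example (not from this thread and not Identity Governance code) walks that chain over constructed sample data and reports, for each direct AD member of a group, why it would not appear as a holder; the account ids, identity names and group members are all made up for the illustration.

```python
# Added example: models the Permission -> Account -> Identity resolution the reply
# describes, using constructed data. It is not Identity Governance's own logic.

# Constructed sample: direct members of the Domain Admins group as read from AD.
# User members and nested group members are kept apart, as in the original question.
AD_GROUP_MEMBERS = {
    "Domain Admins": {
        "users": ["keng", "alice", "bob", "svc_backup"],
        "groups": ["ITSupport", "ITSecurity"],
    },
}

# Constructed sample: account ids the AD Account Collector brought into scope.
# "bob" exists in AD but lies outside the collector's scope.
COLLECTED_ACCOUNTS = {"keng", "alice", "svc_backup"}

# Constructed sample: identities from the CSV Identity Collector, keyed by the
# account id (the "Account ID from Source" mapping). "svc_backup" has no identity.
IDENTITY_BY_ACCOUNT = {"keng": "Keng Tan", "alice": "Alice Ng"}


def resolve_holders(permission, group_members, collected_accounts, identity_by_account):
    """Return (holders, missing, nested_groups).

    holders       -- identities that would be listed as holders of the permission
    missing       -- direct user members that resolve to no identity, with the
                     stage of the chain where the resolution failed
    nested_groups -- group members, which are permission relationships, not holders
    """
    holders = set()
    missing = {}
    for account in group_members[permission]["users"]:
        if account not in collected_accounts:
            missing[account] = "account not collected (outside Account Collector scope)"
        elif account not in identity_by_account:
            missing[account] = "account collected but not mapped to an identity"
        else:
            holders.add(identity_by_account[account])
    return holders, missing, list(group_members[permission]["groups"])


if __name__ == "__main__":
    holders, missing, nested = resolve_holders(
        "Domain Admins", AD_GROUP_MEMBERS, COLLECTED_ACCOUNTS, IDENTITY_BY_ACCOUNT)
    print("Holders (identities):", sorted(holders))
    print("Nested group relationships:", nested)
    for account, reason in missing.items():
        print(f"AD member {account!r} not shown as holder: {reason}")
```

Replacing the constructed dictionaries with an export of the real group membership, the collected accounts and the identity CSV gives a quick per-member answer to the reply's question of which stage of the chain is missing.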