NetIQ Access Governance (SailPoint IIQ 7) does not support aggregation of nested groups Out of the Box (OOTB). However, nested groups can be processed by writing custom BeanShell code (a Java-based scripting language) in the "Group Aggregation Refresh Rule".
This article explains the steps to process nested groups using the Active Directory Group Aggregation task.
2. Business Requirement / Use cases
Let's assume you have the following AD group hierarchy:
Group1 has the following members:
(i) User1 (ii) User2 (iii) Group2 (iv) Group3
Group2 has the following members:
(i) User3 (ii) User4
Group3 has the following members:
(i) User5 (ii) User6
Now the business wants to look at Group1 and see all users (User1 to User6) as members of Group1.
3. Understand the Data Structure / SailPoint Object Model
NetIQ Access Governance stores the Identity cube object in XML format. You can view the Identity cube XML from the debug page or by executing the get Identity <IdentityName> command from the console.
The <Exceptions> element contains all entitlement-related information (i.e. group information in the case of an AD application) under the <EntitlementGroup> sub-element.
3.2 Link Object
Access Governance creates a Link object for each application account of an Identity. The Link object contains all application-specific attribute values defined in the schema section of the application definition.
3.3 ManagedAttribute Object
A ManagedAttribute object is created for each and every entitlement. For example, there will be n ManagedAttribute objects for n AD groups.
ManagedAttribute objects are created and updated by the group refresh task. In this solution, I have written an AccountGroupRefresh rule which processes nested groups and adds member entries into the <ManagedAttribute> element created for the parent group (i.e. Group1 in my example).
4. Process Nested Group
4.1 Active Directory Application Schema
Add the member attribute to the Active Directory group schema. This attribute maintains the hierarchy of the groups.
4.2 Develop AccountGroupRefresh Rule
An AccountGroupRefresh rule runs during an Account Group Aggregation task. It allows custom manipulation of account group attributes while the account group is being refreshed (on both create and update).
The AccountGroupRefresh rule has the following arguments available, in addition to the common arguments.
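The core of such a rule is the membership expansion itself. The following is an added example in plain Java (BeanShell accepts the same syntax), not the article's rule: it assumes the group hierarchy has already been read into a Map from group name to its direct member values (the hypothetical stand-in for the member attribute of each group's ManagedAttribute), and it treats any member that is itself a key in that map as a nested group. The visited set is the caveat worth carrying into the real rule: AD allows circular nesting, and without it the aggregation task recurses forever.

```java
import java.util.*;

// Added example (not the article's rule): flatten nested AD group membership.
// directMembers maps a group name to its direct "member" values (users or
// groups), standing in for the member attribute the article adds to the AD
// group schema. In the real AccountGroupRefresh rule this map would be built
// from the group application's ManagedAttribute objects (hypothetical here).
public class NestedGroupExpander {

    // Returns every user that is a direct or indirect member of the given group.
    // A member is treated as a nested group if it appears as a key in the map
    // (in IIQ terms: a ManagedAttribute exists for it). visitedGroups guards
    // against circular nesting (Group A in Group B in Group A) and against
    // expanding the same group twice when it is reachable by two paths.
    public static Set<String> expandMembers(String group,
                                            Map<String, List<String>> directMembers) {
        Set<String> users = new LinkedHashSet<String>();
        Deque<String> pending = new ArrayDeque<String>();
        Set<String> visitedGroups = new HashSet<String>();
        pending.push(group);
        while (!pending.isEmpty()) {
            String current = pending.pop();
            if (!visitedGroups.add(current)) {
                continue; // already expanded: cycle or diamond, skip it
            }
            List<String> members = directMembers.getOrDefault(current,
                    Collections.<String>emptyList());
            for (String member : members) {
                if (directMembers.containsKey(member)) {
                    pending.push(member); // nested group: expand it later
                } else {
                    users.add(member);    // leaf: a user account
                }
            }
        }
        return users;
    }

    public static void main(String[] args) {
        // Constructed sample matching the article's hierarchy, plus a cycle
        // (Group3 also lists Group1) to show the guard at work.
        Map<String, List<String>> members = new HashMap<String, List<String>>();
        members.put("Group1", Arrays.asList("User1", "User2", "Group2", "Group3"));
        members.put("Group2", Arrays.asList("User3", "User4"));
        members.put("Group3", Arrays.asList("User5", "User6", "Group1"));

        Set<String> all = expandMembers("Group1", members);
        System.out.println("Group1 effective members: " + all);
    }
}
```

In the rule, the resulting set is what gets written as the member entries of the parent group's ManagedAttribute; the expansion for Group1 yields User1 to User6 exactly once each, even though Group3 points back at Group1.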