Configure NetIQ Access Governance to process AD nested group


1. Introduction

NetIQ Access Governance (SailPoint IIQ 7) does not support aggregation of nested groups Out of the Box (OOTB). However, there is a way to process nested groups by writing custom bean-shell code (java based scripting language) in “Group Aggregation Refresh Rule”.

I have explained the steps to process nested groups using Active Directory Group Aggregation task.

2. Business Requirement / Use cases

Let’s assume you have following AD Group hierarchy:

  1. Group1 has following members

(i) User1
(ii) User2
(iii) Group2
(iv) Group3

  • Group2 has following members

(i) User3
(ii) User4

  • Group3 has following members

(i) User5
(ii) User6

Now, business wants to look at Group1 and would like to see all users (User 1 to User6) as members of Group1.

3. Understand the Data Structure / SailPoint Object Model

Download a copy of IdentityIQ Object Model and Usage PDF file from the following link:

3.1  Identity Cube Object

NetIQ Access Governance stores Identity cube object as XML format. You can look for Identity cube XML by going to debug page or executing the get Identity <IdentityName> command from the console.

<Exceptions> element contains all entitlement related (i.e. group information in case of AD application) information under <EntitlementGroup> sub-element.

3.2  Link Object

Access Governance creates Link object for each application account for an Identity. Link Object contains all application-specific attribute values defined in schema section of the application definition.

3.3  ManagedAttribute Object

ManagedAttribute Object gets created for each and every entitlement. For example, there will be n number of ManagedAttribute objects for n number of AD groups.

ManagedAttribute objects are getting created and updated by group refresh task. In this solution, I have written an AccountGroupRefresh rule which will process nested groups and add member entry into <ManagedAttribute> element created for parent group (i.e. Group1 in my example).

4. Process Nested Group

4.1  Active Directory Application Schema

Add member attribute in the Active Directory group schema. This attribute will maintain the hierarchy of the Groups.

4.2  Develop AccountGroupRefresh Rule

An AccountGroupRefresh rule runs during an Account Group Aggregation task. It allows custom manipulation of account group attributes while the account group is being refreshed (on both create and update).

AccountGroupRefresh has following arguments available along with common arguments.

Download the Rule from here: AccountGroupRefreshRule-ProcessNestedGroup

The given rule will execute following steps:

    (i) Process each group and find get the members of the group

    (ii) If all the members of the group is a group object, process further, otherwise ignore

    (iii) Get the ManagedAttribute object of the member group identified in step (ii)

    (iv) Find all members from ManagedAttribute (i.e. all members of group identified in step (ii) )

    (v) Loop through all members (identified in step (iv)) and get the Link Object created for Active Directory Application for the User/Member

    (vi) Extract the Link Object and get the memberOf attribute and add the Processing Group (if it is not already added)

    (vii) Save the Link Object

    (viii) Add group members (identified in step (iv)) into accountGroup object and this rule these will add these members into ManagedAttribute object automatically.

Here is the logical flow of the code:


New Release-Feature
Comment List
Related Discussions