Idea ID: 2872644

AD Access Reviews using the AD group owner as the Reviewer

Status : New Idea

Review AD groups using the group owner as the reviewer:

Allow a review to use a custom attribute as the reviewer; in this case, it will be the managedBy attribute.

In this use case, we need to review AD group permissions, and the reviewers should be the AD group owners, which are represented by the managedBy attribute.

Could you please provide a review that allows performing the use case above?


Access Review and Certification
  • We use this mapping and ECMA script to populate the permission owner from the AD managedBy attribute.  

    We have AD groups that do not have an owner defined, so we had to put the input attribute in the collector attribute mapping in quotes and brackets; otherwise a null input value would not be processed by the ECMA script. For AD groups without an owner, we decided to assign a default owner.

    It uses the 'AD Account DN' attribute (the 'distinguishedName', which is also used in the ECMA script to assign the default owner).

    Script Name:
    Populate Permission Owner from AD ManagedBy
    Collects the AD group owner as the permission owner, and uses a dedicated user when the source value is blank/null.

    /* start of generated script to extract variables from inputValue */
    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */

    var vals = {};

    // inputValue is string, we need to parse it to convert it into a javascript object
    var inputValueParsed = JSON.parse(inputValue);

    vals.managedBy = inputValueParsed.managedBy ? inputValueParsed.managedBy : 'CN=John Doe,OU=Accounts,DC=corp,DC=net'; /* value for managedBy */

    // enable debug logging by uncommenting the lines below

    //var logger = org.slf4j.LoggerFactory.getLogger("debug");
    //logger.info("inputValue is: " + JSON.stringify(inputValue));
    //logger.info("extracted vals are " + JSON.stringify(vals));

    /* NOTE: any code inserted within this block will get overridden if inputs are regenerated */
    /* end of generated script */
    outputValue = vals.managedBy;

  • This is supported by the product. When you collect data from AD, specifically using a permission collector, you will configure it to collect those groups and use the managedBy attribute mapped into the permission owner field in IG. When you use the permission owner field, then you are able to configure the reviewer to be dynamically based on the permission owner.

    Note that with managedBy, in its mapping to permission owner, you need to help IG translate the AD DN value that AD uses to store managedBy into one of the values on the Identity Objects in IG. That is to say, in your identity collector where you build identities, you will need to ensure you are including an attribute that is the AD DN of that identity. This will facilitate mapping back to the AD group's managedBy. This is easy if your identity source is AD. This is pretty easy if you have NetIQ IDM in place and sync to AD. This might be more difficult if your identity source doesn't have those AD DNs. Another option might be to transform the DN to reduce it to just the user's shortname; perhaps your identities have a field that maps to that.
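As an added stand-alone example (not code from either reply above or from the product): the same managedBy-with-fallback transform written as a function, plus the DN-to-shortname reduction the second reply suggests, handling DNs whose CN contains an escaped comma. Function and constant names and the sample DNs are assumptions; in IG the script reads the global inputValue and assigns outputValue instead of taking and returning values.

```javascript
// Constructed default owner DN for groups whose managedBy is blank/null.
var DEFAULT_OWNER_DN = 'CN=Default Owner,OU=Accounts,DC=corp,DC=net';

// Reduce a DN such as "CN=Doe\, John,OU=Accounts,DC=corp,DC=net" to its
// leading CN value ("Doe, John"). Backslash-escaped characters are kept
// literally so an escaped comma does not end the RDN early. Returns null
// when the DN does not start with CN=.
function dnToShortName(dn) {
  var eq = dn.indexOf('=');
  if (eq < 0 || dn.slice(0, eq).trim().toUpperCase() !== 'CN') return null;
  var value = '';
  for (var i = eq + 1; i < dn.length; i++) {
    var ch = dn.charAt(i);
    if (ch === '\\' && i + 1 < dn.length) {
      value += dn.charAt(++i);        // escaped char: take the next one as-is
    } else if (ch === ',') {
      break;                          // unescaped comma ends the first RDN
    } else {
      value += ch;
    }
  }
  return value.trim();
}

// Equivalent of the posted script: inputValue is the JSON string the collector
// mapping hands to the script. A missing, empty or unparseable managedBy falls
// back to DEFAULT_OWNER_DN. With shortName=true the DN is reduced to its CN
// value, for identity sources that carry a short name rather than the AD DN.
function mapPermissionOwner(inputValue, shortName) {
  var parsed;
  try {
    parsed = JSON.parse(inputValue);
  } catch (e) {
    parsed = {};                      // treat bad input like a blank owner
  }
  var owner = (parsed && typeof parsed.managedBy === 'string' && parsed.managedBy.trim())
    ? parsed.managedBy.trim()
    : DEFAULT_OWNER_DN;
  if (!shortName) return owner;
  return dnToShortName(owner) || owner;
}
```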