Idea ID: 2872644

AD Access Reviews using the AD group owner as the Reviewer

Status: New Idea

Review AD Groups using the Group owner as the reviewer:

Allow a review to use a custom attribute; in this case, it will be managedBy as the reviewer.

In this Use Case, we will need to review AD group permissions, and the reviewers should be the AD group owners that are represented by the managedBy attribute.

Could you please provide a review that allows performing the use case above?

Labels:

Access Review and Certification
Comment
  • This is supported by the product. When you collect data from AD, specifically using a permission collector, you will configure it to collect those groups and use the managedBy attribute mapped into the permission owner field in IG. When you use the permission owner field, then you are able to configure the reviewer to be based dynamically on the permission owner.

    Note that with managedBy, in its mapping to permission owner, you need to help IG translate the AD DN value that AD uses to store managedBy into one of the values on the Identity Objects in IG. That is to say, in your identity collector where you build identities, you will need to ensure you are including an attribute that is the AD DN of that identity. This will facilitate mapping back to the AD group's managedBy. This is easy if your identity source is AD. This is pretty easy if you have NetIQ IDM in place and sync to AD. This might be more difficult if your Identity source doesn't have those AD DNs. Another option might be to transform the DN to reduce it to just the user's shortname; perhaps your identities have a field that maps to that.

    --Jim
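One way to implement the DN-to-identity mapping described in the comment above, as an added example that is not NetIQ IG product code: it assumes identities were collected with an `ad_dn` attribute (the AD distinguishedName) and a `shortname` attribute, tries an exact normalized DN match first, then falls back to the shortname transform, and reports groups whose managedBy resolves to no identity so they can be given a default reviewer instead of silently escaping review.

```python
"""Resolve an AD group's managedBy DN to a reviewer identity.
Added example, not NetIQ IG code. Assumes identities carry 'ad_dn'
(the AD distinguishedName) and 'shortname' attributes (assumption)."""
import re

# Constructed sample data: AD groups with managedBy, and collected identities.
GROUPS = [
    {"name": "Finance-Admins", "managedBy": "CN=Doe\\, Jane,OU=Users,DC=example,DC=com"},
    {"name": "HR-Readers", "managedBy": "cn=bob,ou=users,dc=example,dc=com"},
    {"name": "Orphaned", "managedBy": ""},  # no owner set in AD
]
IDENTITIES = [
    {"id": "jdoe", "ad_dn": "CN=Doe\\, Jane,OU=Users,DC=example,DC=com", "shortname": "jdoe"},
    {"id": "bob", "ad_dn": "", "shortname": "bob"},  # identity source lacks the AD DN
]

def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators so DNs compare reliably.
    Only unescaped commas are separators; an escaped '\\,' inside a CN is kept."""
    parts = re.split(r'(?<!\\),', dn)
    return ",".join(p.strip().lower() for p in parts)

def dn_shortname(dn: str) -> str:
    """Fallback transform: reduce a DN to its leading RDN value (e.g. the CN)."""
    first = re.split(r'(?<!\\),', dn, maxsplit=1)[0]
    value = first.split("=", 1)[1] if "=" in first else first
    return value.replace("\\,", ",").strip().lower()

def resolve_owner(managed_by: str, identities):
    """Return the identity that owns the group, or None if it cannot be mapped.
    Exact normalized DN match first, then the shortname fallback."""
    if not managed_by:
        return None
    target = normalize_dn(managed_by)
    for ident in identities:
        if ident.get("ad_dn") and normalize_dn(ident["ad_dn"]) == target:
            return ident
    short = dn_shortname(managed_by)
    for ident in identities:
        if ident.get("shortname", "").lower() == short:
            return ident
    return None

def assign_reviewers(groups, identities):
    """Map each group name to a reviewer id; None marks a group that needs a
    default reviewer, so unowned groups do not drop out of the review."""
    reviewers = {}
    for group in groups:
        owner = resolve_owner(group["managedBy"], identities)
        reviewers[group["name"]] = owner["id"] if owner else None
    return reviewers
```

Matching the leading RDN to a shortname only works if the identity source really stores that value in the mapped field; treat any None result as a finding to route to a fallback reviewer.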

