Configure NetIQ Access Governance to process AD nested group
NetIQ Access Governance (SailPoint IIQ 7) does not support aggregation of nested groups Out of the Box (OOTB). However, there is a way to process nested groups by writing custom bean-shell code (java based scripting language) in “Group Aggregation Refresh Rule”.
I have explained the steps to process nested groups using Active Directory Group Aggregation task.
2. Business Requirement / Use cases
Let’s assume you have following AD Group hierarchy:
- Group1 has following members
- Group2 has following members
- Group3 has following members
Now, business wants to look at Group1 and would like to see all users (User 1 to User6) as members of Group1.
3. Understand the Data Structure / SailPoint Object Model
Download a copy of IdentityIQ Object Model and Usage PDF file from the following link:
3.1 Identity Cube Object
NetIQ Access Governance stores Identity cube object as XML format. You can look for Identity cube XML by going to debug page or executing the get Identity <IdentityName> command from the console.
<Exceptions> element contains all entitlement related (i.e. group information in case of AD application) information under <EntitlementGroup> sub-element.
3.2 Link Object
Access Governance creates Link object for each application account for an Identity. Link Object contains all application-specific attribute values defined in schema section of the application definition.
3.3 ManagedAttribute Object
ManagedAttribute Object gets created for each and every entitlement. For example, there will be n number of ManagedAttribute objects for n number of AD groups.
ManagedAttribute objects are getting created and updated by group refresh task. In this solution, I have written an AccountGroupRefresh rule which will process nested groups and add member entry into <ManagedAttribute> element created for parent group (i.e. Group1 in my example).
4. Process Nested Group
4.1 Active Directory Application Schema
Add member attribute in the Active Directory group schema. This attribute will maintain the hierarchy of the Groups.
4.2 Develop AccountGroupRefresh Rule
An AccountGroupRefresh rule runs during an Account Group Aggregation task. It allows custom manipulation of account group attributes while the account group is being refreshed (on both create and update).
AccountGroupRefresh has following arguments available along with common arguments.
Download the Rule from here: AccountGroupRefreshRule-ProcessNestedGroup
The given rule will execute following steps:
(i) Process each group and find get the members of the group
(ii) If all the members of the group is a group object, process further, otherwise ignore
(iii) Get the ManagedAttribute object of the member group identified in step (ii)
(iv) Find all members from ManagedAttribute (i.e. all members of group identified in step (ii) )
(v) Loop through all members (identified in step (iv)) and get the Link Object created for Active Directory Application for the User/Member
(vi) Extract the Link Object and get the memberOf attribute and add the Processing Group (if it is not already added)
(vii) Save the Link Object
(viii) Add group members (identified in step (iv)) into accountGroup object and this rule these will add these members into ManagedAttribute object automatically.
Here is the logical flow of the code: