Configure NetIQ Access Governance to process AD nested group

Configure NetIQ Access Governance to process AD nested group

1. Introduction



NetIQ Access Governance (SailPoint IIQ 7) does not support aggregation of nested groups Out of the Box (OOTB). However, there is a way to process nested groups by writing custom bean-shell code (java based scripting language) in “Group Aggregation Refresh Rule”.

I have explained the steps to process nested groups using Active Directory Group Aggregation task.

2. Business Requirement / Use cases



Let’s assume you have following AD Group hierarchy:

  1. Group1 has following members


  2. (i) User1
    (ii) User2
    (iii) Group2
    (iv) Group3

  3. Group2 has following members


  4. (i) User3
    (ii) User4

  5. Group3 has following members


  6. (i) User5
    (ii) User6


Now, business wants to look at Group1 and would like to see all users (User 1 to User6) as members of Group1.

3. Understand the Data Structure / SailPoint Object Model



Download a copy of IdentityIQ Object Model and Usage PDF file from the following link:
https://community.sailpoint.com/docs/DOC-7780

3.1  Identity Cube Object



NetIQ Access Governance stores Identity cube object as XML format. You can look for Identity cube XML by going to debug page or executing the get Identity <IdentityName> command from the console.

<Exceptions> element contains all entitlement related (i.e. group information in case of AD application) information under <EntitlementGroup> sub-element.

3.2  Link Object



Access Governance creates Link object for each application account for an Identity. Link Object contains all application-specific attribute values defined in schema section of the application definition.

3.3  ManagedAttribute Object



ManagedAttribute Object gets created for each and every entitlement. For example, there will be n number of ManagedAttribute objects for n number of AD groups.

ManagedAttribute objects are getting created and updated by group refresh task. In this solution, I have written an AccountGroupRefresh rule which will process nested groups and add member entry into <ManagedAttribute> element created for parent group (i.e. Group1 in my example).

4. Process Nested Group



4.1  Active Directory Application Schema



Add member attribute in the Active Directory group schema. This attribute will maintain the hierarchy of the Groups.



4.2  Develop AccountGroupRefresh Rule



An AccountGroupRefresh rule runs during an Account Group Aggregation task. It allows custom manipulation of account group attributes while the account group is being refreshed (on both create and update).

AccountGroupRefresh has following arguments available along with common arguments.



Download the Rule from here: AccountGroupRefreshRule-ProcessNestedGroup

The given rule will execute following steps:


    (i) Process each group and find get the members of the group

    (ii) If all the members of the group is a group object, process further, otherwise ignore

    (iii) Get the ManagedAttribute object of the member group identified in step (ii)

    (iv) Find all members from ManagedAttribute (i.e. all members of group identified in step (ii) )

    (v) Loop through all members (identified in step (iv)) and get the Link Object created for Active Directory Application for the User/Member

    (vi) Extract the Link Object and get the memberOf attribute and add the Processing Group (if it is not already added)

    (vii) Save the Link Object

    (viii) Add group members (identified in step (iv)) into accountGroup object and this rule these will add these members into ManagedAttribute object automatically.


Here is the logical flow of the code:


DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
1 of 1
Last update:
‎2018-01-31 23:32
Updated by:
 
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.