Anonymous_User Absent Member.

Groupmembership & nested group in null service Driver


Hi,

We use a null service driver to calculate and fill a custom attribute
when the group membership of a user changes.

The trouble is that changes in nested groups are not detected by the
driver, and our rules aren't run.

"User1" is a member of "GroupA". When I add "GroupA" to "GroupZ",
I see in iManager that the group membership of User1 contains "GroupA" and
"GroupZ". But the null service driver doesn't see that change (the filter
is configured to notify on changes of group membership for the user).

I tried the "Revert to calculated membership value behavior" option, but
with no success.

What can I do to make this work right?

Thanks for your support.


--
it_contrats_at_evam_ch
Knowledge Partner

Re: Groupmembership & nested group in null service Driver

it contrats at evam ch wrote:

> We use a null service driver to calculate and fill a custom attribute
> when the group membership of a user changes.
>
> The trouble is that changes in nested groups are not detected by the
> driver, and our rules aren't run.
>
> I tried the "Revert to calculated membership value behavior" option, but
> with no success.


This setting only affects reading group memberships off a group/user from
policy. It does not trigger event creation from nested memberships, as you
already found out.

> What can I do to make this work right?


You need to move from an event-triggered to a scheduled sync approach, e.g. add
a trigger job to your null driver that produces one trigger operation per
group/user you need to update and check their members/memberships from policy.
To detect membership changes you could assign the group's member attribute to a
nodeset variable, serialize it as XML, then calculate a hash value. Store it on
the group object and compare subsequent runs against the stored value: if it is
different, update your custom attribute.

--
http://www.is4it.de/en/solution/identity-access-management/
______________________________________________
https://www.is4it.de/identity-access-management
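
The fingerprint-and-compare run described in the reply above, as an added example that is not part of the original posts: it is stand-alone Node.js rather than DirXML policy, and it assumes SHA-256 as the hash, JSON instead of XML serialization, lower-case DNs as keys, and constructed sample DNs. It goes one step beyond the reply by expanding nested groups to list the users whose custom attribute needs recalculating.

```javascript
const crypto = require('crypto');

// Hash a group's member values in canonical form (lower-cased, de-duplicated,
// sorted) so that value order or DN case alone never looks like a change.
function fingerprint(members) {
  const canon = [...new Set(members.map(dn => dn.trim().toLowerCase()))].sort();
  return crypto.createHash('sha256').update(JSON.stringify(canon)).digest('hex');
}

// Expand nested groups into effective user DNs; `seen` stops group cycles.
function effectiveUsers(groupDn, directory, seen = new Set()) {
  const users = new Set();
  if (seen.has(groupDn)) return users;
  seen.add(groupDn);
  for (const m of directory[groupDn] || []) {
    if (m in directory) effectiveUsers(m, directory, seen).forEach(u => users.add(u));
    else users.add(m);
  }
  return users;
}

// One scheduled run: compare each group's fingerprint with the stored value,
// update the store, and collect the users whose attribute must be recalculated.
function scheduledRun(directory, stored) {
  const changedGroups = [];
  const usersToUpdate = new Set();
  for (const dn of Object.keys(directory)) {
    const fp = fingerprint(directory[dn]);
    if (stored[dn] === fp) continue;
    stored[dn] = fp;
    changedGroups.push(dn);
    effectiveUsers(dn, directory).forEach(u => usersToUpdate.add(u));
  }
  return { changedGroups: changedGroups.sort(), usersToUpdate: [...usersToUpdate].sort() };
}

// Constructed sample: DNs are made up; keys are group DNs, values their members.
function demo() {
  const directory = {
    'cn=groupa,o=org': ['cn=user1,o=org'],
    'cn=groupz,o=org': ['cn=user9,o=org'],
  };
  const stored = {};
  scheduledRun(directory, stored);               // first run seeds the fingerprints
  directory['cn=groupz,o=org'].push('cn=groupa,o=org'); // nest GroupA in GroupZ
  return scheduledRun(directory, stored);
}
```

When a member is removed, the users who lost the membership are no longer reachable from the current member list, so a real job would also need the previous list (or a full recalculation) to find them.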
Knowledge Partner

Re: Groupmembership & nested group in null service Driver

lhaeger;2420060 wrote:
it contrats at evam ch wrote:

> We use a null service driver to calculate and fill a custom attribute
> when the group membership of a user changes.
>
> The trouble is that changes in nested groups are not detected by the
> driver, and our rules aren't run.
>
> I tried the "Revert to calculated membership value behavior" option, but
> with no success.


This setting only affects reading group memberships off a group/user from
policy. It does not trigger event creation from nested memberships, as you
already found out.

> What can I do to make this work right?


You need to move from an event-triggered to a scheduled sync approach, e.g. add
a trigger job to your null driver that produces one trigger operation per
group/user you need to update and check their members/memberships from policy.
To detect membership changes you could assign the group's member attribute to a
nodeset variable, serialize it as XML, then calculate a hash value. Store it on
the group object and compare subsequent runs against the stored value: if it is
different, update your custom attribute.

--
http://www.is4it.de/en/solution/identity-access-management/


Lothar's approach will work, but potentially you will have a "grey period" between scheduled syncs, when group membership will be wrong (Real time VS Scheduler, IDM VS FIM).
If you have any attributes that are involved in your group recalculation logic, you can set the Notify filter on these attributes.
In this way you will never miss the time for group membership recalculation. 🙂

Alex