dkdng

Migrate from IDVault for Group objects to Active Directory

Hi,

We have IDM 4.7 on a Linux server. We have 1000+ dynamic groups which will add members based on a given condition/query. We have corresponding static groups that are associated to equivalent groups in Active Directory.

The members from the dynamic groups are added to the static groups using a Loopback driver.

The process is described below:
1. Members are added to the dynamic group based on the query condition.
2. The Loopback driver detects the event and then adds the newly added users from the dynamic group to its equivalent static group.
3. The group member add event (in IDM) is then picked up by the Active Directory driver, which adds the user to the associated group in AD.

Somehow, we see that the members of the static group in IDM do not match the members of the AD group.
Example: Group-abc in IDM has 10 members, but Group-abc in AD has around 100 members.

It's happening not only for one group but for several groups.

Solution: we want to fix this issue so that the members in AD stay the same as in IDM.

Question 1: How can this be fixed?

There is the Migrate from IDVault option on the subscriber driver to sync/resync an object to the application (in this case AD).
Can we use this option and select a group in IDM, so that the members will be synced to AD to have equivalent members...

Does this option work in the above-mentioned manner?

Please let us know if there's any other option.

Question 2: Also, please let us know if we can track/identify from AD whether members are added manually and by whom, using some driver policy/rule on the publisher channel of the AD driver.

Question 3: Similarly, can we use the "Merge authority" option on the filter, set to IDVault, to keep the members the same from IDM to AD and resync again, or remove any members that are added directly to the AD group?


Thanks in advance.

best regards,
dk
Knowledge Partner

Re: Migrate from IDVault for Group objects to Active Directory

On 04/12/2019 03:54 PM, dkdng wrote:
>
> We have IDM 4.7 on a Linux server. We have 1000+ dynamic groups which
> will add members based on a given condition/query. We have
> corresponding static groups that are associated to equivalent groups in
> Active Directory.
>
> The members from the dynamic groups are added to the static groups
> using a Loopback driver.
>
> The process is described below:
> 1. Members are added to the dynamic group based on the query condition.
> 2. The Loopback driver detects the event and then adds the newly added
> users from the dynamic group to its equivalent static group.
> 3. The group member add event (in IDM) is then picked up by the Active
> Directory driver, which adds the user to the associated group in AD.
>
> Somehow, we see that the members of the static group in IDM do not
> match the members of the AD group.
> Example: *Group-abc* in IDM has 10 members, but *Group-abc* in AD has
> around 100 members.
>
> It's happening not only for one group but for several groups.
>
> Solution: we want to fix this issue so that the members in AD stay the
> same as in IDM.
>
> *Question 1: *How can this be fixed?
>
> There is the Migrate from IDVault option on the subscriber driver to
> sync/resync an object to the application (in this case AD).
> Can we use this option and select a group in IDM, so that the members
> will be synced to AD to have equivalent members...
>
> Does this option work in the above-mentioned manner?


This option does a good job of making sure what is in IDM makes it to the
application, but it does not necessarily clean anything beyond that out of
the application, so it is probably not what you want right now.

> Please let us know if there's any other option.


For a one-time fix you may want to check out Console 2, a program written
by another IDM expert, which I believe will let you compare groups even
across other directories like Microsoft Active Directory (MAD). For
more, check out https://sneakycat.biz/

> *Question 2: *Also, please let us know if we can track/identify from AD
> whether members are added manually and by whom, using some driver
> policy/rule on the publisher channel of the AD driver.


You can definitely use IDM to undo this kind of action, though I doubt
that MAD will tell you who caused the action as much as that it happened,
and approximately when. My bet, since you have more users on the MAD side
than the IDM side, is that this is being done by somebody directly in MAD,
and unless those users are then able to synchronize to IDM they will not
end up in the IDM group.

You could catch this right now, detecting these changes on the Publisher
channel and then seeing if they are new or just the result of MAD's
loopback. If new, e-mail yourself and investigate the trace, then track
down how it came up in MAD and resolve the problem there.

> *Question 3: *Similarly, can we use the "*Merge authority*" option on
> the filter, set to IDVault, to keep the members the same from IDM to AD
> and resync again, or remove any members that are added directly to the
> AD group?


Merge authority is great for merges, but this is likely not a merge (note
that we do not know that, but it seems to be unlikely). You CAN use the
Filter, though, and set the Publisher channel for this attribute to Reset.
Hopefully that works like I hope it will, since MAD is not smart enough
to know which user made which changes with the API Microsoft provides for
synchronization, and therefore all changes that go to MAD from IDM loop
back on the Publisher channel (into IDM), usually to be optimized out as
redundant; if the IDM engine resets this attribute value there, and that
then loops back, you can see a loop may result, though I do not think that
is how it will work. For cleanup, though, see Console 2 (mentioned above).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
cpedersen

Re: Migrate from IDVault for Group objects to Active Directory

On 12.04.19 23:54, dkdng wrote:
>
> Hi,
>
> We have IDM 4.7 on a Linux server. We have 1000+ dynamic groups which
> will add members based on a given condition/query. We have
> corresponding static groups that are associated to equivalent groups in
> Active Directory.
>
> The members from the dynamic groups are added to the static groups
> using a Loopback driver.
>
> The process is described below:
> 1. Members are added to the dynamic group based on the query condition.
> 2. The Loopback driver detects the event and then adds the newly added
> users from the dynamic group to its equivalent static group.
> 3. The group member add event (in IDM) is then picked up by the Active
> Directory driver, which adds the user to the associated group in AD.
>
> Somehow, we see that the members of the static group in IDM do not
> match the members of the AD group.
> Example: *Group-abc* in IDM has 10 members, but *Group-abc* in AD has
> around 100 members.
>
> It's happening not only for one group but for several groups.
>
> Solution: we want to fix this issue so that the members in AD stay the
> same as in IDM.
>
> *Question 1: *How can this be fixed?
>
> There is the Migrate from IDVault option on the subscriber driver to
> sync/resync an object to the application (in this case AD).
> Can we use this option and select a group in IDM, so that the members
> will be synced to AD to have equivalent members...
>
> Does this option work in the above-mentioned manner?
>
> Please let us know if there's any other option.
>
> *Question 2: *Also, please let us know if we can track/identify from AD
> whether members are added manually and by whom, using some driver
> policy/rule on the publisher channel of the AD driver.
>
> *Question 3: *Similarly, can we use the "*Merge authority*" option on
> the filter, set to IDVault, to keep the members the same from IDM to AD
> and resync again, or remove any members that are added directly to the
> AD group?
>
>
> Thanks in advance.
>
> best regards,
> dk
>
>


Many years ago we looked at a similar problem, not quite the same; we
needed the group membership to be on the users instead of a static group
(membership as pointing to the dynamic group).

The construct was different, but in general terms the loopback driver
which was responsible for assigning group membership (dynamic --> static)
used the LDAP query in the dynamic group to verify if the user should be
a member of the group.

As a possible one-off, you could build a construct which runs
through all the users and verifies if they need to be a member or
not. Or you can run through all the groups, read out all the members and
assign/remove members from the static groups.


Casper

Knowledge Partner

Re: Migrate from IDVault for Group objects to Active Directory

dkdng;2498302 wrote:
Hi,

We have IDM 4.7 on a Linux server. We have 1000+ dynamic groups which will add members based on a given condition/query. We have corresponding static groups that are associated to equivalent groups in Active Directory.

The members from the dynamic groups are added to the static groups using a Loopback driver.

The process is described below:
1. Members are added to the dynamic group based on the query condition.
2. The Loopback driver detects the event and then adds the newly added users from the dynamic group to its equivalent static group.
3. The group member add event (in IDM) is then picked up by the Active Directory driver, which adds the user to the associated group in AD.

Somehow, we see that the members of the static group in IDM do not match the members of the AD group.
Example: Group-abc in IDM has 10 members, but Group-abc in AD has around 100 members.

It's happening not only for one group but for several groups.

Solution: we want to fix this issue so that the members in AD stay the same as in IDM.

Question 1: How can this be fixed?

There is the Migrate from IDVault option on the subscriber driver to sync/resync an object to the application (in this case AD).
Can we use this option and select a group in IDM, so that the members will be synced to AD to have equivalent members...

Does this option work in the above-mentioned manner?

Please let us know if there's any other option.

Question 2: Also, please let us know if we can track/identify from AD whether members are added manually and by whom, using some driver policy/rule on the publisher channel of the AD driver.

Question 3: Similarly, can we use the "Merge authority" option on the filter, set to IDVault, to keep the members the same from IDM to AD and resync again, or remove any members that are added directly to the AD group?


Thanks in advance.

best regards,
dk


I suspect there is more than one problem here. There may be technical problems, but I have to first question the stated design.


1. Members are added to the dynamic group based on the query condition.


Members are not, ever, added to a dynamic group based on the group's query condition. The dynamic group functions as a canned LDAP query, returning "members" whenever you ask it what the membership is, based on the query.


2. The Loopback driver detects the event and then adds the newly added users from the dynamic group to its equivalent static group.


Since #1 is not the case, there is no event here to act on. This makes me suspect that your problem is one of design. Your dynamic group membership isn't changing, so your static group membership no longer matches, because this driver sees no events to process. You'd have to have it configured to run from a scheduled polling job or something similar.


3. The group member add event (in IDM) is then picked up by the Active Directory driver, which adds the user to the associated group in AD.


This part is straightforward and probably working fine.


I'd start here with the first item. Get your dynamic / static group memberships in the Vault working correctly. If not working, get a trace of the loopback driver and figure out why not.

Then look at the vault to MAD events. Again, get a trace, see what's changing or not changing, and whether or not it should be.
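The three replies above describe, in words, what a reconciliation of these groups has to do: the last reply points out that a dynamic group is a stored query whose membership exists only when evaluated, Casper describes a one-off sweep that recomputes membership and adds/removes members of the static groups, and the first reply suggests catching member changes on the Publisher channel and telling loopback of IDM's own writes apart from changes made directly in AD. The following Python model is an added example written for this thread; it is not code from any of the posters and not part of NetIQ/Micro Focus IDM or its drivers. Every DN, user, attribute, association and group name in it is constructed, the equality map standing in for a dynamic group's LDAP filter is a simplification, and the in-memory sets stand in for what a driver would read from the vault and from AD.

```python
# Added example, not from the forum thread or from NetIQ/Micro Focus IDM.
# Offline model of the membership views discussed in the thread; all names
# below are constructed.

# Constructed identity vault: user DN -> attributes.
USERS = {
    "cn=alice,ou=users,o=vault": {"department": "finance", "status": "active"},
    "cn=bob,ou=users,o=vault":   {"department": "finance", "status": "active"},
    "cn=carol,ou=users,o=vault": {"department": "finance", "status": "disabled"},
    "cn=dave,ou=users,o=vault":  {"department": "sales",   "status": "active"},
}

# A dynamic group is a stored query; this equality map stands in for its LDAP filter.
DYNAMIC_GROUPS = {
    "cn=Group-abc-dyn,ou=groups,o=vault": {"department": "finance", "status": "active"},
}
STATIC_FOR_DYNAMIC = {"cn=Group-abc-dyn,ou=groups,o=vault": "cn=Group-abc,ou=groups,o=vault"}
AD_FOR_STATIC = {"cn=Group-abc,ou=groups,o=vault": "CN=Group-abc,OU=Groups,DC=example,DC=com"}

# Driver associations: vault user DN -> AD user DN (constructed).
ASSOCIATIONS = {
    "cn=alice,ou=users,o=vault": "CN=alice,OU=Users,DC=example,DC=com",
    "cn=bob,ou=users,o=vault":   "CN=bob,OU=Users,DC=example,DC=com",
    "cn=carol,ou=users,o=vault": "CN=carol,OU=Users,DC=example,DC=com",
    "cn=dave,ou=users,o=vault":  "CN=dave,OU=Users,DC=example,DC=com",
}

# Current, drifted memberships, constructed to reproduce the symptom in the thread.
STATIC_MEMBERS = {
    "cn=Group-abc,ou=groups,o=vault": {"cn=alice,ou=users,o=vault", "cn=carol,ou=users,o=vault"},
}
AD_MEMBERS = {
    "CN=Group-abc,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=carol,OU=Users,DC=example,DC=com",
        "CN=mallory,OU=Users,DC=example,DC=com",  # added directly in AD; no vault object
    },
}


def evaluate_dynamic_group(users, condition):
    """Membership is computed at read time from the query; nothing is ever
    added to the group, so there is no add event for a driver to react to."""
    return {dn for dn, attrs in users.items()
            if all(attrs.get(k) == v for k, v in condition.items())}


def reconcile(authoritative, current):
    """Return (to_add, to_remove) that turns `current` into `authoritative`."""
    return authoritative - current, current - authoritative


def plan_static_groups(users=USERS, dynamic_groups=DYNAMIC_GROUPS,
                       static_for_dynamic=STATIC_FOR_DYNAMIC,
                       static_members=STATIC_MEMBERS):
    """Vault-side sweep: evaluate every dynamic query and diff the result
    against the corresponding static group."""
    plan = {}
    for dyn_dn, condition in dynamic_groups.items():
        static_dn = static_for_dynamic[dyn_dn]
        wanted = evaluate_dynamic_group(users, condition)
        plan[static_dn] = reconcile(wanted, static_members.get(static_dn, set()))
    return plan


def plan_ad_groups(static_members, ad_members=AD_MEMBERS,
                   ad_for_static=AD_FOR_STATIC, associations=ASSOCIATIONS):
    """AD-side sweep with the vault as authority. Returns, per AD group,
    (to_add, to_remove, unassociated); unassociated members have no vault
    counterpart at all, so they cannot have arrived through the driver."""
    ad_to_vault = {ad: vault for vault, ad in associations.items()}
    plan = {}
    for static_dn, members in static_members.items():
        ad_dn = ad_for_static[static_dn]
        wanted = {associations[m] for m in members if m in associations}
        current = ad_members.get(ad_dn, set())
        to_add, to_remove = reconcile(wanted, current)
        plan[ad_dn] = (to_add, to_remove, {m for m in current if m not in ad_to_vault})
    return plan


def classify_publisher_event(event, pending_subscriber_writes):
    """Triage a member add/remove reported on the Publisher channel: a match
    with a write the Subscriber channel just made is loopback and can be
    dropped as redundant; anything else was done directly in AD and should
    be reported (and reverted from the vault if the filter is set to Reset)."""
    key = (event["group"], event["member"], event["op"])
    if key in pending_subscriber_writes:
        pending_subscriber_writes.discard(key)
        return "loopback"
    return "external"


if __name__ == "__main__":
    static_plan = plan_static_groups()
    corrected = {dn: (STATIC_MEMBERS.get(dn, set()) | add) - rem
                 for dn, (add, rem) in static_plan.items()}
    for ad_dn, (add, rem, unassoc) in plan_ad_groups(corrected).items():
        print(ad_dn, "add:", sorted(add), "remove:", sorted(rem),
              "no vault object:", sorted(unassoc))
```

Run stand-alone, it first repairs the static group from the dynamic query (bob is added, the disabled carol is removed) and then derives the AD plan from the corrected vault view: bob is added in AD, carol and mallory are removed, and mallory is additionally reported as having no vault object, which is the case the first reply predicts for accounts added straight into AD. The `classify_publisher_event` helper models the triage step the same reply describes: the driver records each group write it sends on the Subscriber channel, and a matching event coming back on the Publisher channel is dropped as loopback rather than acted on, so only genuinely external changes get reported.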