vkhoury

Reevaluation of entitlement after group membership deletion

Hi, I'm using an RBE driver in order to grant/revoke entitlements based on certain criteria. When the entitlement is granted the user is added to a group.
Groups along with group members are being synced to AD via the AD driver.
The scenario is as follows:
A user has been granted the entitlement and therefore added to the group. Later, the user has been removed from the group in AD. Since group members are synced between AD and the vault, the user will be removed from the group in the vault as well. However, the entitlement is still granted.
Reevaluate Entitlement is useless in this case because the entitlement is already granted.
It's not a good idea to revoke the entitlement and then reassign it since the entitlement may be responsible for other things than adding the user to the group. The user will then lose all the resources assigned and this is deprecated.
The aim is to force the system to add the user to the group again if a deletion in AD occurred and if the entitlement is granted.
I was thinking of writing a policy which checks for membership deletion and, based on the entitlement state, adds the user to the group again after deletion.
However, this solution seems to be group-specific and might slow the system since it has to search for the desired group for every user.
Is there any better solution?
Knowledge Partner

Re: Reevaluation of entitlement after group membership deletion

I haven't done it, but I'd do it in policy. I'd start with the "Add Group assignments for User On Sync" rule in the NOVLADENTEX-pub-etp-EntitlmentsImpl policy set, use that for inspiration, then work out what has to be done to fix what somebody is breaking.

Then I'd consider breaking the fingers of whoever is removing group memberships when they shouldn't be.
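The reply above ends with finding out who is removing the memberships. The following is an added example, not code from any of the posters: it pulls the security-group membership-removal events (4729 for global, 4733 for local, 4757 for universal groups) from a domain controller's Security log and keeps only those whose target group lives in the OU that holds the IDM-managed groups. The DC name, the OU DN and the driver service-account name are assumptions for illustration; the script also assumes the "Security Group Management" audit subcategory is enabled on the DCs, otherwise nothing is logged.

```powershell
# Added example (not from the thread): who removed members from IDM-managed groups?
# Assumptions (not from the original posts): DC name, OU DN, driver account name.
Import-Module ActiveDirectory

$dc            = 'dc01.corp.example'                          # assumed domain controller
$ou            = 'OU=IDM-Managed Groups,DC=corp,DC=example'   # assumed OU of IDM-managed groups
$driverAccount = 'svc-idm-addriver'                           # assumed AD driver service account
$since         = (Get-Date).AddDays(-7)

# Security log events for "a member was removed from a security-enabled group":
# 4729 = global group, 4733 = local group, 4757 = universal group.
$removalIds = 4729, 4733, 4757

# Resolve the IDM-managed groups once; the events carry the group's SID, not its DN.
$idmGroupsBySid = @{}
Get-ADGroup -SearchBase $ou -Filter * |
    ForEach-Object { $idmGroupsBySid[$_.SID.Value] = $_.DistinguishedName }

Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = $removalIds; StartTime = $since } |
  ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep removals that hit an IDM-managed group and were not done by the driver itself.
    if ($idmGroupsBySid.ContainsKey($d.TargetSid) -and $d.SubjectUserName -ne $driverAccount) {
      [pscustomobject]@{
        When    = $_.TimeCreated
        Group   = $idmGroupsBySid[$d.TargetSid]
        Member  = $d.MemberName                       # DN of the removed member
        Actor   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        EventId = $_.Id
      }
    }
  } | Sort-Object When | Format-Table -AutoSize
```

Membership writes are logged on the DC that processed them, so run this against every writable DC (or against a central log collector) rather than one DC, or the removal you are hunting for will simply not be in the log you read.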
Knowledge Partner

Re: Reevaluation of entitlement after group membership deletion

On 12/27/2018 8:04 AM, vkhoury wrote:
>
> Hi, I'm using an RBE driver in order to grant/revoke entitlements based
> on certain criteria. When the entitlement is granted the user is added
> to a group.
> Groups along with group members are being synced to AD via the AD driver.
> The scenario is as follows:
> A user has been granted the entitlement and therefore added to the
> group. Later, the user has been removed from the group in AD. Since
> Group Members are synced between AD and the vault,
> the user will be removed from the group in the vault as well. However,
> the entitlement is still granted.


I suppose you could try and catch Pub channel group membership changes,
match them to entitlements and remove to match. But then when the group
criteria is updated/re-evaluated in RBE it will re-add to the group.

Which might be what you want. Might not.


> Reevaluate Entitlement is useless in this case because the entitlement
> is already granted.
> It's not a good idea to revoke the entitlement and then reassign it
> since the entitlement may be responsible for other things than adding
> the user to the group. The user will then lose all the resources
> assigned and this is deprecated.
> *The aim is to force the system to add the user to the group again if a
> deletion in AD occurred and if the entitlement is granted.*
> I was thinking of writing a policy which checks for membership deletion
> and, based on the entitlement state, adds the user to the group again after
> deletion.
> However, this solution seems to be group-specific and might slow the
> system since it has to search for the desired group for every user.
> Is there any better solution?
schwoerb

Re: Reevaluation of entitlement after group membership deletion

I personally solved this situation by using AD permissions to deny people modifying IDM-managed groups. Easiest is to have a separate OU for IDM-managed groups that has been restricted so that others can't modify the membership.

It does take more groups for places where you want AD-managed groups in combination with IDM-managed groups, but that is easier to deal with in my opinion.
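One way to set up the OU restriction described above, as an added example that is not schwoerb's own script: it puts two ACEs on the OU that holds the IDM-managed groups, both scoped to the `member` attribute of descendant group objects only, so the delegated admins keep every other right they have on those groups. The OU DN, the driver service account and the delegated helpdesk group are assumptions for illustration; the two schema GUIDs (the `member` attribute and the `group` class) are the same in every AD forest.

```powershell
# Added example (not from the thread): lock down 'member' on IDM-managed groups
# so that only the IDM AD driver account can change membership below one OU.
# Assumptions (not from the original posts): OU DN, driver account, helpdesk group.
Import-Module ActiveDirectory

$ou            = 'OU=IDM-Managed Groups,DC=corp,DC=example'   # assumed OU
$driverAccount = 'CORP\svc-idm-addriver'                      # assumed AD driver service account
$helpdeskGroup = 'CORP\Helpdesk-GroupAdmins'                  # assumed delegated group to lock out

# Schema GUIDs, fixed across all AD forests: the 'member' attribute and the 'group' class.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$groupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ou"

# 1. Allow the driver account to read and write 'member' on group objects under the OU.
$allowDriver = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.NTAccount]::new($driverAccount),
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

# 2. Deny the delegated helpdesk group WriteProperty on 'member' for the same objects.
#    Inherited Deny beats inherited Allow, which is what the OU approach relies on.
$denyHelpdesk = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.NTAccount]::new($helpdeskGroup),
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl.AddAccessRule($allowDriver)
$acl.AddAccessRule($denyHelpdesk)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Verify: show every ACE on the OU that targets 'member' on descendant group objects.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ObjectType -eq $memberAttrGuid -and $_.InheritedObjectType -eq $groupClassGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Two things to check before relying on this. First, the driver account must not itself be a member of the denied group, because a Deny ACE is evaluated before an Allow for the same principal and the driver would then be unable to add members. Second, ACE evaluation order puts explicit ACEs on the object ahead of ACEs inherited from the OU, so an Allow written directly onto a group object (for example the Account Operators rights that come from the group class's default security descriptor) still wins over the inherited Deny; inspect a sample group's own DACL with `Get-Acl "AD:\<group DN>"` and remove or override such entries if the delegated admins are in those built-in groups.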
Knowledge Partner

Re: Reevaluation of entitlement after group membership deletion

schwoerb wrote:

> I personally solved this situation by using AD permissions to deny
> people modifying IDM-managed groups. Easiest is to have a separate OU
> for IDM-managed groups that has been restricted so that others can't modify
> the membership.
>
> It does take more groups for places where you want AD-managed groups in
> combination with IDM-managed groups, but that is easier to deal with in my
> opinion.


Agree, far simpler than writing code to handle all possible scenarios.

--
Alex McHugh - Knowledge Partner - Stavanger, Norway
The opinions expressed above are the personal opinions of the authors, not of Micro Focus.