
Reset Group Membership for specific groups?


All our groups are presently kept in synch.
eDir <-> IDVault <-> AD
Changes sourced from eDir or AD work well to replicate memberships
across directories.

We have a requirement to keep a couple groups in synch but to NOT allow
membership changes sourced from eDir or AD.
Membership to these two groups is done via another driver (Oracle) which
updates specific attributes in the IDVault. Those changes are picked up
by a Null Driver and group membership Add/Delete are done this way.

For this reason, these two groups should no longer be modified by
administrators of eDir or AD. I'd like to essentially do the same as a
filter "Reset" if a membership change is being Published.

Can someone please point me in the right direction for the policy/rules
I might need in eDir and AD drivers?
I've searched and haven't found any posts that might help me.

Thanks for any help,
Marc


--
ohico
------------------------------------------------------------------------
ohico's Profile: https://forums.netiq.com/member.php?userid=4171
View this thread: https://forums.netiq.com/showthread.php?t=49100


Re: Reset Group Membership for specific groups?

On 10/30/2013 6:24 PM, ohico wrote:
>
> All our groups are presently kept in synch.
> eDir <-> IDVault <-> AD
> Changes sourced from eDir or AD work well to replicate memberships
> across directories.
>
> We have a requirement to keep a couple groups in synch but to NOT allow
> membership changes sourced from eDir or AD.
> Membership to these two groups is done via another driver (Oracle) which
> updates specific attributes in the IDVault. Those changes are picked up
> by a Null Driver and group membership Add/Delete are done this way.
>
> For this reason, these two groups should no longer be modified by
> administrators of eDir or AD. I'd like to essentially do the same as a
> filter "Reset" if a membership change is being Published.
>
> Can someone please point me in the right direction for the policy/rules
> I might need in eDir and AD drivers?
> I've searched and haven't found any posts that might help me.
>
> Thanks for any help,
> Marc
>
>

This is going to be tricky as the modify from eDir will essentially be the same as another driver
modifying it. One possibility is that for the groups in question you mark them in some way that you
can read from a rule (some attribute or container) to tell that they should be handled this way.
Then you could read the event ID. Coming from Oracle, the event ID for the membership change when it
hits your AD driver should still be the association value from the Oracle driver. You will need to
test this to verify. I'm not sure this is the best way, but it is one possibility.

Another way would be to do this via workflow. Still another way would be to modify some other
attribute, maybe a structured one, that the AD driver would look to for its membership changes.

You could also have the Oracle driver just reset changes. So that if it changes in AD, then syncs
to eDir, then syncs to the Oracle driver, the Oracle driver says no thank you and sets the
membership back to what it knows to be true. That is actually probably the best way, albeit the
chattiest of the above.
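As an added illustration of the "mark the groups by container" idea above (this is example DirXML-Script, not code from either poster or from NetIQ), a Publisher Command Transformation rule for the eDir and AD drivers that drops membership changes for any group living under a protected sub-container. At this stage of the Publisher channel the group's IDVault DN is available as the destination DN; the container name is taken from the thread, the `IDV\ReadOnly` path is a placeholder and must be written in the slash DN format your vault actually traces.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example only: Publisher Command Transformation policy that refuses to
     apply Member changes published from eDir or AD for groups that sit in
     the protected "ReadOnly" container. The Null driver that owns these
     memberships writes directly to the IDVault and never passes through
     this channel, so its changes are unaffected. -->
<policy>
  <rule>
    <description>Drop Member changes for groups under ReadOnly</description>
    <conditions>
      <and>
        <if-operation op="equal">modify</if-operation>
        <if-class-name op="equal">Group</if-class-name>
        <!-- IDV\ReadOnly is a placeholder for the real container DN -->
        <if-dest-dn op="in-subtree">IDV\ReadOnly</if-dest-dn>
        <if-op-attr name="Member" op="changing"/>
      </and>
    </conditions>
    <actions>
      <!-- Leave an audit trail in the driver trace (level 1 and above) -->
      <do-trace-message level="1">
        <arg-string>
          <token-text>Dropping published Member change for protected group </token-text>
          <token-dest-dn/>
        </arg-string>
      </do-trace-message>
      <!-- Remove the membership attribute so the rest of the modify
           (description, etc.) can still be applied -->
      <do-strip-op-attr name="Member"/>
      <!-- The reciprocal eDir attribute, if the driver publishes it too -->
      <do-strip-op-attr name="Equivalent To Me"/>
    </actions>
  </rule>
</policy>
```

Because the condition is evaluated on the destination DN, moving a group into the protected container is all that is needed to enrol it; no per-group configuration in the drivers is required.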

Re: Reset Group Membership for specific groups?


Thanks for the suggestion. You confirmed that using IDM was too
complicated for my knowledge level so I opted to simply protect the
groups using eDirectory trustee permissions.

In eDir I moved the two groups to a new sub-container named "ReadOnly"
and added trustee rights to key admin & IDM user objects. Then applied
an Inherited Rights Filter (IRF) to block all trustee edit permissions
at that "ReadOnly" container.

Since our IT staff manage our users/groups via eDirectory (C1 or
iManager) this will stop them from being able to make any changes and
the groups will continue to have correct memberships controlled by Null
driver in ID Vault.

Maybe someday I'll figure out how to make the same permission change in
MAD but for now this will suffice.

Marc


