fartyalvikram Contributor.

Sync Users from AD to eDir on basis of AD Group Assignment

I want users to be synced from AD to eDir only when the AD user has been assigned to a particular AD group.
For example, I have one user (tuser01) and one group (idmgrp) in AD.
I have configured the Active Directory driver, and user sync from AD to eDir is working fine. Now I want the user to be synced from AD to eDir only when the user (tuser01) is assigned to the group (idmgrp).

I am using Identity Manager 4.5.
Knowledge Partner

Re: Sync Users from AD to eDir on basis of AD Group Assignment

On 5/4/2018 9:26 AM, fartyalvikram wrote:
>
> I want that, User is sync from AD to eDir only if when AD User is
> Assigned into an particular AD Group.
> For example, I have one user (tuser01) and one Group (idmgrp) inside
> AD.
> I have configured Active Directory Driver and User sync from AD to eDir
> is working fine. Now I want, that user will be sync from AD to eDir only
> when user (tuser01) is Assigned into Group (idmgrp).
>
> I am using Identity Manager 4.5.


If you are using Roles/Resources/Entitlements this is easy.

Define a Role for AD access. Assign it a Resource you define that has
an Entitlement assigned for AD UserAccount Entitlement.

Then assign that Role to the Group.

Now only members of that group will sync to oAD.


fartyalvikram Contributor.

Re: Sync Users from AD to eDir on basis of AD Group Assignment

No, I am not using "Roles/Resources/Entitlements" for this.
I just want to write one policy that can identify those users who are not members of the AD group (idmgrp), so I can veto those users at the time of sync from AD to eDir if and only if they have not been assigned to the AD group (idmgrp).
Knowledge Partner

Re: Sync Users from AD to eDir on basis of AD Group Assignment

On 5/4/2018 2:04 PM, fartyalvikram wrote:
>
> No, I am not using "Roles/Resources/Entitlements" for this.
> I just want to write one policy which can validate those User which are
> not the member of AD group (idmgrp), so I can veto those user at the
> time of sync from AD to eDir if and only if they have not assigned into
> AD group (idmgrp).


If class=user
If source attribute Group Membership not equal to \TREE\o\ou\ou\cn then Veto

Note, the compare needs to include the leading slash and tree.

The step you are not likely aware of, is that Source Attribute, if you
compare a single value, and it returns a multi valued attribute then it
is true if ANY of the values match. And false if NONE of the values match.

But the way Designer's Simulator returns the value would be without the
tree, but the engine returns it with the tree.
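The rule described in the reply above, written out as DirXML-Script. This is an added example, not code from the thread or from the NetIQ driver: it assumes a driver GCV named ad-group-dn that holds the DN of the gating AD group (the GCV name used later in this thread) and uses the ~gcv~ substitution form, which the engine replaces with the GCV value when the policy is loaded. Because the attribute is referred to by its eDirectory name (Group Membership), the rule belongs in a Publisher channel policy that runs after the Schema Mapping policy (Event Transformation or Matching), not in the Input Transformation.

```xml
<policy>
  <!-- Added example (not from the thread): veto Publisher events for users
       that are not members of the configured AD group. Assumes a driver GCV
       named ad-group-dn holding the group's DN; ~ad-group-dn~ is replaced
       with the GCV value when the driver loads the policy. -->
  <rule>
    <description>Veto users that are not members of the gating AD group</description>
    <conditions>
      <and>
        <!-- Only user objects; nocase because the shim reports the class as "user". -->
        <if-class-name mode="nocase" op="equal">User</if-class-name>
        <!-- Only the event types that would create or update the user in eDir. -->
        <if-operation mode="regex" op="equal">add|sync|modify</if-operation>
        <!-- Source Attribute queries AD for the current value instead of relying
             on what the event itself happens to carry. On a multi-valued
             attribute "equal" is true if ANY value matches, so "not-equal" is
             true only when NONE of the values match. -->
        <if-src-attr mode="nocase" name="Group Membership" op="not-equal">~ad-group-dn~</if-src-attr>
      </and>
    </conditions>
    <actions>
      <!-- Record the decision in the driver trace so vetoes can be audited. -->
      <do-trace-message level="2">
        <arg-string>
          <token-text xml:space="preserve">Veto: not a member of ~ad-group-dn~: </token-text>
          <token-src-dn/>
        </arg-string>
      </do-trace-message>
      <do-veto/>
    </actions>
  </rule>
</policy>
```

Before relying on the compare, run one event at trace level 3 and read the DN format the shim actually returns for Group Membership, since the reply above notes that Designer's Simulator and the engine return the value in different forms. If the rule is placed in the Matching policy, the if-operation condition is redundant (only add-type events for non-associated objects reach it); in the Event Transformation it is what limits the veto to the event types listed.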
fartyalvikram Contributor.

Re: Sync Users from AD to eDir on basis of AD Group Assignment

I have written the below policy in the Input Transformation of the Publisher channel. Is that correct?

    <rule>
      <description>Veto Users</description>
      <conditions>
        <and>
          <if-class-name mode="nocase" op="equal">User</if-class-name>
          <if-op-attr mode="nocase" name="Group Membership" op="not-equal">~ad-group-dn~</if-op-attr>
        </and>
      </conditions>
      <actions>
        <do-veto/>
      </actions>
    </rule>

Here "ad-group-dn" is a GCV configured in that driver, and its value is the DN of the AD group 'idmgrp': "CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local".
ScorpionSting Absent Member.

Re: Sync Users from AD to eDir on basis of AD Group Assignment

You're using Operation Attribute, which is unlikely to be available during all operations. As per Geoff's suggestion, use Source Attribute. Don't forget that, this being the Input Transform, the attribute and class names are those of the application (AD) and not eDirectory, as the schema mapper has not been hit yet.

Visit my Website for links to Cool Solution articles.
Knowledge Partner

Re: Sync Users from AD to eDir on basis of AD Group Assignment

On 5/6/2018 6:16 PM, ScorpionSting wrote:
>
> You're using Operation Attribute which is unlikely to be available
> during all operations. As per Geoff's suggestion, use Source Attribute.
> Don't forget, that being the Input Transform, the attribute and class
> names is that of the application (AD) and not eDirectory as the schema
> mapper has not been hit yet.


Ya, do NOT do this in the Input Transform.

Are you using a group in AD? To control creating in the IDV? I remember
reading it the other way.

I would do it in the Match policy of the proper channel. This way only a
non-associated user (Else it won't get into the Match) that is either an
add, or a modify converted to a synthetic add will be vetoed.

Or do it in the Sub-ETP and check for <sync>, <move>, <add>, or <modify>
events as well as class=user to block.

ScorpionSting Absent Member.

Re: Sync Users from AD to eDir on basis of AD Group Assignment

Wouldn't Creation be the appropriate place? Mind you, it depends on their naming standards and what already exists in the IDV....

Visit my Website for links to Cool Solution articles.
Knowledge Partner

Re: Sync Users from AD to eDir on basis of AD Group Assignment

On 5/6/2018 8:34 PM, ScorpionSting wrote:
>
> Wouldn't Creation be the appropriate? Mind you, depends on their naming
> standards and what already exists in the IDV....


You would think, right? Except if a match is found, you would associate
them, and you probably do NOT want to do that if they are not 'supposed'
to have an account. (But then of course, they do have an account, so
why not match it?).

I guess it depends on your perspective of what "only members of the group
should have an account" means as to which place to do it.


ScorpionSting Absent Member.

Re: Sync Users from AD to eDir on basis of AD Group Assignment

Yeah, hence my condition on how they name their accounts and what already exists (i.e. created from HR and then "matched" from AD, or not).

Visit my Website for links to Cool Solution articles.
fartyalvikram Contributor.

Re: Sync Users from AD to eDir on basis of AD Group Assignment

When a new user is created in AD, I get the event below in the driver log.
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\IDM45\system\driverset1\Active Directory Driver" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<add class-name="user" event-id="Active Directory Driver##163391e0760##0" src-dn="CN=Test User14,CN=Users,CN=IDM,DC=DEMO,DC=local">
<association>f5fa402516649341913785835fb54d63</association>
<add-attr attr-name="accountExpires">
<value naming="false" type="string">9223372036854775807</value>
</add-attr>
<add-attr attr-name="dirxml-uACAccountDisable">
<value type="state">false</value>
</add-attr>
<add-attr attr-name="displayName">
<value naming="false" type="string">Test User14</value>
</add-attr>
<add-attr attr-name="givenName">
<value naming="false" type="string">Test</value>
</add-attr>
<add-attr attr-name="sAMAccountName">
<value naming="false" type="string">tuser14</value>
</add-attr>
<add-attr attr-name="sn">
<value naming="false" type="string">User14</value>
</add-attr>
<add-attr attr-name="userPrincipalName">
<value naming="false" type="string">tuser14@DEMO.local</value>
</add-attr>
</add>
</input>
</nds>

I am able to veto when the new user does not have the group membership (idmgrp) in AD. But when I add the group (idmgrp) to that user (Test User14), the user is not synced from AD to eDir.

When I add the group (idmgrp) to the user (Test User14) in AD, the event below appears in the driver log.
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\IDM45\system\driverset1\Active Directory Driver1" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="group" event-id="0" src-dn="CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local">
<association>f99bd9ed9d737e4dbe251c6b274aed23</association>
<modify-attr attr-name="member">
<remove-all-values/>
<add-value>
<value association-ref="3b6bb6db730c5a4db1f7df0a578caad4" naming="false" type="dn">CN=Test User14,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="59ba771329a534488a60ce86ff19374c" naming="false" type="dn">CN=Test User10,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="392d4c4ef046d84f8a993db5164f6e2b" naming="false" type="dn">CN=Test User07,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="c037b315aaace14a86035161047d4cb8" naming="false" type="dn">CN=tmp1,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>

When I remove the group (idmgrp) from the user (Test User14) in AD, the event below appears in the driver log.
<nds dtdversion="2.2">
<source>
<product build="20170106_120000" instance="\IDM45\system\driverset1\Active Directory Driver1" version="4.0.2.1">AD</product>
<contact>NetIQ Corporation</contact>
</source>
<input>
<modify class-name="group" event-id="0" src-dn="CN=idmgrp,CN=Groups,CN=IDM,DC=DEMO,DC=local">
<association>f99bd9ed9d737e4dbe251c6b274aed23</association>
<modify-attr attr-name="member">
<remove-all-values/>
<add-value>
<value association-ref="59ba771329a534488a60ce86ff19374c" naming="false" type="dn">CN=Test User10,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="392d4c4ef046d84f8a993db5164f6e2b" naming="false" type="dn">CN=Test User07,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
<value association-ref="c037b315aaace14a86035161047d4cb8" naming="false" type="dn">CN=tmp1,CN=Users,CN=IDM,DC=DEMO,DC=local</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>
ScorpionSting Absent Member.

Re: Sync Users from AD to eDir on basis of AD Group Assignment

The "joys" of Active Directory.... When it comes to group membership, the link is only one way (i.e. the group holds the link, not the user), unlike eDirectory, which has referential DNs (i.e. both the group and the user reference each other).

So, you will need to work through checking Group Membership changes and taking appropriate action, or wait for another change to the user object itself (such as login time or password change) to trigger the user event after the Group modification...

Isn't AD fun?! 😉

Visit my Website for links to Cool Solution articles.