on 07-24-2014 5:50 AM
Hi,
Got a bit of a niggly issue here:
Scenario:
We have 3 different ADs that we read from, and provision users to SAP, based on group assignment.
Groups are created locally in the 3 ADs, but are made global, so they can be assigned to users in other ADs. While that works fine for AD, and I can see the assignments through the AD browser, IdM is not picking up the relationship between a user and the "foreign" groups.
Anyone have any thoughts on what can be done to address this, without having to create the groups locally in each AD?
cheers,
Henrik
All, thanks for your input on this challenge.
We managed to get it sorted by creating a union query on all 3 AD repositories, and now the results are showing up as expected.
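An added example, not part of the thread and not SAP IdM's own code, showing on constructed data why reading each user's memberOf from its home repository misses groups held in the other domains, and how a union over the groups' member attribute across all three repositories recovers the full assignment list before SAP roles are derived. The domain names, DNs, and the group-to-SAP-role table are made up; memberOf and member are real AD attributes. One caveat a practitioner should keep in mind: a domain controller computes memberOf only from groups in the naming contexts it hosts, so a plain domain DC (port 389) will not list another domain's group for its own user; a Global Catalog (port 3268) adds universal groups from other domains, but still not their global or domain-local groups, which is why reading the groups' forward links in every repository is the reliable path.

```python
"""Cross-domain AD group assignments: per-repository memberOf read versus a union
over every repository's group 'member' links. All data below is constructed."""
from collections import defaultdict

# Constructed DNs (made-up forest: au/nz subdomains under corp.example).
AU_USER = "CN=Alice Au,OU=Users,DC=au,DC=corp,DC=example"
NZ_USER = "CN=Bob Nz,OU=Users,DC=nz,DC=corp,DC=example"
AU_FINANCE = "CN=AU-Finance,OU=Groups,DC=au,DC=corp,DC=example"
NZ_PAYROLL = "CN=NZ-Payroll,OU=Groups,DC=nz,DC=corp,DC=example"
CORP_INTRANET = "CN=Corp-Intranet,OU=Groups,DC=corp,DC=example"

# Constructed snapshot of what each domain's own (non-GC) DC returns to its IdM
# repository. A DC derives a user's memberOf only from groups it hosts, so the
# AU repository shows AU_USER in AU-Finance only, even though NZ-Payroll and
# Corp-Intranet name AU_USER in their 'member' attribute.
REPOSITORIES = {
    "AD_AU": {
        "users": {AU_USER: {"memberOf": [AU_FINANCE]}},
        "groups": {AU_FINANCE: {"member": [AU_USER]}},
    },
    "AD_NZ": {
        "users": {NZ_USER: {"memberOf": [NZ_PAYROLL]}},
        "groups": {NZ_PAYROLL: {"member": [AU_USER, NZ_USER]}},
    },
    "AD_CORP": {
        "users": {},
        "groups": {CORP_INTRANET: {"member": [AU_USER, NZ_USER]}},
    },
}

# Hypothetical group-to-SAP-role mapping (what a dynamic group / business role
# in IdM might encode); role names are invented.
GROUP_TO_SAP_ROLE = {
    AU_FINANCE: "Z_FI_AU_DISPLAY",
    NZ_PAYROLL: "Z_HR_NZ_PAYROLL",
    CORP_INTRANET: "Z_BASE_USER",
}


def memberships_from_memberof(repositories):
    """Per-repository view: user DN -> groups, taken from each user's memberOf
    as its home DC reports it. This is what a per-domain delta load sees."""
    result = defaultdict(set)
    for repo in repositories.values():
        for user_dn, attrs in repo["users"].items():
            result[user_dn].update(attrs.get("memberOf", []))
    return dict(result)


def memberships_from_member_union(repositories):
    """Union view: user DN -> groups, built from the forward 'member' link of
    every group in every repository, so foreign-domain groups are included."""
    result = defaultdict(set)
    for repo in repositories.values():
        for group_dn, attrs in repo["groups"].items():
            for member_dn in attrs.get("member", []):
                result[member_dn].add(group_dn)
    return dict(result)


def missing_assignments(repositories):
    """Assignments that exist in AD but are invisible to the per-repository read.
    Returns only users for which something is missing."""
    per_domain = memberships_from_memberof(repositories)
    union = memberships_from_member_union(repositories)
    gaps = {}
    for user_dn, groups in union.items():
        missing = groups - per_domain.get(user_dn, set())
        if missing:
            gaps[user_dn] = missing
    return gaps


def sap_roles_for(user_dn, repositories):
    """SAP roles derived from the unioned group list; unmapped groups are ignored."""
    groups = memberships_from_member_union(repositories).get(user_dn, set())
    return sorted(GROUP_TO_SAP_ROLE[g] for g in groups if g in GROUP_TO_SAP_ROLE)


if __name__ == "__main__":
    for user_dn, missing in missing_assignments(REPOSITORIES).items():
        print(f"{user_dn} missing from per-domain read: {sorted(missing)}")
    print("AU user SAP roles:", sap_roles_for(AU_USER, REPOSITORIES))
```

Running the module prints the two groups the AU repository never reports for the AU user, then the full SAP role list derived from the union; `missing_assignments` is also a useful reconciliation check to run after each load, since an empty result means the per-domain read and the union agree.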
Henrik,
Three domain controllers or three separate domains? That will matter a lot in trying to resolve this issue.
Matt
Hi,
I guess a little more detail is required 🙂
There is a repository for each AD, and provisioning works as intended. The only case when it is not working, is when the AD group assigned to a user is from another AD. Example:
We have AU, NZ and Corporate domains. They are subdomains of the main domain, but I can't pull them from the main domain to get a consolidated view.
If an AU user is assigned a local AU group, then no problem.
If an AU user is assigned a NZ group, which is in NZ AD, it does not come through in the delta load job into AD, even though I can see it in the AD browser...
Does that help?
I'm still confused as to what exactly you mean by:
If an AU user is assigned a NZ group, which is in NZ AD, it does not come through in the delta load job into AD
When you have one IdM repository per AD, then IdM should manage those 3 ADs as different systems. Meaning that you read the group assignments from all three and IdM sees them as 3 separate assignments. Now what is not coming through? Something to IdM? Something to one/all of the ADs?
Do you expect to see all AD group assignments in all three ADs, when you assign them in IdM? So that you can see the NZ groups also assigned to the AU users in their AU AD? Or are we talking about something that is missing in the IdM?
Yeah, I'm getting more confused...
So, because the 3 domains belong to the same forest, it is possible to assign a group from AD-NZ to a user in AD-AU, without that group actually existing in AD-AU, or the user existing in AD-NZ.
That works just fine from an AD point of view.
However, that is the relationship that is not coming through when I read the AD.
Does that make more sense?
> Do you expect to see all AD group assignments in all three ADs, when you assign them in IdM? So that you can see the NZ groups also assigned to the AU users in their AU AD?
Yes, that's exactly it!
/henrik
Hello Henrik,
are all three ADs connected as repositories to the IdM?
You can read the groups and the assigned users into IdM. There should be something for this in the initial load job. Then you could assign SAP roles dynamically through dynamic groups and their business roles.
Or did I misunderstand and you don't want to actually read the group assignments into IdM (so they are visible there for the identities and in the privileges), but you just want to create a job that reads the group assignments into a temp table and assigns SAP roles depending on AD group assignments through that?
Both should be possible as far as I know.
Or maybe I missed your point completely.
Regards,
Steffi.