
Read group assignments from Active Directory

Henrik1
Participant
0 Kudos

Hi,

Got a bit of a niggly issue here:

Scenario:

We have 3 different ADs that we read from, and provision users to SAP, based on group assignment.

Groups are created locally in the 3 ADs, but are made global, so they can be assigned to users in other ADs. While that works fine for AD, and I can see the assignments through the AD browser, IdM is not picking up the relationship between a user and the "foreign" groups.

Anyone have any thoughts on what can be done to address this, without having to create the groups locally in each AD?

cheers,

Henrik

Accepted Solutions (1)

Henrik1
Participant
0 Kudos

All, thanks for your input on this challenge.

We managed to get it sorted by creating a union query on all 3 AD repositories, and now the results are showing up as expected.
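The union approach from the accepted answer, as an added illustration that is not part of the original thread: a Python sketch over constructed sample entries (no live LDAP connection) showing why the per-user memberOf view of a single repository misses an assignment to a group from another domain, while the union over all three repositories' group member attributes finds it. Domain names, DNs and the repository layout are assumptions.

```python
# Constructed sample data (not from any real directory): what each of the three
# repositories returns when the load job reads groups (with "member") and users
# (with "memberOf"). A cross-domain membership exists only on the group side:
# AD stores "member" on the group in its own domain, and the "memberOf"
# back-link of a user in another domain is, as a rule, not populated there
# (universal-group memberships are visible through the global catalog instead).
AU_USER = "CN=alice,OU=Users,DC=au,DC=corp,DC=example"
NZ_USER = "CN=bob,OU=Users,DC=nz,DC=corp,DC=example"
AU_GROUP = "CN=SAP_AU_Finance,OU=Groups,DC=au,DC=corp,DC=example"
NZ_GROUP = "CN=SAP_NZ_Payroll,OU=Groups,DC=nz,DC=corp,DC=example"
CORP_GROUP = "CN=SAP_Corp_Reporting,OU=Groups,DC=corp,DC=example"

REPOS = {
    "AU": {"groups": {AU_GROUP: [AU_USER]},
           "users": {AU_USER: {"memberOf": [AU_GROUP]}}},
    "NZ": {"groups": {NZ_GROUP: [AU_USER, NZ_USER]},      # alice is a foreign member
           "users": {NZ_USER: {"memberOf": [NZ_GROUP]}}},
    "Corporate": {"groups": {CORP_GROUP: [NZ_USER]},      # bob is a foreign member
                  "users": {}},
}


def domain_of(dn: str) -> str:
    """Return the DNS domain encoded in a DN's DC= components."""
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def user_side_assignments(repos) -> set:
    """Assignments as each user's own repository reports them (memberOf)."""
    return {(u, g) for r in repos.values()
            for u, a in r["users"].items() for g in a.get("memberOf", [])}


def union_assignments(repos) -> set:
    """Union over all repositories of every group's member attribute."""
    return {(u, g) for r in repos.values()
            for g, members in r["groups"].items() for u in members}


def cross_domain_gaps(repos) -> set:
    """Assignments only the union view finds; each one crosses a domain boundary."""
    gaps = union_assignments(repos) - user_side_assignments(repos)
    assert all(domain_of(u) != domain_of(g) for u, g in gaps)
    return gaps


if __name__ == "__main__":
    for user_dn, group_dn in sorted(cross_domain_gaps(REPOS)):
        print(f"missing on user side: {user_dn} -> {group_dn}")
```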

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Henrik,

it's great that it got solved!

To help others find your solution, would you please close the thread properly by marking an answer as correct (I guess that would be your last post)? This way your thread gets one of those neat little green check marks next to it. ^^

Regards,

Steffi.

Answers (2)

former_member2987
Active Contributor
0 Kudos

Henrik,

Three domain controllers or three separate domains? That will matter a lot in trying to resolve this issue.

Matt

Henrik1
Participant
0 Kudos

Hi,

I guess a little more detail is required 🙂

There is a repository for each AD, and provisioning works as intended. The only case when it is not working, is when the AD group assigned to a user is from another AD. Example:

We have AU, NZ and Corporate domains. They are subdomains of the main domain, but I can't pull them from the main domain to get a consolidated view.

If an AU user is assigned a local AU group, then no problem.

If an AU user is assigned a NZ group, which is in NZ AD, it does not come through in the delta load job into AD, even though I can see it in the AD browser...

Does that help?

former_member2987
Active Contributor
0 Kudos

Henrik,

Maybe setting up a VDS to consolidate the views?

What Delta load job are you using, is it part of the framework or a custom job?

Matt

Henrik1
Participant
0 Kudos

VDS could potentially be an option to investigate. But since I'm not getting the data through at all, would it work?

I have modified the initial load job to just read users, groups and assignments. But those are the standard passes...

Steffi_Warnecke
Active Contributor
0 Kudos

I'm still confused as to what exactly you mean by:

<quote>

If an AU user is assigned a NZ group, which is in NZ AD, it does not come through in the delta load job into AD

</quote>

When you have one IdM repository per AD, then IdM should manage those 3 ADs as different systems. Meaning that you read the group assignments from all three and IdM sees them as 3 separate assignments. Now what is not coming through? Something to IdM? Something to one/all of the ADs?

Do you expect to see all AD group assignments in all three ADs, when you assign them in IdM? So that you can see the NZ groups also assigned to the AU users in their AU AD? Or are we talking about something that is missing in the IdM?

Yeah, I'm getting more confused...

former_member2987
Active Contributor
0 Kudos

Well, VDS reads the AD directly as is. Sounds like your job has some sort of filtering going on. Did you mention that you are using Delta?

Henrik1
Participant
0 Kudos

So, because the 3 domains belong to the same forest, it is possible to assign a group from AD-NZ to a user in AD-AU, without that group actually existing in AD-AU, or the user existing in AD-NZ.

That works just fine from an AD point of view.

However, that is the relationship that is not coming through when I read the AD.

Does that make more sense?

<quote>

Do you expect to see all AD group assignments in all three ADs, when you assign them in IdM? So that you can see the NZ groups also assigned to the AU users in their AU AD?

</quote>

Yes, that's exactly it!


/henrik

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Henrik,

are all three ADs connected as repositories to the IdM?

You can read the groups and the assigned users into IdM. There should be something for this in the initial load job. Then you could assign SAP roles dynamically through dynamic groups and their business roles.

Or did I misunderstand and you don't want to actually read the group assignments into IdM (so they are visible there for the identities and in the privileges), but you just want to create a job that reads the group assignments into a temp table and assigns SAP roles depending on AD group assignments through that?

Both should be possible as far as I know.

Or maybe I missed your point completely.

Regards,

Steffi.

Henrik1
Participant
0 Kudos

Yes, 3 repositories, and yes, it works just fine - with one minor issue as described in the answer to Matt 🙂