Issue MSAD - Parent and Child Domain

Former Member

Hello,

We are implementing SAP IDM 8.0 SP01 and we have been facing the following issue:

2 Active Directory repositories: A and B (B is a child domain of A), like a.com.br and b.a.com.br

We want to grant group privileges (Active Directory universal group) from a B group to a user from domain A. Is this possible?

When we execute it, IDM tries to create the same user A in domain B.

How can we resolve this issue? Is our implementation correct for these AD cases?

Thanks

Accepted Solutions (1)

former_member201064

Hello Rafael,

We have four domains, one of them is a subdomain of the other. This subdomain will be the "one domain" some day. However, groups need to be assigned wildly across domains.

I solved it like this in 7.2; it should work similarly in 8.0. I don't know if I remember it 100% correctly without looking:

  • No master priv assign task for any of the domains. I think you could do it for your primary domain though.
  • Creation of the user like normal. The only priv of the user's domain is set (no DIRECT_REFERENCE=1) from the request / mass import the user shall be created of. Then the provisioning begins. The groups of the user's domain are assigned after the creation.
  • Assignment of the groups in other domains is done with a batch job. This one also sets the Only privs of the other domains with DIRECT_REFERENCE=1. No system priv for these domains though.
  • Reconciliation is done in the night, and if the user is needed on the same day, the AD approver checks the user. They have to do some manual steps anyway, like homeshare creation.

Best regards

Dominik

Answers (0)