Active Directory: LDAP filter to exclude entitlement from specific OU

Hello guys,
I am trying to filter my AD connector to exclude entitlements from a specific OU during entitlement aggregation. I tried multiple filters, but it seems like it is not working.
For example: I tried this filter (&(objectClass=group)(!(distinguishedName=CN=random,OU=SamplOU,OU=Sample,DC=example,DC=com))).
This did exclude the entitlement, but I want to exclude all the entitlements from that specific SamplOU. I tried %u and *, but neither of them works in IdentityNow.
Thank you

Hi @surajrimal2323 , welcome to the community.

I am guessing these groups are being loaded through the account aggregation and not the entitlement aggregation. When running an account aggregation, the connector reads the group memberships of the accounts, which then lists the groups as entitlements. I don’t think there is currently a way to exclude those groups from being aggregated during the “account aggregation” process.

1 Like

Wildcard search doesn’t work for AD entitlements; you would have to include all entitlements individually in the filter.

Hi @surajrimal2323,

Is there no specific common attribute that you can use for all the groups from the specific OU in your use case?

Let’s say you are still unable to filter out the entitlements; what issue is that causing?

Is it just for the sake of exclusion that you want this to work, or is there some specific use case that you are unable to achieve?

Kindly let us know so that we can help accordingly.

Thanks

1 Like

Not sure of Suraj’s specific use case, but you may want to filter entitlements if you have a second source for AD admins or a specialized application but don’t want the entitlement to cross with the main AD source particularly when doing certifications.

In addition to using the filters within the specific connector configuration, you can also use source filters, which can be applied to accounts or groups. Source filters can be used in conjunction with connector filters.

IdentityNow Account Filtering during Account Aggregation - Compass (sailpoint.com)

Source filters support logic such as startsWith, endsWith and contains, which may address your wildcard situation.

Keep in mind that source filters identify which objects you wish to exclude, whereas AD connector LDAP filters identify which objects you wish to include, so they are logical opposites.

2 Likes
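Two points in the replies above (that wildcards do not match a DN attribute, so each group has to be listed individually in the connector filter, and that source filters apply endsWith-style logic to exclude objects) can be combined into one script. The example below is added here and is not code from the thread or from SailPoint: it takes a list of group DNs (constructed sample values), keeps those sitting under the excluded OU at any depth, and emits an explicit per-group LDAP exclusion filter with RFC 4515 escaping applied to the values.

```python
import re

def split_dn(dn: str) -> list:
    """Split a DN into normalized RDN strings, honouring backslash-escaped commas."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip().lower() for p in parts]

def is_under_ou(dn: str, ou_dn: str) -> bool:
    """True when dn lies (at any nesting depth) inside the container ou_dn.
    This is the endsWith-style test a source filter would apply to the DN."""
    d, o = split_dn(dn), split_dn(ou_dn)
    return len(d) > len(o) and d[-len(o):] == o

def ldap_escape(value: str) -> str:
    """Escape the RFC 4515 special characters in an LDAP filter assertion value."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def excluded_groups(group_dns, excluded_ou: str) -> list:
    """Return the subset of group_dns that fall under excluded_ou."""
    return [dn for dn in group_dns if is_under_ou(dn, excluded_ou)]

def build_exclusion_filter(group_dns, excluded_ou: str,
                           base: str = '(objectClass=group)') -> str:
    """AND the base filter with one NOT clause per group found under the excluded OU,
    which is the explicit form an AD connector LDAP filter needs (no DN wildcards)."""
    clauses = ''.join('(!(distinguishedName=%s))' % ldap_escape(dn)
                      for dn in excluded_groups(group_dns, excluded_ou))
    return '(&%s%s)' % (base, clauses)

# Constructed sample data (not real directory content).
SAMPLE_GROUPS = [
    'CN=random,OU=SamplOU,OU=Sample,DC=example,DC=com',
    'CN=Sales Admins,OU=Nested,OU=SamplOU,OU=Sample,DC=example,DC=com',
    'CN=Domain Users,CN=Users,DC=example,DC=com',
]
EXCLUDED_OU = 'OU=SamplOU,OU=Sample,DC=example,DC=com'

if __name__ == '__main__':
    print(build_exclusion_filter(SAMPLE_GROUPS, EXCLUDED_OU))
```

In practice the group list would come from a directory export of the OU; regenerate the filter whenever groups are added to that OU, since the connector filter only lists the groups it was built with.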

Hi @surajrimal2323 ,

Try using this filter:
(&((objectClass=group)(!(distinguishedName.contains("OU=SamplOU,OU=Sample")))))

Thanks

1 Like

I tried this. It did not work.

1 Like

Hi

Use the sample filter below in your source configuration's LDAP filter, not in filterString.

(&(objectCategory=group)(!(msDS-parentdistname=OU=ParentOU,DC=domain,DC=com)))

Thanks,
Siva.K
