Active Directory Cross Domain Group Creation

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hi All,

We have a requirement to aggregate groups from Active Directory Target 1 and create the groups in Active Directory Target 2 in a different OU. The two targets are in different domains, and the OU in which the groups should be created is also different.
If anyone has worked on a similar requirement, please share your inputs on how it can be achieved.

Thanks

@pnandhakumar
Can you please be clearer: do you mean accounts in Domain 1 can have membership in Domain 2 and vice versa?

You can either go with having two different applications, where you aggregate accounts from each domain into its own app, but under groups you can have both domain mappings in the application group search filter and also in the domains and forest settings.

This way provisioning of accounts, groups and group memberships can be handled.

We did a similar implementation for us.

Thanks for your response Satish… Groups in domain 1 (target 1, ex: DC=corp,DC=net), when aggregated into SailPoint, should be created in domain 2 (target 2, ex: DC=thirdparty,DC=com).
Currently we have 2 directories like in the example above; group and user sync between them is handled by MIM. We are going to decommission it, but the sync should not be disturbed and SailPoint should handle it.

Okay, so are you planning to create all the groups from Domain1 (DC=corp,DC=net) in Domain2 (DC=thirdparty,DC=com) using SailPoint in the target, or just show them in SailPoint under Domain2? It's still confusing.

We have to create them using SailPoint.

If that's the case, the below should work for you for groups:

Have two different applications, one for each domain, and run full group aggregations to make sure both apps have updated entitlements from the target within SailPoint.

Now you can come up with a rule that compares the groups present in application 1 (tied to domain 1) and missing in application 2 (tied to domain 2).

If any group is missing, provision the group from SailPoint into domain 2.

If the number of groups is huge and a comparison happening daily can cause performance issues, you can have filters based on the last refresh or last updated date of the Managed Attribute object of application 1.

This will handle the group sync. Are you also looking for user data and user-to-group membership relation sync as well?

1 Like
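One way to implement the compare-and-provision rule described above, written as an added example for this thread (not SailPoint product code and not something posted in the thread). It is the body of a standalone IdentityIQ rule, in BeanShell (Java syntax), intended to be scheduled from a task rather than attached to the group refresh rule. The application names `AD-Corp` and `AD-ThirdParty`, the target OU `OU=SyncedGroups,DC=thirdparty,DC=com`, the `lookbackHours` variable, and the assumption that the group schema object type is the default `group` are all illustrative; every `sailpoint.*` call (`context.search`, `Filter.gt("lastRefresh", …)`, `ObjectRequest`, `Provisioner.execute`) should be checked against the 8.3 javadoc before use.

```java
// Standalone IIQ rule body (BeanShell, Java syntax) scheduled from a task.
// Added example for this thread, not SailPoint product code.
// Assumed names: AD-Corp / AD-ThirdParty / OU=SyncedGroups,... are placeholders.
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import sailpoint.api.Provisioner;
import sailpoint.object.Filter;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningPlan.ObjectOperation;
import sailpoint.object.ProvisioningPlan.ObjectRequest;
import sailpoint.object.QueryOptions;

String sourceApp = "AD-Corp";                              // DC=corp,DC=net
String targetApp = "AD-ThirdParty";                        // DC=thirdparty,DC=com
String targetOu  = "OU=SyncedGroups,DC=thirdparty,DC=com"; // OU that receives the copies
// Assumed task argument: how far back to look; null forces a full comparison.
Integer lookbackHours = 24;

// 1. Collect the group names already present in the target application.
//    A projection search returns only the column we need instead of full objects.
Set existing = new HashSet();
QueryOptions targetQo = new QueryOptions();
targetQo.addFilter(Filter.eq("application.name", targetApp));
targetQo.addFilter(Filter.eq("type", "group"));
Iterator it = context.search(ManagedAttribute.class, targetQo, "displayName");
while (it.hasNext()) {
    Object[] row = (Object[]) it.next();
    if (row[0] != null) existing.add(((String) row[0]).toLowerCase());
}

// 2. Load source groups, limited to those refreshed in the lookback window so a
//    daily run does not walk the whole directory (the lastRefresh filter above).
QueryOptions sourceQo = new QueryOptions();
sourceQo.addFilter(Filter.eq("application.name", sourceApp));
sourceQo.addFilter(Filter.eq("type", "group"));
if (lookbackHours != null) {
    Date since = new Date(System.currentTimeMillis() - lookbackHours * 3600000L);
    sourceQo.addFilter(Filter.gt("lastRefresh", since));
}
List sourceGroups = context.getObjects(ManagedAttribute.class, sourceQo);

// 3. Build a single plan with one Create ObjectRequest per missing group.
ProvisioningPlan plan = new ProvisioningPlan();
int created = 0;
for (int i = 0; i < sourceGroups.size(); i++) {
    ManagedAttribute ma = (ManagedAttribute) sourceGroups.get(i);
    String name = ma.getDisplayName();
    if (name == null || existing.contains(name.toLowerCase())) continue;

    ObjectRequest req = new ObjectRequest();
    req.setApplication(targetApp);
    req.setType("group");
    req.setOp(ObjectOperation.Create);
    // The AD connector keys groups by DN; the DN is rebuilt under the target OU
    // rather than copied from the source forest.
    req.setNativeIdentity("CN=" + name + "," + targetOu);
    req.add(new AttributeRequest("sAMAccountName", name));
    req.add(new AttributeRequest("description", "Synced from " + sourceApp + " by IIQ"));
    plan.addObjectRequest(req);
    created++;
}

// 4. Hand the plan to the provisioner only when there is something to create.
if (created > 0) {
    Provisioner provisioner = new Provisioner(context);
    provisioner.execute(plan);
}
log.info("Cross-domain group sync: " + created + " group(s) requested in " + targetApp);
return "created=" + created;
```

Two design notes: the comparison is done on names in memory rather than one query per source group, which is what keeps a daily run cheap even with a large catalogue; and the connector service account for `AD-ThirdParty` only needs the right to create groups inside the target OU, so scope its AD permissions to that OU rather than granting domain-wide group management.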

Thanks Satish. User-group membership relation sync might be in scope, not confirmed yet. Can I include this logic in the group aggregation refresh rule of application 1? Is that fine?

Having this in the group refresh rule may cause performance issues, so I would suggest having this as a standalone rule or code.

2 Likes

Thank you so much !!
