Active Directory Users Filter

Which IIQ version are you inquiring about?

8.4p3

Hello Community,

How can I filter users in Sailpoint who are only members of a specific group in Active Directory? I was able to filter groups, but I couldn’t filter users who are members of a group. All users are listed, and therefore, they have extra applications on them.

Thanks,

Let me make sure I understand what you want to achieve.

Do you want only users aggregated that are part of a specific AD group?

E.g.

User 1 member of shouldGoInIIQAdGrp = Account aggregated to IIQ
User 2 not a member of shouldGoInIIQAdGrp = account not aggregated in IIQ

Hi @BenjaminIglesias ,

Yes, that’s exactly what I want. Because it’s an application for certification and they want to review specific groups and their members. We came up with the idea of integrating the application this way to avoid having to manually add groups for the certificate each time.

Thanks,

If you add this to the Iterate Search Filter, it should do that (of course all users that don’t have this group would be deleted if you run the account aggregation with detect deleted on, but I guess that’s what you are looking to achieve):
(&(objectClass=user)(memberOf=CN=YourGroupName,OU=Groups,DC=example,DC=com))

This is direct membership only.

@BenjaminIglesias
This way, it would actually require manual processing, wouldn’t it? I have a lot of groups, so I’ll add them, and then when a new group arrives, I’ll have to add it here again, so I’ll actually have to keep track of it.

Yeah, it would. Unless there is some sort of reliable piece of data that you can rely on for the filter? Specific OU, extensionAttribute or something. Then you can construct a filter for that.

You can also set up a customization rule and return null in cases where you don’t want the user to be included in the system. Not the greatest performance-wise, if there is a lot to churn through. But then you can use BeanShell/Java if you need some more advanced logic.
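As an added example (not code from the thread, from SailPoint, or from the AD connector), the snippet below covers both suggestions above: it builds the Iterate Search Filter for one or more group DNs, with RFC 4515 escaping of the DN value and an OR over several groups, and it applies the same direct-membership test to account attributes, which is the decision a customization rule would make before returning null. The nested-membership variant using AD's matching-rule-in-chain OID goes beyond the direct-membership filter quoted earlier. The group DNs and account records are constructed sample data, and the account is modelled as a plain dict rather than the ResourceObject a real IIQ rule receives.

```python
"""
Added example: build the LDAP filter for AD users that are members of
one or more groups, and apply the equivalent membership test to
aggregated account data. Not SailPoint's own code.
"""
from typing import Iterable, List, Mapping, Sequence

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID. Used on memberOf it
# matches nested (transitive) membership; plain memberOf is direct only.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a DN containing '(', ')',
    '*' or '\\' cannot break the filter or widen it into a wildcard match."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_member_filter(group_dns: Sequence[str], nested: bool = False) -> str:
    """Return an LDAP filter selecting user objects that are members of any
    of group_dns. nested=True switches to the matching-rule-in-chain form."""
    if not group_dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:" if nested else "memberOf"
    clauses = "".join(f"({attr}={escape_filter_value(dn)})" for dn in group_dns)
    if len(group_dns) > 1:
        clauses = f"(|{clauses})"  # OR the group clauses together
    return f"(&(objectClass=user){clauses})"


def is_direct_member(account: Mapping[str, object], group_dns: Iterable[str]) -> bool:
    """Direct-membership test on an account's attributes: the check a
    customization rule would run before deciding to drop the object.
    The account is a plain dict here (assumption), not a ResourceObject."""
    member_of = account.get("memberOf") or []
    if isinstance(member_of, str):  # single-valued attribute arrives as str
        member_of = [member_of]
    wanted = {dn.lower() for dn in group_dns}  # DNs compare case-insensitively
    return any(dn.lower() in wanted for dn in member_of)


def select_accounts(accounts: Iterable[Mapping[str, object]],
                    group_dns: Sequence[str]) -> List[Mapping[str, object]]:
    """Keep only accounts that would survive the rule (non-null return)."""
    return [a for a in accounts if is_direct_member(a, group_dns)]


# Constructed sample data: hypothetical DNs and accounts, not from the thread.
IN_SCOPE_GROUPS = [
    "CN=YourGroupName,OU=Groups,DC=example,DC=com",
    "CN=Sales (EMEA)*,OU=Groups,DC=example,DC=com",  # needs escaping
]
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "user1",
     "memberOf": ["CN=YourGroupName,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "user2",
     "memberOf": ["CN=Other,OU=Groups,DC=example,DC=com"]},
    {"sAMAccountName": "user3",
     "memberOf": "cn=sales (emea)*,ou=groups,dc=example,dc=com"},
    {"sAMAccountName": "user4"},  # no memberOf at all
]

if __name__ == "__main__":
    print(build_member_filter(IN_SCOPE_GROUPS))
    print(build_member_filter(IN_SCOPE_GROUPS, nested=True))
    print([a["sAMAccountName"] for a in select_accounts(SAMPLE_ACCOUNTS, IN_SCOPE_GROUPS)])
```

With a single group the function reproduces the filter quoted earlier in the thread exactly; with several groups it ORs them, which still leaves the maintenance problem raised below (each new group means editing the filter), and the nested form only helps when the in-scope groups contain other groups.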

@BenjaminIglesias
Should the extensionAttribute be on the group or the user? Shouldn’t AD fill in this field every time for the user who is a member of the group?
I considered customization, but unfortunately, it wouldn’t be good performance-wise for 13k accounts.
What logic can I use in the Java rule?

Well, I think the first step is to figure out a way to distinguish these groups from others; that should be the criteria for which users to include in your instance, if you are looking to automate the import and not rely on a manual update of some sort of “list”. E.g. on one of our AD connectors, we have an extensionAttribute on groups. If that one is set, the group/group memberships should go into IIQ (not exactly your use case). But I think you need to take a step back and consider your options for which data you can use to make this dynamic.