AD Owner is not getting updated in SailPoint

Hi all,

We are seeing a case where the owner of the AD entitlements is not getting updated. The owner has already been updated on the AD side. The group aggregation is all successful.

Below is the template of the aggregation task:

<TaskDefinition formPath="/monitor/tasks/accountGroupAggregationTask.xhtml" name="AD Group Aggregation" resultAction="Rename"  subType="task_item_type_acct_grp_aggregation" type="AccountGroupAggregation">
  <Attributes>
    <Map>
      <entry key="accountGroupRefreshRule" value="Rule-FrameWork-Group-Refresh"/>
      <entry key="aggregationType" value="group"/>
      <entry key="applications" value="AD"/>
      <entry key="checkDeleted" value="false"/>
      <entry key="deltaAggregation" value="false"/>
      <entry key="descriptionLocale" value="en_US"/>
      <entry key="enablePartitioning" value="false"/>
      <entry key="groupSchema"/>
      <entry key="haltOnMaxError" value="false"/>
      <entry key="noGroupCycleDetection" value="True"/>
      <entry key="promoteClassifications" value="false"/>
      <entry key="taskCompletionEmailNotify" value="Disabled"/>
    </Map>
  </Attributes>
  <Description>Task template for application group scanning.</Description>
  <Owner>
    <Reference class="sailpoint.object.Identity" id="" name="spadmin"/>
  </Owner>
  <Parent>
    <Reference class="sailpoint.object.TaskDefinition" id="" name="Account Group Aggregation"/>
  </Parent>
</TaskDefinition>

We added noGroupCycleDetection to resolve the cyclic pruning warning.

We have the appropriate schema as below:

Has anyone faced a similar issue? Any workaround?


Hi Rabindra, IIQ won’t set the entitlement owner automatically based on a schema attribute. This can be accomplished via an account group refresh rule. Here is an example that SailPoint provides in their Rule document:

import java.util.List;
import sailpoint.object.ResourceObject;
import sailpoint.object.AccountGroup;
import sailpoint.object.Identity;

// Rule arguments bound by IIQ: obj (ResourceObject), accountGroup, context.
String ownerDN = null;
String ownerName = null;
Identity identity = null;
Object owner = obj.getAttribute("owner");

// The attribute may arrive single- or multi-valued; take the first DN.
if (owner instanceof List) {
  List owners = (List) owner;
  if (!owners.isEmpty()) {
    ownerDN = (String) owners.get(0);
  }
} else {
  ownerDN = (String) owner;
}

// Extract the uid RDN value, e.g. "uid=jdoe,ou=people,..." -> "jdoe".
// Guard both indexOf calls: an unexpected DN shape must not throw.
if (ownerDN != null) {
  int start = ownerDN.indexOf("uid=");
  int end = ownerDN.indexOf(",");
  if (start >= 0 && end > start + 4) {
    ownerName = ownerDN.substring(start + 4, end);
  }
}

if (null != ownerName) {
  identity = context.getObjectByName(Identity.class, ownerName);
}

// Only overwrite the owner when the identity actually resolves.
if (null != identity) {
  accountGroup.setOwner(identity);
}

return accountGroup;
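As an added example (not code from this thread, from SailPoint's rule document, or from the original poster), an AD-oriented variant of the same refresh rule. It assumes the group schema exposes AD's native owner attribute as managedBy, that the identity name equals the CN of that DN, and that accountGroup, obj, context and log are bound by IIQ as in any Group Aggregation Refresh rule; it parses the CN even when it contains an escaped comma, and it skips inactive (terminated) identities, which is the check the final reply describes.

```java
import java.util.List;
import sailpoint.object.Identity;
import sailpoint.object.ResourceObject;

// Assumed attribute name: AD stores the group owner DN in managedBy.
String OWNER_ATTR = "managedBy";

// Return the value of the first RDN of a DN:
//   "CN=Doe\, Jane,OU=Users,DC=corp,DC=example" -> "Doe, Jane"
// A backslash-escaped comma is part of the value, not a separator.
String firstRdnValue(String dn) {
    if (dn == null) return null;
    int eq = dn.indexOf('=');
    if (eq < 0) return null;
    StringBuilder sb = new StringBuilder();
    for (int i = eq + 1; i < dn.length(); i++) {
        char c = dn.charAt(i);
        if (c == '\\' && i + 1 < dn.length()) { sb.append(dn.charAt(++i)); continue; }
        if (c == ',') break;
        sb.append(c);
    }
    String v = sb.toString().trim();
    return v.length() == 0 ? null : v;
}

Object raw = obj.getAttribute(OWNER_ATTR);
String ownerDN = null;
if (raw instanceof List) {
    List values = (List) raw;
    if (!values.isEmpty()) ownerDN = (String) values.get(0);
} else if (raw != null) {
    ownerDN = raw.toString();
}

String ownerName = firstRdnValue(ownerDN);
Identity identity = (ownerName != null)
    ? context.getObjectByName(Identity.class, ownerName) : null;

if (identity == null) {
    log.warn("No identity resolved for group owner DN: " + ownerDN);
} else if (identity.isInactive()) {
    // Terminated owner: keep whatever owner the entitlement already has.
    log.warn("Owner " + identity.getName() + " is inactive; not assigning to "
             + obj.getIdentity());
} else {
    accountGroup.setOwner(identity);
}

return accountGroup;
```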

@rabshrestha AD Group aggregation only brings group objects into SailPoint, but it does not set metadata like group owner etc. To set a group owner, you need to create a “Group Aggregation Refresh Rule” and select it in your AD Group Aggregation task.


Thank you all. Yep, we found the refresh rule in the application XML. The logic in place inside the rule was preventing terminated owners from being set as owners. Thus, now we have clarity on our implementation.

Thanks again.
