Azure AD Group Name Issue

Which IIQ version are you inquiring about?

8.2P1

Share all details about your problem, including any error messages you may have received.

Hi All,

We are facing an issue with the Azure AD group name. Whenever we try to update a name on the Azure end, the change is not reflected in SailPoint entitlements. Can you please help with how we can resolve this issue?

Regards
Amit

Group names are not updated if they are changed on the target system after the first aggregation. So, in order to reflect the updated name in SailPoint, we have two options:

  • delete that group from SailPoint and re-run the aggregation, or
  • have the Group Aggregation Refresh Rule on your aggregation task.

```java
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

// Group Aggregation Refresh rule: obj is the aggregated ResourceObject,
// accountGroup is the ManagedAttribute being refreshed.
if (obj != null) {
    String displayName = (String) obj.getAttribute("displayName");
    try {
        // Overwrite the stored display name only when the source supplies one.
        if (Util.isNotNullOrEmpty(displayName)) {
            accountGroup.setDisplayName(displayName);
        }
    } catch (GeneralException e) {
        log.debug("Exception while running Group Refresh rule : " + e);
    }
}

return accountGroup;
```

Did you try running group aggregation?

Hi @ayadav_12 ,

I think, as far as I remember, this won’t happen by default because it depends on the connector, whether it allows it or not. I see a few connectors do not allow it, like AD and some others. Similarly, this connector is also like this. You have to manually update it in SailPoint explicitly if something changes natively on the application side.

Try the code below in the group refresh rule, and run group aggregation. I am hoping that it will work. (Basically, the rule checks whether the old value and the newly updated value are the same or not. If not, it updates it.)

```java
// For reflecting group updates in IIQ
if (null != accountGroup && null != obj)
{
    log.error("inside if of checking obj and accountGroup starting");

    // Dump both objects so the stored and aggregated values can be compared in the log.
    log.error("ManagedAttribute object value : " + accountGroup.toXml());
    log.error("ResourceObject object value : " + obj.toXml());

    // Values currently stored on the entitlement (ManagedAttribute).
    String maEntValue = accountGroup.getValue();
    String maDisplayName = accountGroup.getDisplayName();
    // Values just read from the target system (ResourceObject).
    String objDNValue = obj.getIdentity();
    String objDisplayName = obj.getDisplayName();

    if (null != objDNValue && null != maEntValue && null != objDisplayName && null != maDisplayName)
    {
        // Update when either the entitlement value or the display name has changed.
        if (!(maEntValue.equals(objDNValue)) || !(objDisplayName.equals(maDisplayName)))
        {
            log.error("Both values are not equal");

            accountGroup.setValue(objDNValue);
            accountGroup.setDisplayName(objDisplayName);

            log.error("Both values are not equal, so setting updated value");
        }
        else
        {
            log.error("Both values are equal");
        }
    }
    else
    {
        log.error("Either of maEntValue or maDisplayName values are null");
    }

    log.error("inside if of checking obj and accountGroup ending");
}

// A group refresh rule returns the (possibly updated) ManagedAttribute.
return accountGroup;
```

You can also add extra checks by getting values from obj, if you want, based on your requirements.