Hi team,
We would like to include nested AD groups in campaign user access reviews. How do we implement this?
Thanks
Kalyan
@kalyannambi2010 I believe it is not possible, as we won't be able to read the nested AD groups and link them to the user accounts. Hence those cannot be included in a campaign as well.
Regards,
Shekhar Das
Do check out this post for any clarification
Hi Kalyana,
Include the nested groups separately as well during the launch of an Access Review.
So, if Group A has Group B as a nested group, launch an access review of both Group A and Group B.
Regards
Arjun
Hi @arjun_sengupta, @Anshu_Kunal and @shekhardas1825,
Thank you all for your reply.
Can SailPoint IDN detect nested AD groups automatically and include them in user access reviews? Or do we need to manually add nested AD groups and launch user access reviews?
Thanks
Kalyan
As a demonstration, I set up two groups in my dev Active Directory domain:
- flatGroup: this is a group that contains only two users: Luke Skywalker and Leia Organa
- mixedGroup: this group contains two users: Yoda and Obi-Wan Kenobi; as well as one nested group, flatGroup
I create a certification campaign targeting mixedGroup specifically. As you can see, there is no reference anywhere in this campaign to the child entitlement, flatGroup.
Here, we can see mixedGroup's direct membership, as well as its recursive membership, as pulled via Powershell:
I’m not sure how @princess included the child entitlement alongside the identities in her campaign, but my guess is that it was done through a non-standard configuration on the Active Directory source?
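The membership comparison described in the post above, and the "launch a review for each nested group" approach suggested earlier in the thread, can both be driven from a script like the following. This is an added example, not code from the original post or from SailPoint; it assumes the RSAT ActiveDirectory module and read access to the domain, and uses the group names from the thread (mixedGroup, flatGroup).

```powershell
# Added example: walk a parent AD group's nesting tree so every nested group can be
# launched as its own access review, then show which users hold access only through
# nesting (the ones a campaign on the parent group alone would not surface).
Import-Module ActiveDirectory

function Get-NestedGroupTree {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )
    # Remember visited groups so circular nesting (A in B, B in A) cannot loop forever
    if (-not $Visited.Add($GroupName)) { return }

    $members      = Get-ADGroupMember -Identity $GroupName
    $directUsers  = @($members | Where-Object objectClass -eq 'user')
    $nestedGroups = @($members | Where-Object objectClass -eq 'group')

    # One row per group: this is the list of groups that each need a review
    [PSCustomObject]@{
        Group        = $GroupName
        DirectUsers  = ($directUsers.SamAccountName -join ', ')
        NestedGroups = ($nestedGroups.SamAccountName -join ', ')
    }

    foreach ($g in $nestedGroups) {
        Get-NestedGroupTree -GroupName $g.SamAccountName -Visited $Visited
    }
}

# Groups that need their own access review (parent first, then each nested group)
$tree = Get-NestedGroupTree -GroupName 'mixedGroup'
$tree | Format-Table -AutoSize

# Direct membership (what the certification sees) vs. effective membership.
# -Recursive returns the leaf objects (users/computers) across all nesting levels.
$direct    = @(Get-ADGroupMember -Identity 'mixedGroup' | Where-Object objectClass -eq 'user')
$effective = @(Get-ADGroupMember -Identity 'mixedGroup' -Recursive)
$onlyViaNesting = Compare-Object -ReferenceObject $direct -DifferenceObject $effective -Property SamAccountName |
    Where-Object SideIndicator -eq '=>'

"Users with access to mixedGroup only through nested groups:"
$onlyViaNesting | Select-Object -ExpandProperty SamAccountName
```

With the thread's setup, the tree lists mixedGroup and flatGroup, and the second section names the two flatGroup members as holding access only via nesting.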
Hi @sup3rmark thank you so much for your reply.
Thanks
Kalyan
We are also unable to replicate the behaviour indicated by the screenshot from @princess. The lack of detail from that post isn’t helping the community.
For one, why would Group / Entitlement object be showing up as an Identity in the screenshot?
The group → group (Parent entitlement → Child entitlement) relationship does not appear to be a supported / documented / catered-for certifiable line item / object in a certification of the Parent entitlement, even though the child entitlement is a 'member'. i.e. Current observation: Access Review / certification only supports Entitlement → Account relationships.
p.s. I'm of the opinion (and experience) that certification of parent-child nested AD groups / SAP roles / Oracle DB roles is not typically part of IGA. Similar to what's mentioned by @edmarks here. e.g. IGA doesn't govern / certify AD tree ACLs…
Endpoint-specific privilege association configurations do not generally fall under IGA. Having the client to align with this view is another challenge of its own though.
Hi,
Thank you for detailed information.
Thanks
Kalyan