Issue with Replication of Active Directory group rename or OU change

Hi Team,

I need your assistance with an issue involving Active Directory (AD) group renames or OU changes in the target application.

IdentityIQ version: IIQ 8.4p1
Application: Microsoft Active Directory
objectType: group
identity Attribute: distinguishedName(DN)

The issue occurs when somebody makes either of the following changes directly in the target application:

  1. Rename a group
  2. Change the OU

The issue shows up on the next AD group aggregation in IIQ:

  1. The existing entitlement in the Entitlement Catalog is replaced with a new entitlement, so all of its existing properties (requestable, owner, etc.) are lost.
  2. The name change or OU change of the group is not reflected in the existing IT role in which the old entitlement was already a member.

Solutions implemented so far:

  1. Already enabled the following under gear icon > Global Settings > IdentityIQ Configuration > Miscellaneous tab:
    Enable Native Identity Change Event propagation

  2. The Request Definition object "Native Identity Change Propagation Request" looks like below:


Share all details about your problem, including any error messages you may have received.

  1. The old entitlement is replaced with a new one when the next AD group aggregation happens.
  2. The AD group name is not replicated in the role.
  3. When somebody is assigned the role, the assignment fails with the following error:

“Error(s) reported back from the IQService - Error occurred while connecting to group CN=TEST_IAM_New_Updated_17Jan,OU=TEST,OU=FileGroups,OU=----,DC=-----test,DC=local. Failed to connect to the server for CN=TEST_IAM_New_Updated_17Jan,OU=TEST,OU=FileGroups,OU=----,DC=-----test,DC=local:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=TEST,OU=FileGroups,OU=----,DC=-----test,DC=local’ 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=TEST,OU=FileGroups,OU=----,DC=-----test,DC=local’ . HRESULT:[0x80072030]Failed to connect to the server for CN=TEST_IAM_New_Updated_17Jan,OU=TEST,OU=FileGroups,OU=----,DC=-----test,DC=local:There is no such object on the server. There is no such object on the server. 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=TEST,OU=FileGroups,OU=----,DC=-----test,DC=local’ 0000208D: NameErr: DSID-0310028D, problem 2001 (NO_OBJECT), data 0, best match of: ‘OU=TEST,OU=FileGroups,OU=----,DC=-----test,DC=local’ . HRESULT:[0x80072030] Possible reasons for failure include a) The Domain Controller is currently not reachable b) The object has either been moved or renamed c) The object has been deleted Please Ensure the data has been aggregated before performing the operation”.

I would appreciate your assistance with this.
Please suggest how we can make the group rename and OU change work without impacting the existing entitlement in IIQ.

Thanks & regards,
Ankur

@goyalan All of these things you need to handle with a process:
change the group name in SailPoint and AD; while changing it, make sure to copy the properties. Once the group name is changed and the value updated, check and update the custom object, Bundle and any other place where it is hardcoded (this one you can get from a DB query), then change the other properties and finally run a single account aggregation for all the members who are part of this group.

Hi @goyalan

I attempted to recreate the issue by renaming the AD group from the target end. I noticed that the owner is updated according to the AD group, but IIQ properties like “requestable” and “iiqElevatedAccess” remain unchanged. Additionally, the group was not recreated, as the creation date stayed the same before and after renaming the group.

I have a few more questions:

  1. Was this functionality working previously? If yes, what was the IIQ version?
  2. Could you check the debug page to see if the object ‘NativeIdentityChangeEvent’ has been created with both the old and new group names?

Hi Aripitha,
“Enable rename detection on managed attributes” in AD Account aggregation is already included.

I don’t see any change event for groups on the debug page under the NativeIdentityChangeEvent object.

There are change events only for users, and all of those are successful.
I guess that is the only problem.
We have enabled “Native Change Detection” in the AD application as well.
We are using 8.4p1, and it worked fine up to 8.2p3 when we were using objectGuid as the identity attribute for the group object type.
But with 8.3p3, SailPoint asked us to change it back to distinguishedName, as they handle this in the backend through objectGuid, which remains the same for the group.
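The point made above, that the DN changes on a rename or OU move while objectGUID does not, is easy to reproduce on the AD side before touching IIQ. The script below is an added example and is not from the original thread or from SailPoint; it assumes the RSAT ActiveDirectory module, rights on a test OU, and hypothetical group and OU names. It captures the GUID first, performs the rename and move through that GUID, then shows that the old DN now fails with the same NO_OBJECT condition quoted in the error message while the GUID still resolves to the new DN that IIQ would need.

```powershell
# Added example (not from the thread). Assumes RSAT ActiveDirectory module and
# write access to a test OU. All DNs and names below are hypothetical.
Import-Module ActiveDirectory

$oldDn   = 'CN=TEST_IAM_New,OU=TEST,OU=FileGroups,DC=test,DC=local'   # hypothetical
$newName = 'TEST_IAM_New_Updated'                                     # hypothetical
$newOuDn = 'OU=Archive,OU=FileGroups,DC=test,DC=local'                # hypothetical

# 1. Capture the stable key (objectGUID) and creation time BEFORE the change.
$before = Get-ADGroup -Identity $oldDn -Properties whenCreated
$guid   = $before.ObjectGUID

# 2. Rename and move the group, addressing it by GUID so the operations do not
#    depend on a DN that is about to change.
Rename-ADObject -Identity $guid -NewName $newName
Move-ADObject   -Identity $guid -TargetPath $newOuDn

# 3. Lookups by the old DN now fail: this is the 0000208D / NO_OBJECT case from
#    the IQService error, because the DN was the only key the caller had.
$oldDnResolves = $true
try {
    Get-ADGroup -Identity $oldDn -ErrorAction Stop | Out-Null
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    $oldDnResolves = $false
}

# 4. The GUID still resolves and yields the new DN; whenCreated is unchanged,
#    confirming it is the same object and not a recreated group.
$after = Get-ADGroup -Identity $guid -Properties whenCreated

[pscustomobject]@{
    ObjectGUID        = $guid
    OldDN             = $oldDn
    OldDNResolves     = $oldDnResolves
    NewDN             = $after.DistinguishedName
    SameObject        = ($before.whenCreated -eq $after.whenCreated)
}
```

The OldDN/NewDN pair this prints is the mapping a NativeIdentityChangeEvent would have to carry for IIQ to update the managed attribute and any role that references the old DN; if no such event is created for groups, the table of old and new DNs captured this way is what you would have to apply by hand.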