8.3
As per my client requirements, I need to setup NativeChangeDetection for groups from AD. I’m aware that OOTB NCD feature is available for accounts, but I couldn’t find any ways to achieve this for groups.
Is this possible with IIQ? or any workarounds?
The memberOf attribute on the AD account holds group memberships, so in theory you can apply Native Change Detection to that attribute to manage AD groups as well.
We implemented a different method to achieve Native Change Detection (NCD) for AD. Below steps you can follow to achieve it
We created a new AD application specifically for groups.
Configured the account filter with an LDAP group search filter.
Modified the schema to include relevant group attributes. For our use case, we mapped member and memberOf attributes as managed and entitlement attributes.
Developed creation and correlation rules to ensure groups are recognized as group cube identities within SailPoint.
Trigger account aggregation for a new group application, which imported groups as identities.
Before running next aggregation, enabled NCD in the application configuration. Depending on requirements, selected either entitlement-based or attribute-based detection.
Made changes to few of the groups in AD, then ran aggregation for the new group application.
Verified that NCD events are created on modified group identities.
Set up a native change event trigger rule and associated workflow as needed.
Ran the Refresh Identity task to confirm that NCD events were processed for the affected group identities.
Cons:
Aggregation may take a long time if there are a large number of groups present in your system.
Delta aggregation did not work as expected during our testing.
Customization rules should be kept simple to avoid impacting aggregation performance.
Thanks for the detailed response. I’ll try this approach