Nested AD groups - Best Practices

Hi All,

What is the best practice to handle nested AD groups?

We are looking to perform certifications on AD security groups, but many groups have nested structures and we are not sure about the best practice to handle this.

Any help/pointers would be really appreciated.

I believe the product doesn’t offer support for this feature. While you can certainly examine the group membership, removing access from nested groups or indirect memberships may not be possible. Nevertheless, you can utilize certifications to evaluate these indirect memberships and explore options to simplify the certification process by potentially removing nested groups.

Unnesting your groups is further justified by the fact that the nesting of groups can frequently become unmanageable and spiral out of control. This can result in a disorderly and cumbersome situation, ultimately leading to a loss of control over who has access to what. Ironically, this situation contradicts the very purpose for which groups are utilized in the first place.

1 Like

“Nested Groups” in Active Directory are similar to “Composite Roles” in SAP (and similar concepts in other sources/systems). By “definition” these should NOT be expanded in IDN or any concern of IDN. These constructs are a feature in the target system and should be addressed directly in the target system considering the nested roles/groups can’t be changed directly in IDN.

As an alternative, IDN Access Profiles/Roles could be used to replace nesting in target applications, but this is a significant lift for the migration and eliminates the benefits (and challenges) of using the native functionality. There are definitely some pros/cons to using nested groups in AD, but these are left to AD vs. being exposed/handled in IDN.

3 Likes

I agree with @sunnyajmera and @edmarks

I have never seen usage of nested AD Groups in IIQ or in IDN. For IIQ/IDN it is just a group/entitlement; whether it is nested or not doesn’t matter.

If you would like to build the nesting concept in IDN, it is possible with conditions in Role criteria: if a user is part of one Group, add the nested Group as well.

But isn’t it making RBAC complex and creating unnecessary objects?

I don’t question AD, definitely; they have their own reasons for nesting the Groups.

2 Likes

I hope cleaning up is starting, but if you really need to release a review and it has nested groups:

You can add groups as part of your user search in AD.

User Search Scope
fill in your domain information
LDAP Search Filter: (&(objectClass=group))
or target all objectClass where you store your security groups

Hi All,

Thanks for your reply. So if I understood correctly, SailPoint can’t effectively govern Nested Groups via certification. So the better solution approach is to clean up the nested AD groups outside SailPoint.

1 Like

short answer: it can.

We can release certifications that include nested groups.

eg.
review is for ABC Security Group

member 1: user
member 2: user
member 3: UVW Group
member 4: user
member 5: user
member 6: XYZ Group

The best solution is yes, clean up and risk management.
Some nested groups could probably cause some chaos in your environment if you start taking them off, and it needs risk appetite from your leaders to decide whether it is best to keep them nested or apply change management.
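As an added example (not from this thread and not SailPoint functionality), a small Python script that flattens a direct-membership export like the ABC Security Group review above into effective users, records the nesting path each user inherits access through, and flags circular nesting so the reviewer sees the indirect memberships before deciding what to clean up. The sample data is constructed: ABC Security Group follows the review above, while the contents of UVW Group and XYZ Group are made up.

```python
from collections import deque

# Constructed sample export of direct AD group membership (group -> members).
# ABC Security Group mirrors the review above; the contents of UVW Group and
# XYZ Group, including the reference back to ABC, are made up for the example.
GROUPS = {
    "ABC Security Group": ["alice", "bob", "UVW Group", "carol", "dave", "XYZ Group"],
    "UVW Group": ["erin", "XYZ Group"],
    "XYZ Group": ["frank", "ABC Security Group"],
}


def effective_members(groups, root):
    """Walk nesting from root; return (users, nested_groups, cycles).
    users: user -> shortest group path inherited through; nested_groups: group ->
    path reaching it; cycles: paths that loop back onto a group already on them."""
    users, nested_groups, cycles = {}, {}, []
    expanded = set()                       # each group is expanded once
    queue = deque([(root, [root])])        # BFS, so the first path found is shortest
    while queue:
        group, path = queue.popleft()
        if group in expanded:
            continue
        expanded.add(group)
        for member in groups.get(group, []):
            if member in groups:           # member is itself a group
                if member in path:         # nesting loops back on itself
                    cycles.append(path + [member])
                    continue
                nested_groups.setdefault(member, path)
                queue.append((member, path + [member]))
            else:
                users.setdefault(member, path)
    return users, nested_groups, cycles


def review_rows(groups, root):
    """One certifiable row per effective user, showing how access is inherited."""
    users, _, _ = effective_members(groups, root)
    return [
        f"{user}: " + ("direct" if len(path) == 1 else "via " + " > ".join(path[1:]))
        for user, path in sorted(users.items())
    ]


if __name__ == "__main__":
    for row in review_rows(GROUPS, "ABC Security Group"):
        print(row)
```

Feed it a real export (one group per key, direct members as values) and the cycle list is the first place to look when deciding which nested groups to remove.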

Hello,
Would it be possible to do a secondary certification of the nested group membership in IDN or will that need to be reviewed/managed outside?

I am not aware of any functionality built into the product that would allow this. The options are typically to complete the review outside or to build a fake source (delimited file) where you can format the data and manually upload it into SailPoint.

We have been reviewing the uncorrelated account certifications as an entry point to clean up our nested groups (treat the top-level group as an account and the groups that are members as entitlements).

Is there documentation for setting this up on the AD Source? We were told that this isn’t possible by both SailPoint support and our VAR.

1 Like

The following screenshot may be custom functionality that is not provided out of the box by SailPoint.

@tmclaughlin @jrote01 @c115665

The nested group is included in the access certification of the group we’re reviewing.
