Role Assignment Criteria

Hi,

The requirement is to add the users from an AD group A to group B through an IDN role. I have done the role configuration below; however, the identities are not getting added as part of the role refresh. I would appreciate an extra pair of eyes on this.

{

"name": "Group B - DL",
"created": "2025-09-29T19:29:25.429023Z",
"modified": "2025-09-29T21:40:22.307498Z",
"description": null,
"owner": {
    "type": "IDENTITY",
    "id": "7a874b1c3d5e4d858dac2084f55902c8",
    "name": "Bransy"
},
"entitlements": [],
"accessProfiles": [
    {
        "id": "f4a16134dad44fb89acf547b8f41a6bf",
        "type": "ACCESS_PROFILE",
        "name": "group B"
    }
],
"membership": {
    "type": "STANDARD",
    "criteria": {
        "operation": "OR",
        "key": null,
        "values": null,
        "stringValue": null,
        "children": [
            {
                "operation": "AND",
                "key": null,
                "values": null,
                "stringValue": null,
                "children": [
                    {
                        "operation": "EQUALS",
                        "key": {
                            "type": "IDENTITY",
                            "property": "attribute.status",
                            "sourceId": null
                        },
                        "values": [
                            "active"
                        ],
                        "stringValue": null,
                        "children": null
                    },
                    {
                        "operation": "EQUALS",
                        "key": {
                            "type": "ACCOUNT",
                            "property": "attribute.memberOf",
                            "sourceId": "8c3937f3e01d407c962bf7a836f3f8bb"
                        },
                        "values": [
                            "CN=group A,OU=Department,DC=Access,DC=org"
                        ],
                        "stringValue": null,
                        "children": null
                    }
                ]
            }
        ]
    },
    "identities": null
},
"legacyMembershipInfo": null,
"enabled": true,
"requestable": false,
"accessRequestConfig": {
    "commentsRequired": null,
    "denialCommentsRequired": null,
    "approvalSchemes": [],
    "reauthorizationRequired": false
},
"revocationRequestConfig": {
    "approvalSchemes": []
},
"segments": [],
"dimensional": false,
"dimensionRefs": [],
"accessModelMetadata": {
    "attributes": []
},
"additionalOwners": []

}

Try changing EQUALS → CONTAINS

{
    "operation": "CONTAINS", 
    "key": {
        "type": "ACCOUNT",
        "property": "attribute.memberOf",
        "sourceId": "8c3937f3e01d407c962bf7a836f3f8bb"
    },
    "values": [
        "CN=group A,OU=Department,DC=Access,DC=org"
    ],
    "stringValue": null,
    "children": null
}

The issue is that the “memberOf” attribute in AD is multi-valued, so an “EQUALS” comparison against a single group DN does not match. You must use the “CONTAINS” operator instead of “EQUALS” to check whether a user’s memberOf values include a specific group.

Give it a try.