Role Assignment Criteria

Hi,

The requirement is to add the users from AD group A to group B through an IDN role. I have configured the role as shown below; however, the identities are not being added during the role refresh. I would appreciate an extra pair of eyes on this.

{

"name": "Group B - DL",
"created": "2025-09-29T19:29:25.429023Z",
"modified": "2025-09-29T21:40:22.307498Z",
"description": null,
"owner": {
    "type": "IDENTITY",
    "id": "7a874b1c3d5e4d858dac2084f55902c8",
    "name": "Bransy"
},
"entitlements": [],
"accessProfiles": [
    {
        "id": "f4a16134dad44fb89acf547b8f41a6bf",
        "type": "ACCESS_PROFILE",
        "name": "group B"
    }
],
"membership": {
    "type": "STANDARD",
    "criteria": {
        "operation": "OR",
        "key": null,
        "values": null,
        "stringValue": null,
        "children": [
            {
                "operation": "AND",
                "key": null,
                "values": null,
                "stringValue": null,
                "children": [
                    {
                        "operation": "EQUALS",
                        "key": {
                            "type": "IDENTITY",
                            "property": "attribute.status",
                            "sourceId": null
                        },
                        "values": [
                            "active"
                        ],
                        "stringValue": null,
                        "children": null
                    },
                    {
                        "operation": "EQUALS",
                        "key": {
                            "type": "ACCOUNT",
                            "property": "attribute.memberOf",
                            "sourceId": "8c3937f3e01d407c962bf7a836f3f8bb"
                        },
                        "values": [
                            "CN=group A,OU=Department,DC=Access,DC=org"
                        ],
                        "stringValue": null,
                        "children": null
                    }
                ]
            }
        ]
    },
    "identities": null
},
"legacyMembershipInfo": null,
"enabled": true,
"requestable": false,
"accessRequestConfig": {
    "commentsRequired": null,
    "denialCommentsRequired": null,
    "approvalSchemes": [],
    "reauthorizationRequired": false
},
"revocationRequestConfig": {
    "approvalSchemes": []
},
"segments": [],
"dimensional": false,
"dimensionRefs": [],
"accessModelMetadata": {
    "attributes": []
},
"additionalOwners": []

}


Try changing EQUALS → CONTAINS

{
    "operation": "CONTAINS", 
    "key": {
        "type": "ACCOUNT",
        "property": "attribute.memberOf",
        "sourceId": "8c3937f3e01d407c962bf7a836f3f8bb"
    },
    "values": [
        "CN=group A,OU=Department,DC=Access,DC=org"
    ],
    "stringValue": null,
    "children": null
}

The issue is that the "memberOf" attribute in AD is multi-valued, so "EQUALS" (which compares against the whole attribute value) does not match a single entry in that list. You must use the "CONTAINS" operator instead of "EQUALS" to check whether a user is in a specific group.

Give it a try.

