Dynamic Group rebuilds are "polluting" user Change History

Hi All,

I've been searching around the forum and can't find an answer to my question. Perhaps others are not experiencing this or don't see it as an issue.

We have users that are in a few (large) dynamic groups. Whenever a group is automatically rebuilt, which is often, users' Change History is full of the changes and it's really difficult to find details on anything else that happened to the account.

I've been looking for a way to exclude the Dynamic Groups from Change Tracking, but so far I have not been able to do this.

Is this possible? If not, does anyone have any suggestions how we could work around it?

Thanks,

  • Do you have any Dynamic Group membership rules that reference Active Roles Virtual Attributes, or do you only have rules referencing Active Directory attributes?

  • Hi Terrance,

    We have only one Dynamic Group that references virtual attributes. This could of course change any time and we might create more.

  • With Dynamic Groups that reference only native Virtual Attributes, it is possible to create a dedicated Active Roles configuration to handle real-time Dynamic Group operations. This has a few advantages: mainly, it frees up resources in your primary Active Roles configuration for other operations, but it also removes Dynamic Group operations from the logging of your primary Active Roles configuration.

    When using Dynamic Groups that reference Active Roles Virtual Attributes, this becomes a little bit more complicated. You'd have to import your Virtual Attributes into the new configuration and then set up something like an Active Roles Synchronization Service Workflow to keep them in sync between the configurations. Still might be a good idea if you are interested in improving performance or simplifying logging.

    I've also had some customers configure a dedicated service account on a Dynamic Group job server within the same configuration, and then filter out operations made by that account in their auditing tools. This might be a simpler ask depending on your needs.

    We are aware that the current logging needs to be improved and we are tracking a requested change to this specific product functionality under ER 431618.

  • Hi Terrance,

    Yes, I've seen the requested change to the functionality you mention.

    It will be really interesting to find out more about a dedicated Active Roles configuration to handle real-time Dynamic Group operations. Not just for the issue I've mentioned here, but for other setup we're working on. Is there a resource you could point me to for a dedicated config?

    Cheers,

    M
