How can AD Group Membership be Managed?

Hi - I'm seeing a very similar issue to this one in my own test VMs (v7.1.1). I think the issue is with indirect assignment configuration steps but I haven't been able to isolate what causes it.

In my labs, I have ADS accounts provisioned through account definitions. Direct (manual) assignment through the UI works. Indirect assignment through business roles or dynamic roles doesn't seem to trigger account creation.

If I go onto the Person object and look at one of my test users in a dummy IT department, I can see two account definitions are already assigned. If I go to the “assign to employees” section of either account definition, I can see a tick against the user already, and I can also see the user's qualified for the account via indirect assignment of a business role. If I go to the Business Roles view, the "additionally assigned employees" box shows the user has the qualifying role.

So, everything seems right but neither AD account is created.

If I manually assign the account definitions to a different user through the UI, they get the account definitions AND on the next sync I see the accounts getting created.

Anecdotally, I know someone else who has also read the documentation thoroughly, configured everything right (as far as I can tell) but ALSO doesn't see anything happen when they use a business role for indirect assignment.

I'll review the config at my end and if I figure out what the issue is, I'll post it here as it's quite possible the issues are related.

Hi - I'm seeing a very similar issue to this one in my own test VMs (v7.1.1). I think the issue is with indirect assignment configuration steps but I haven't been able to isolate what causes it.

In my labs, I have ADS accounts provisioned through account definitions. Direct (manual) assignment through the UI works. Indirect assignment through business roles or dynamic roles doesn't seem to trigger account creation.

If I go onto the Person object and look at one of my test users in a dummy IT department, I can see two account definitions are already assigned. If I go to the “assign to employees” section of either account definition, I can see a tick against the user already, and I can also see the user's qualified for the account via indirect assignment of a business role. If I go to the Business Roles view, the "additionally assigned employees" box shows the user has the qualifying role.

So, everything seems right but neither AD account is created.

If I manually assign the account definitions to a different user through the UI, they get the account definitions AND on the next sync I see the accounts getting created.

Anecdotally, I know someone else who has also read the documentation thoroughly, configured everything right (as far as I can tell) but ALSO doesn't see anything happen when they use a business role for indirect assignment.

I'll review the config at my end and if I figure out what the issue is, I'll post it here as it's quite possible the issues are related.