
Dynamic Groups in One Identity

I want AD groups to have dynamic membership depending on a user having a resource, their domain and a custom field. The only way I can see to do this is to create a business role for each group and apply dynamic membership to that business role so that the user inherits the AD group. Is there a better way to do this?

  • If you really want this dynamic, this is the way, but... you will end up with lots of dynamic groups, which might show up as bad performance.

    If you have a similar or semantic rule for all groups, create a process and run it on a scheduler. This will be much friendlier on performance.
  • Thanks mekindad. I am a little worried about performance. Could you elaborate on the second method? I searched for one identity semantic rule and nothing came up. Where would this kind of thing be configured?
  • I meant that if your roles are like:

    if a person attribute contains XX then put it in the AD group named Group_XX (the same rule can be applied to all groups), then it is quite easy to create a process to assign those memberships.

    If you really have totally different rules for every group, then you maybe create a mapping table of groups and rules... but this is a bit more complicated solution.