• State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 92 subscribers
  • Views 6446 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Dynamic Business Role and removing ad Group while retaining membership - viinherite

ToddFendt
over 6 years ago

Hi all,

 

1IM v6.1.4 ( soon to be 7)

 

I am using a Dynamic Business Role to populate AD Groups used for access security. I need to be bale to remove an AD Group from the Dynamic Bus Role and have the ad Group retain the memberships. 

 

I created a Dynamic Business Role in my test env, created 2 ad groups in the domain. Associated the 2 AD Groups to the Dynamic Business Role, Let them cook and populate. Verified via the domain that they have memberships. I then removed one of the AD Groups. In a reasonable time all of the memberships were deleted. Makes sense. ( All of the entries in adsaccountinadsgrouptotal for the group had niinherite set to 4 (Dynamic).

 

2nd test, Sams as above but before i removed the AD Group from the Dynamic Business Role I updated adsaccountinadsgrouptotal table entries for the target group, updating the viinherite from a 4 to a 6 (Indirect, dynamic). Removed the AD Group, then later all memberships were automatically removed.

 

3rd test, same as above but changed the viinherite to a 7 (direct, indirect and dynamic). Same result.

Is there a way to preserve the membership when removing a AD Group from a Dynamic Business Role?

 

Thanks in advance, Todd Fendt

 

  

  • +1 over 6 years ago

    Hi Todd,

    I'm thinking back to 6.1 days, so I may be a little hazy here.  There are two tables involved: ADSAccountInADSGroup and ADSAccountInADSGroupTotal .  All of the rows from ADSAccountInADSGroup are in ADSAccountInADSGroupTotal but not vice versa.  Accounts in ADSAccountInADSGroup are directly assigned.  I don't think is is sufficient to change the viInherite flag in ADSAccountInADSGroupTotal.  I think you have to actually create the rows in ADSAccountInADSGroup. 

    HTH,

     

    George

  • 0 over 6 years ago
    George is right. You have to create the entries in ADSAccountInADSGroup for each of the members in ADSAccountInADSGroupTotal you do not want to be deleted.

    The flags in the total table will be changed accordingly by the system.

    General advice, do not mess with the flags to avoid any unnecessary trouble.
  • 0 over 6 years ago
    Thanks for the Reminders George and Markus. I was able to perform another test using this info. I created entries in adsaccountinadsgroup using this query:

    insert into adsaccountinadsgroup
    (UID_ADSAccount,UID_ADSGroup, XObjectKey)
    select
    agt.UID_ADSAccount
    ,agt.UID_ADSGroup
    ,'<Key><T>ADSAccountInADSGroup</T><P>' + agt.UID_ADSAccount + ' </P><P>' + agt.UID_ADSGroup + '</P></Key>'
    from adsaccountinadsgrouptotal agt
    join adsgroup g on g.uid_adsgroup = agt.UID_ADSGroup
    WHERE g.cn = 'todd one'

    And then removed the group from the Business Role and the Membership stayed intact.

    Thanks again, Todd
  • 0 over 6 years ago
    Glad it worked, Todd.
    One thing to keep in mind...you have to be very careful when you use SQL directly. Table scripts, templates, events, etc will not fire unless you are going through the API.