How can I add an ADS group to my special identity?

Hi All,

Here I have a service category called AD group.

And I have ADS groups as service items in that service category.

Now I want the AD group to be added to a special identity rather than the normal main identity.

Once the request is submitted by the user in IT Shop, how can this group be added to my special identity?

Please suggest a solution. Thanks in advance.

  • This doesn't work ootb as the sub-identity has to be present if you want to request the group membership for the sub-identity. You may create a custom approval step EX in the approval workflow for the group membership request that waits for the sub-identity to be created and then changes the recipient of the group membership request to the new sub-identity before approving the current step. But I haven't done that before to ensure that this is really working.

  • We were trying this, but post approval the group was assigned to both the main identity (maybe through oob functionality) and the sub-identity (through the custom process that we invoked after the approval).

    Can we stop the auto assignment of groups to the main identity after the approval?

  • You haven't read my answer thoroughly. You would need to change UID_PersonOrdered of the request during the approval to the new sub-identity before you approve the request. And as another idea please check https://support.oneidentity.com/technical-documents/identity-manager/8.0/administration-guide-for-connecting-to-active-directory/34#TOPIC-851912 (Active Directory Group Inheritance Based on Categories)

  • Hi Markus,

    After looking into the process at the above URL,
    I have added a user account category called "SAI" and a group category called "SAI1" under Domain/Active Directory.

    Then for one of the accounts and one of the groups I have selected the corresponding category names from Change master data.
    Now what will be my next step, what will happen in this case, and could you please explain a little bit what the above URL is processing for this example?

  • Hi Markus,

    We are close to what we thought.

    In the One Identity sandbox we achieved assigning AD groups to selected privilege accounts from the IT Shop web portal using Resource properties and a custom process.

    So we created a Resource property for privilege accounts and normal accounts and defined it in personwantsorg, shoppingcartitem, Identity type in person table.

    Now the user selects the Account type from the Resource property and raises the request for the AD group.

    So using the custom process we are able to assign the AD group to the requested privilege account rather than the normal AD account.

    Here we are facing a few issues:

    1) The same AD group can be assigned to multiple privilege accounts and to the normal AD account for the same user?

    2) Once the AD group is already assigned to any privilege account or AD account of a particular user in IT Shop, under that AD group service item the message is like "the product is already assigned to the user". So in this scenario, is this the right message or not? And can the same group be assigned to another privilege account or the normal AD account of the same user?

    3) How will this service item or product behave among these accounts and in this scenario? Could you please advise us.

  • If you are using resource properties you are referring to what exactly?

    I am afraid that, without understanding your solution fully, I am unable to be of any further assistance.