• State Suggested Answer
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 94 subscribers
  • Views 2527 views
  • Users 0 members are here
Options
Related

adsgroup update from business roles

m tchernyshev
over 4 years ago

hello, need to bother again a little.

can anyone advise for me please when exactly am I expected to see that adsgroup object will be updated (which in turn will be handled by provisioning workflow when it runs)?

Let me explain:

When I manually assign AD Groups using Actuve Directory Target module I see the following jobs (tasks) in the following order

1) Created by QBMDBQueueProcess: handle object update for object type ADSGroup

2) ADS_ADGroup_Update

and then few minutes later that results in new Group member is added which is what I would expect

However, if I assign an AD Group using business roles and then assign employees manually or using dynamic roles here is what I don't understand - the graph representation of business role shows all groups for given role, it also shows me all employees which are expected to get a new group. But nothing like that happens, in fact I see that my Job Queue is empty and then later on the following user won't have his/her new group assignments in the Active Directory

If I run provisioning workflow (i have Groups and Users enabled and mapped by default) after finish there are also no changes

It seems that the systems still works fine but there is some procedural mistake, like I'm not yet triggering any ADSGroup update with my current set up of Business roles

Any ideas?

Parents Reply
  • 0 over 4 years ago in reply to m tchernyshev

    If you take a look here, this flag is documented right here in the documentation.

    https://support.oneidentity.com/de-de/technical-documents/identity-manager/8.0/administration-guide-for-connecting-to-active-directory/31#TOPIC-851899

    Assigning Active Directory Groups to Active Directory User Accounts, Active Directory Contacts and Active Directory Computers

    You can assign groups directly and indirectly to user account, workdesks and devices. Employees (workdesks, devices) and groups are grouped into hierarchical roles in the case of indirect assignment. The number of groups assigned to an employee (workdesk or device) From the position within the hierarchy and is calculated from the position within the hierarchy and inheritance direction.

    If you add an employee to roles and that employee owns a user account or a contact, the user account or contact is added to the group. Prerequisites for indirect assignment of employees to user accounts:

    • Assignment of employees and groups is permitted for role classes (department, cost center, location or business role).
    • User accounts and contacts are labeled with the option Groups can be inherited.
Children