NetIQ Access Governance (SailPoint IdentityIQ 7) does not aggregate nested group membership out of the box (OOTB). Nested groups can still be flattened by writing custom BeanShell code (a Java-based scripting language) in an AccountGroupRefresh rule attached to the group aggregation task.
The steps below process nested groups during the Active Directory Account Group Aggregation task.
Let’s assume you have following AD Group hierarchy:
The business wants to look at Group1 and see all users (User1 to User6) as members of it, including the users who belong to Group1 only through a nested group.
Download a copy of IdentityIQ Object Model and Usage PDF file from the following link:
NetIQ Access Governance stores each Identity cube as XML. You can view an Identity cube's XML from the debug page or by running the get Identity <IdentityName> command from the console.
The <Exceptions> element holds all entitlement-related information (for an AD application, the group memberships) as <EntitlementGroup> sub-elements.
Access Governance creates a Link object for each application account an Identity holds. The Link object contains the application-specific attribute values defined in the schema section of the application definition.
A ManagedAttribute object is created for each entitlement, so n AD groups produce n ManagedAttribute objects.
ManagedAttribute objects are created and updated by the Account Group Aggregation task. In this solution an AccountGroupRefresh rule processes the nested groups and adds the indirect members to the ManagedAttribute object of the parent group (Group1 in this example).
Add a member attribute to the group schema of the Active Directory application definition. AD populates it with the DNs of the group's members, users and groups alike, so this attribute is what carries the group hierarchy into Access Governance.
An AccountGroupRefresh rule runs during an Account Group Aggregation task. It allows custom manipulation of account group attributes while the account group is being refreshed, on both create and update.
The AccountGroupRefresh rule has the following arguments available in addition to the common rule arguments.
Download the Rule from here: AccountGroupRefreshRule-ProcessNestedGroup
The rule executes the following steps:
(ii) For each member of the group being refreshed, check whether it is itself a group object; if so, process it further, otherwise ignore it.
(iii) Get the ManagedAttribute object of the member group identified in step (ii).
(iv) Read all members from that ManagedAttribute (i.e. all members of the group identified in step (ii)).
(v) Loop through the members identified in step (iv) and get the Link object of the Active Directory application account for each user.
(vi) Read the memberOf attribute from the Link object and add the group being processed to it, if it is not already present.
(vii) Save the Link object.
(viii) Add the group members identified in step (iv) to the accountGroup object; the aggregation task then writes them to the ManagedAttribute object of the parent group.
Here is the logical flow of the code:
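The following BeanShell rule body is an added example written for this article; it is not the downloadable rule above nor SailPoint's own code, and it generalizes the steps in one respect: it walks nesting to any depth and keeps a set of visited DNs so that a cycle (GroupA containing GroupB containing GroupA) or a diamond (two paths to the same group) cannot loop or double-process. It assumes the standard AccountGroupRefresh rule arguments (context, log, obj, accountGroup, groupApplication), that the group schema attribute holding member DNs is called member, and that the account schema entitlement attribute holding group DNs is called memberOf; adjust those names to your application definition.

```java
// AccountGroupRefresh rule body (BeanShell). Assumed rule arguments, as documented
// for this rule type (confirm against the argument table for your version):
//   context          - SailPointContext
//   log              - Log
//   obj              - ResourceObject for the group being refreshed
//   accountGroup     - ManagedAttribute being created or updated
//   groupApplication - the Active Directory Application definition
// Assumed attribute names (adjust to your application definition): the group
// schema attribute holding member DNs is "member"; the account schema entitlement
// attribute holding group DNs is "memberOf".
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.ManagedAttribute;
import sailpoint.object.QueryOptions;

String MEMBER_ATTR = "member";
String GROUP_ENT_ATTR = "memberOf";

// Normalise a multi-valued attribute to a List: a group with one member yields a String.
List asList(Object v) {
    List out = new ArrayList();
    if (v instanceof List) out.addAll((List) v);
    else if (v != null) out.add(v);
    return out;
}

// AD DNs are case-insensitive, so membership checks must be too.
boolean containsIgnoreCase(List dns, String dn) {
    for (Object o : dns) {
        if (dn.equalsIgnoreCase((String) o)) return true;
    }
    return false;
}

// A DN is a nested group if a ManagedAttribute exists for it on the AD application.
ManagedAttribute findGroup(String dn) {
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application", groupApplication));
    qo.addFilter(Filter.eq("attribute", GROUP_ENT_ATTR));
    qo.addFilter(Filter.eq("value", dn));
    List found = context.getObjects(ManagedAttribute.class, qo);
    return (found == null || found.isEmpty()) ? null : (ManagedAttribute) found.get(0);
}

// Walk nested groups to any depth. 'seen' holds lower-cased DNs so that a cycle
// or a diamond in the hierarchy ends the walk instead of repeating it.
void collectUsers(List memberDns, Set seen, List users) {
    for (Object o : memberDns) {
        String dn = (String) o;
        if (dn == null || !seen.add(dn.toLowerCase())) continue;
        ManagedAttribute nested = findGroup(dn);
        if (nested == null) {
            users.add(dn);                         // no group object: treat as a user
        } else {
            collectUsers(asList(nested.getAttribute(MEMBER_ATTR)), seen, users);
        }
    }
}

String parentDn = accountGroup.getValue();
List directMembers = asList(obj.getAttribute(MEMBER_ATTR));
Set seen = new HashSet();
seen.add(parentDn.toLowerCase());              // a group listing itself is ignored
List users = new ArrayList();
collectUsers(directMembers, seen, users);

// Steps (v) to (vii): stamp the parent group onto each member's AD Link.
for (Object u : users) {
    String userDn = (String) u;
    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.eq("application", groupApplication));
    qo.addFilter(Filter.eq("nativeIdentity", userDn));   // AD Links are keyed by DN
    List links = context.getObjects(Link.class, qo);
    if (links == null || links.isEmpty()) {
        log.warn("No AD account found for member " + userDn + "; run account aggregation first");
        continue;
    }
    Link link = (Link) links.get(0);
    List memberOf = asList(link.getAttribute(GROUP_ENT_ATTR));
    if (!containsIgnoreCase(memberOf, parentDn)) {
        memberOf.add(parentDn);
        link.setAttribute(GROUP_ENT_ATTR, memberOf);
        context.saveObject(link);
    }
}
context.commitTransaction();

// Step (viii): keep the direct members and append the users found through nesting,
// so the parent group's ManagedAttribute shows the flattened membership.
List merged = asList(directMembers);
for (Object u : users) {
    if (!containsIgnoreCase(merged, (String) u)) merged.add(u);
}
accountGroup.setAttribute(MEMBER_ATTR, merged);
return accountGroup;
```

Two operational points follow from how the rule works. It reads the nested group's members from its ManagedAttribute, so a nested group must already have been aggregated at least once before its parent's refresh sees its members; and it writes memberOf directly onto the Link, which the next AD account aggregation overwrites with the direct memberships AD reports, so schedule the group aggregation (and the identity refresh that rebuilds the <Exceptions> element) after account aggregation. Bear in mind that the synthesized memberOf entry is not a direct membership in AD: a revocation of Group1 provisioned for an indirect member will not remove that user from the nested group they actually belong to.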
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.