Wednesday, December 18, 2019

SailPoint issues with creating duplicate Entitlements

I experienced issues with duplicate entitlements being created for an Active Directory application.  The issue appeared when there were nested AD groups that were inheriting other groups.

The symptom was some rogue ManagedAttribute objects with type="Entitlement" instead of type="group", which caused the aggregation to fail with "Exception during aggregation of <group>. Reason: could not insert: [sailpoint.object.ManagedAttribute]".

The issue came down to some bad settings:

First, in the Active Directory account aggregation, the Promote Managed Attributes checkbox was checked.  This should only be checked if there is NO account group aggregation.  The account group aggregation replaces this checkbox.

Second, the memberOf schema attribute on the account was not set to a schemaObjectType of group.  This, along with Managed, Entitlement, and Multi-Valued, is required for this attribute.

Finally, the memberOf schema attribute on the group was not set to a schemaObjectType of group.  Also, while the Entitlement and Multi-Valued checkboxes were set, Indexed was not, so I set Indexed in order to match another successfully running application on a different AD domain.

To summarize, for AD connections:

On account aggregation, do NOT select "Promote Managed Attributes"
On the account schema, select group as the schemaObjectType, plus Managed, Entitlement, and Multi-Valued
On the group schema, select group as the schemaObjectType, plus Entitlement, Multi-Valued, and Indexed.
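As an added example (not part of the original post, and not SailPoint's own tooling), the following Python script checks an exported IdentityIQ Application XML against the three schema rules above and produces a corrected copy. It assumes the standard AttributeDefinition attribute names (schemaObjectType, managed, entitlement, multi, indexed) and the usual Schemas/Schema layout; the sample application XML is constructed for the demonstration. The optional aggregation-task check assumes the task argument is stored as an entry with key promoteManagedAttributes, which is an assumption about the export format.

```python
import xml.etree.ElementTree as ET

# Constructed sample (hypothetical AD application export) showing the bad settings:
# memberOf lacks schemaObjectType="group" on both schemas, Managed on the account
# schema and Indexed on the group schema.
BAD_APP_XML = """<Application name="AD-Example" type="Active Directory - Direct">
  <Schemas>
    <Schema objectType="account" identityAttribute="distinguishedName"
            displayAttribute="sAMAccountName">
      <AttributeDefinition name="sAMAccountName" type="string"/>
      <AttributeDefinition name="memberOf" type="string" entitlement="true" multi="true"/>
    </Schema>
    <Schema objectType="group" identityAttribute="distinguishedName" displayAttribute="cn">
      <AttributeDefinition name="cn" type="string"/>
      <AttributeDefinition name="memberOf" type="string" entitlement="true" multi="true"/>
    </Schema>
  </Schemas>
</Application>"""

# Constructed sample task arguments with "Promote Managed Attributes" checked.
# Assumption: the checkbox is exported as an entry keyed promoteManagedAttributes.
BAD_TASK_XML = """<TaskDefinition name="AD-Example Account Aggregation">
  <Attributes><Map>
    <entry key="applications" value="AD-Example"/>
    <entry key="promoteManagedAttributes" value="true"/>
  </Map></Attributes>
</TaskDefinition>"""

# Required settings for the memberOf attribute, per schema (from the summary above).
REQUIRED = {
    "account": {"schemaObjectType": "group", "managed": "true",
                "entitlement": "true", "multi": "true"},
    "group": {"schemaObjectType": "group", "entitlement": "true",
              "multi": "true", "indexed": "true"},
}


def check_memberof(app_xml, attr_name="memberOf"):
    """Return a list of findings; an empty list means the schemas match REQUIRED."""
    root = ET.fromstring(app_xml)
    findings = []
    for obj_type, required in REQUIRED.items():
        schema = root.find(f"./Schemas/Schema[@objectType='{obj_type}']")
        if schema is None:
            findings.append(f"{obj_type}: schema missing")
            continue
        attr = schema.find(f"./AttributeDefinition[@name='{attr_name}']")
        if attr is None:
            findings.append(f"{obj_type}: {attr_name} attribute missing")
            continue
        for key, want in required.items():
            got = attr.get(key)
            if got != want:
                findings.append(f"{obj_type}.{attr_name}: {key}={got!r}, expected {want!r}")
    return findings


def fix_memberof(app_xml, attr_name="memberOf"):
    """Return the XML with every required memberOf setting applied on both schemas."""
    root = ET.fromstring(app_xml)
    for obj_type, required in REQUIRED.items():
        attr = root.find(f"./Schemas/Schema[@objectType='{obj_type}']"
                         f"/AttributeDefinition[@name='{attr_name}']")
        if attr is not None:
            for key, want in required.items():
                attr.set(key, want)
    return ET.tostring(root, encoding="unicode")


def check_task(task_xml, key="promoteManagedAttributes"):
    """True when the aggregation task has Promote Managed Attributes enabled (bad for AD)."""
    root = ET.fromstring(task_xml)
    entry = root.find(f"./Attributes/Map/entry[@key='{key}']")
    return entry is not None and entry.get("value", "").lower() == "true"


if __name__ == "__main__":
    for line in check_memberof(BAD_APP_XML):
        print("FINDING:", line)
    print("Promote Managed Attributes enabled:", check_task(BAD_TASK_XML))
    fixed = fix_memberof(BAD_APP_XML)
    print("Findings after fix:", check_memberof(fixed))
```

Running the script against the constructed export lists four findings (missing schemaObjectType and Managed on the account memberOf, missing schemaObjectType and Indexed on the group memberOf) and flags the task setting; the corrected XML passes cleanly. Comparing a misbehaving application's export against a known-good AD application this way is a quick way to spot the settings that lead to the duplicate ManagedAttribute objects.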
