Symantec IGA


Explore and Correlate based on Group Membership

  • 1.  Explore and Correlate based on Group Membership

    Posted Mar 04, 2019 01:56 AM

    Hi All,


    We have a scenario. There is a group (say group A) present in AD LDS and a container (OU) containing users. We need to explore and correlate users from that container that are members of the group A. The rest of the users should not be explored and correlated. Has anyone implemented any similar scenario? Any suggestions are appreciated.


    Regards

    Ankur Arora



  • 2.  Re: Explore and Correlate based on Group Membership
    Best Answer

    Posted Mar 04, 2019 08:54 AM

    The following information pertains to the standard ADS Connector and I am not sure if a similar approach would work for other connectors (i.e. ConnXP JNDI DYN connector against LDS), so the below is provided as-is and would need to be further tweaked to use proper DNs for the other connector instead.


    There is a way to achieve this but there are some caveats.


    By default the explore of the endpoint only retrieves some account information and with the AD endpoint the group membership is not returned. So the first thing that needs to be done is to force group membership data to be returned on the explore, and this can be done in one of two ways within the Provisioning Manager:
    - Under System->Domain Configuration->Explore and Correlate->Correlation Attribute, configuring a correlation rule on the ActiveDirectory:GroupMembership
    - On the acquired AD Endpoint's Attribute Mapping tab, configuring a mapping involving GroupMembership


    Note that doing either of the above will cause the account's group membership values to be stored in the Provisioning Repository, so viewing an account will show the values retrieved/stored on the last Explore and not the current data set on the endpoint itself. It could therefore be "stale" information, which is the negative side-effect of doing this.


    The next part of this would be that you would need to use an ldapsearch command to trigger the Explore so that you can provide a filter, since the Provisioning Manager and IM UI do not allow for providing a filter. An example of such a command would be:


    ldapsearch.exe -LLL -h IMPS_HOST -p 20389 -D "eTGlobalUserName=BIND_USER,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta" -w BIND_PWD -b "eTADSContainerName=Users,eTADSDirectoryName=MY_ADS_ENDPOINT,eTNamespaceName=ActiveDirectory,dc=im,dc=eta" -s sub "(&(objectclass=eTADSAccount)(eTADSmemberOf=CN=Administrators,CN=Builtin,DC=***,DC=YYY,DC=ZZZ))" eTExploreUpdateEtrust


    You would need to adjust the BaseDN, Group Value, and possibly the scope in the command.


    Note that not all connectors allow for such a filtered explore but ADS Connector does currently. That is not to say it will always allow for it in the future.
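The filtered explore in the answer above takes a group DN straight into the LDAP filter. The following script is an added example, not part of the original post and not the product's own tooling: it assembles the same ldapsearch invocation, but escapes the group DN per RFC 4515 first, so that characters such as `(`, `)`, `*` or `\` in a DN taken from an operator or another script cannot change the meaning of the filter. The host name, bind user, endpoint name, group DN and password file path are placeholders; the `-y PASSWORD_FILE` option assumes an OpenLDAP-compatible ldapsearch, which avoids exposing the bind password on the process command line as `-w` does.

```shell
#!/bin/sh
# Added example (not from the original post or the product): build the
# filtered-explore ldapsearch command with the group DN escaped for use in
# an LDAP filter. All host names, DNs and file paths are placeholders.

# Escape one value for use inside an LDAP search filter (RFC 4515, section 3).
# The backslash is replaced first so the escapes added afterwards stay intact.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Filter that limits the explore to eTADSAccount objects that are members
# of the given group DN (the same shape as the filter in the answer above).
build_explore_filter() {
    printf '(&(objectclass=eTADSAccount)(eTADSmemberOf=%s))' "$(ldap_filter_escape "$1")"
}

# Assemble the full ldapsearch command line as one string; it is printed,
# not executed, so it can be reviewed before being run.
# $1 = group DN, $2 = IMPS host, $3 = bind user, $4 = ADS endpoint name,
# $5 = file holding the bind password (assumes OpenLDAP-style -y support)
build_explore_cmd() {
    group_dn=$1; host=$2; bind_user=$3; endpoint=$4; pwfile=$5
    bind_dn="eTGlobalUserName=${bind_user},eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta"
    base_dn="eTADSContainerName=Users,eTADSDirectoryName=${endpoint},eTNamespaceName=ActiveDirectory,dc=im,dc=eta"
    printf 'ldapsearch -LLL -h "%s" -p 20389 -D "%s" -y "%s" -b "%s" -s sub "%s" eTExploreUpdateEtrust\n' \
        "$host" "$bind_dn" "$pwfile" "$base_dn" "$(build_explore_filter "$group_dn")"
}

# Demonstration with constructed placeholder values.
build_explore_cmd "CN=Administrators,CN=Builtin,DC=example,DC=com" \
    "imps.example.internal" "etaadmin" "MY_ADS_ENDPOINT" "/secure/imps_bind.pw"
```

Run it as `sh build_explore.sh`; it prints the command for review rather than triggering the explore itself. Because `eTExploreUpdateEtrust` makes the Provisioning Server write account data into the repository, it is worth keeping the invocation in a reviewed script like this one, with the password read from a protected file, rather than retyping it with `-w` on the command line.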