
OneIM Assigning groups from two different domains to One Businessrole

Hello Experts,

I have a bit of an issue on my hands that I need your help with. We have built several business roles that are based on Department, Title and Location with dynamic roles; we have a where clause defined in the SQL portion of the dynamic rule. When we apply these roles to a user, it is adding the groups from our legacy domain as well as our new domain. The goal is to assign only groups from the domain the business role is defined for.

Version is 8.0.1.  

Here is an example of one of the where clauses.

(UID_Locality = (select UID_Locality from Locality where Ident_Locality = 'MCK')) and (UID_Department = (Select UID_Department from Department where DepartmentName = '100-400-43006')) and 1 = 0 and lower(PersonalTitle) like '%director%'

This clause looks at the following things for the role "RG_43006_Director_TMK"; the _TMK suffix tells me this is for the TMK domain only.

Location = MCK, Department = 100-400-43006 and Title = director

Any and all help will be greatly appreciated!

Thank you,

  • Just asking, why are you assigning an AD Group from the wrong domain to the business role if you do not want it to be inherited?

  • I am not. My apologies for the confusion; here is the proper detail. We have RG_43006_Director_TMK for Domain 1 and RG_43006_Director_Torch for Domain 2: two different roles for different accounts. Currently they both have the same where clause. I need to figure out how I can distinguish the user's domain so it only adds Domain 1 groups to the Domain 1 role and Domain 2 groups to the Domain 2 role.

    Hope this is not too confusing...

  • I am still confused. OOTB the system does not automatically assign groups to roles. The dynamic role membership is for identities and not accounts.

    So when you are saying that the system adds Domain 1 groups to Domain 1 roles, it does not sound right to me.

    Or is it that your identities have more than one account from more than one domain assigned, and both of their accounts receive the group assigned to the role?

  • Hi Markus,

    I have identities with multiple accounts in multiple domains. So this is what I have done: I have created business roles based on the domain. I just realized the roles are based on Person and not account. So I have Identity "1" with Account A in Domain A and Account B in Domain B. I guess the question would be: how do I keep groups from Domain B assigned to Account A in Domain A? I am not able to post a picture to show you a better visual.

    Role 1 for Domain A contains all the groups from Domain A (Legacy Domain Version)

    Role 2 for Domain B contains All the group from Domain B (New Domain Version)

    Domain A = Legacy Domain (Fully Managed)

    Domain B = New Domain (Not yet managed)

    Account A(Legacy Account) in Domain A(Legacy Domain) has Groups from Domain A as well as Domain B(New Domain - Not Yet Managed).

    I hope this helps and thanks again.

    JP

  • Thing is, as long as the assignments of groups from domain B are feasible for an account from domain A, the system will inherit these group memberships as well.

    You have two options here:

    a) work with sub-identities: assign each account to a separate sub-identity, and assign those sub-identities to the correct roles.

    b) use two different categories for the accounts and groups in each domain, so that accounts and groups of domain A have the first category set and the accounts and groups of domain B have the second category set. This should avoid cross-domain assignments.
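The following queries are an added example, not code from the thread or from One Identity; they are a read-only way to see the symptom JP describes (an account in one domain holding groups from the other) and to trace which business role's group assignment produces it, which is also how you would confirm that either of the two fixes above has taken effect. They assume the standard One Identity Manager AD module schema as it ships in 8.x (ADSDomain, ADSAccount, ADSGroup, ADSAccountInADSGroup, Person, Org, OrgHasADSGroup, PersonInOrg) on SQL Server; the role-name prefix 'RG_' is taken from the thread and is only a filter, not a requirement.

```sql
-- Added example (not from the thread). Assumes the OneIM 8.x AD module schema
-- named in the lead-in; run read-only against the OneIM database (SQL Server).

-- 1. Actual cross-domain memberships: an AD account that is a member of a
--    group from a different AD domain than the account itself.
SELECT  p.CentralAccount,
        ad.Ident_Domain     AS AccountDomain,
        a.SAMAccountName,
        gd.Ident_Domain     AS GroupDomain,
        g.cn                AS GroupName
FROM    ADSAccountInADSGroup aig
JOIN    ADSAccount a   ON a.UID_ADSAccount  = aig.UID_ADSAccount
JOIN    ADSGroup   g   ON g.UID_ADSGroup    = aig.UID_ADSGroup
JOIN    ADSDomain  ad  ON ad.UID_ADSDomain  = a.UID_ADSDomain
JOIN    ADSDomain  gd  ON gd.UID_ADSDomain  = g.UID_ADSDomain
JOIN    Person     p   ON p.UID_Person      = a.UID_Person
WHERE   a.UID_ADSDomain <> g.UID_ADSDomain      -- the cross-domain case only
ORDER BY p.CentralAccount, ad.Ident_Domain, g.cn;

-- 2. The inheritance path behind it: for every business role an identity is
--    in, list the groups assigned to that role together with each of the
--    identity's AD accounts that lives in a *different* domain than the group.
--    Every row here is a membership the system will create unless categories
--    or sub-identities block it.
SELECT  p.CentralAccount,
        o.Ident_Org         AS BusinessRole,
        gd.Ident_Domain     AS GroupDomain,
        g.cn                AS GroupName,
        ad.Ident_Domain     AS AccountDomain,
        a.SAMAccountName
FROM    PersonInOrg    pio
JOIN    Org            o   ON o.UID_Org         = pio.UID_Org
JOIN    OrgHasADSGroup ohg ON ohg.UID_Org       = o.UID_Org
JOIN    ADSGroup       g   ON g.UID_ADSGroup    = ohg.UID_ADSGroup
JOIN    ADSDomain      gd  ON gd.UID_ADSDomain  = g.UID_ADSDomain
JOIN    Person         p   ON p.UID_Person      = pio.UID_Person
JOIN    ADSAccount     a   ON a.UID_Person      = p.UID_Person
                          AND a.UID_ADSDomain   <> g.UID_ADSDomain
JOIN    ADSDomain      ad  ON ad.UID_ADSDomain  = a.UID_ADSDomain
WHERE   o.Ident_Org LIKE 'RG[_]%'   -- '[_]' escapes the underscore wildcard in T-SQL
ORDER BY p.CentralAccount, o.Ident_Org, g.cn;
```

Query 1 should return no rows once the fix is in place; query 2 keeps returning rows, because it shows the role-to-group assignments that would be inherited, and is the place to look if query 1 comes back non-empty after you have set categories. One further check on the condition as posted in the question: it contains `and 1 = 0`, which makes the whole dynamic-role condition false for every Person, so make sure the condition that is actually active on the dynamic roles does not carry that term.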