
Importing a Security Group under a Role and Account AD Import Rule is not creating an AD Import Filter


Article ID: 163133


Products

IT Management Suite

Issue/Introduction

A customer is importing a Security Group with multiple sub-security groups under it. The primary security groups are not visible in the “Inv_Security_Groups” table, nor under “Manage\Filters\Notification Server Filters\Directory Filters”.

In brief, none of the filters for these security groups were created.

The NS logs show that the desired security group and sub-security groups have been imported.

Cause

There was a misalignment between the customer's goal and the configuration of the import. The process in general was right, but it was missing one step to be complete.

  1. The Role & Account import is special, as it does not:

    • create any filters (it never did), because “groups” become NS Roles, which are already an aggregating structure that keeps account (user from AD) membership.

    • populate the “Inv_Security_Groups” inventory, as we maintain membership by the resource associations between Role and Account, instead of basing it on inventory data.

  2. Also, importing Roles and Accounts is not the same as importing Users, because when you do a Role and Account AD Import, the resources created in NS are really “role resource” and “account resource”, not “user” resources, as happens when you do a User AD Import.

This difference is very important to understand: while it is possible to have two rules (one for Role and Account AD Import and the next for Users) importing from the same groups, the result will be completely different in terms of the NS resource model, and there are no “cross references” between them. You have to build filters in a completely different way for “account”, “role” and “user” (computer) resources.

For a simple user/computer import, using inventory data is fine; for roles and accounts you have to build your own filters by querying for associations between roles and accounts.

Resolution

Importing Roles and Accounts via AD Import doesn't bring the computer or user association from AD. For that association to be present, you need a Computer and User AD Import Rule for those Security Groups.

After this was done in the customer environment, the "missing" AD filters were present and the customer was able to use them as necessary.

Important note! When you have a top Security Group, the AD Import Filter is created and the sub-security groups for that top one will be included as explicit Inclusions for that AD Import Filter.