Applies To:

GroupID 10 - Automate & Self-Service

Business Scenario:

A situation may arise where a slight mistake on a user’s part can lead to a huge error. An administrator, when designing or updating a query for a Smart Group, might end up making errors that can alter the group membership beyond expectation. This might harm the company’s security. How can GroupID help prevent such unforeseen changes to group membership?

Solution:

Administrators can avoid undesired changes to Smart Group and Dynasty memberships by enabling the Out of Bounds settings for an identity store.

These settings enable you to:

  • Specify the maximum number of members for Smart Groups and Dynasties. When a group’s membership exceeds this limit, you can set GroupID to take any of the following actions:

    • Not to update, and retain the old membership.
    • Create nested groups to accommodate membership.
  • Define a criterion for out-of-bounds exceptions to raise alerts for group owners.
    When an out-of-bounds exception occurs, the intended recipient(s) are notified by email. If they deem the change valid, they can update the group by right-clicking it and selecting Update on the shortcut menu.

Notes:
  • If the group is not updated, the changes remain pending and the group will not be updated in the future when the Smart Group Update job runs.
  • Out-of-bounds exception notifications are sent as per notification settings configured for the Smart Group Update job that updates the respective group’s membership.

Steps:

You can apply the Out of Bounds settings from GroupID Management Console or via GroupID Management Shell.

From GroupID Management Console

  1. In GroupID Management Console, click the Identity Stores node.

  2. Right-click an identity store and select Properties.

  3. On the Identity Stores Properties window, select the Configurations tab and click Out of Bounds in the left pane.

  4. You can:

Restrict group membership

  1. In the Maximum membership per group box, type the number of maximum members that Smart Groups and Dynasties can contain.

  2. Select one of the following options for When threshold reached:

    • Do not update: to prevent any action when the maximum membership limit is breached on update. As a result, the group retains its old membership and no change takes place.
    • Nest into child groups: to create nested child groups when the maximum membership limit is reached. Each nested group, in turn, cannot have more than the maximum number of members specified.
      Nested groups are created as sub-groups of the group being updated. They are displayed in GroupID as members of the parent group.

      Example:
      Let’s assume you set the maximum membership limit to 500 and opt for nested groups when membership exceeds this limit.
      Scenario 1: On update, 485 objects are fetched to be added to Group A’s membership. Since the count is less than 500, the objects are directly added as group members.
      Scenario 2: On the next update, 620 objects are fetched to be added to Group A’s membership. Since the count exceeds 500, GroupID breaks the membership into 2 child groups (Group 1 with 500 members and Group 2 with 120 members) and nests them into Group A.
  3. Click Apply.

Set group update thresholds

The following settings apply in case of membership update through a Smart Group Update job. On manual membership update, these settings have no impact.

  1. Select the Do not update and alert if check box to monitor out-of-bounds exceptions in group memberships.

  2. In the Percent change in membership exceeds box, enter a percentage of membership change that, when exceeded, raises an out-of-bounds exception.

    Membership change is the difference between new membership and the existing membership. Percentage change in membership is calculated by the following formula:

    (newMemberCount - oldMemberCount) x 100 / oldMemberCount

    Let’s assume you specify 20 in this field. When group membership changes by 20% or more, GroupID considers it as an exception.

    So if Group A has 500 members and 200 new members are to be added, the calculation is:

    (700-500) x 100 / 500 = 40

    Since 40 is greater than 20, GroupID treats it as an out-of-bounds exception.

  3. In the And either current or new membership exceeds box, type the number of current or new memberships. If the current or new membership of a group is equal to or less than the specified number, GroupID does not raise an out-of-bounds exception for the group, even when the change percentage is exceeded. This allows you to ignore changes in small groups.

    For example, you set the change percentage to 20 and specify 25 in the And either current or new membership exceeds box. It works as follows:

    • For current (existing) membership:
      When the existing membership of a group is equal to or less than 25, GroupID does not trigger out-of-bounds for this group when the change percentage is exceeded (is greater than 20).
      For example, adding 3 new members to a group of 10 members would not trigger an exception. GroupID will update group membership, even though the change percentage is exceeded.
    • For new membership:
      When, say, 12 new members are added to a group with 10 existing members, the new membership reaches 22, which is less than 25. Even though the change percentage is exceeded, GroupID will not raise an exception and will update the group membership.
  4. Click Apply and then OK.
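
The membership limit and the update thresholds described above can be checked against your own group sizes before you apply them. The following is an added example, not GroupID code or part of the original article: Test-SmartGroupUpdate is a hypothetical helper, and its handling of removals, empty groups and the mixed small/large case are assumptions noted in the comments.

```powershell
# Added example: models the rules described in this article; not GroupID code.
function Test-SmartGroupUpdate {          # hypothetical helper name
    param(
        [Parameter(Mandatory)][int]$OldCount,
        [Parameter(Mandatory)][int]$NewCount,
        [int]$MaxMembers = 500,           # "Maximum membership per group"
        [int]$PercentThreshold = 20,      # "Percent change in membership exceeds"
        [int]$CountThreshold = 25         # "And either current or new membership exceeds"
    )

    # Article formula: (newMemberCount - oldMemberCount) x 100 / oldMemberCount.
    # Assumptions: the magnitude is used so removals count too, and an empty
    # group that gains members is treated as an unbounded change.
    if ($OldCount -eq 0) {
        $pct = if ($NewCount -gt 0) { [double]::PositiveInfinity } else { 0.0 }
    } else {
        $pct = [math]::Abs(($NewCount - $OldCount) * 100.0 / $OldCount)
    }

    # The article treats a change of "20% or more" as an exception, hence -ge.
    $overPercent = $pct -ge $PercentThreshold
    # Small-group floor, read from the box label (assumption for mixed cases):
    # at least one of the two counts must exceed it.
    $overCount = ($OldCount -gt $CountThreshold) -or ($NewCount -gt $CountThreshold)

    # "Nest into child groups": child groups of at most $MaxMembers each.
    $children = @()
    if ($NewCount -gt $MaxMembers) {
        for ($left = $NewCount; $left -gt 0; $left -= $MaxMembers) {
            $children += [math]::Min($left, $MaxMembers)
        }
    }

    [pscustomobject]@{
        Old = $OldCount; New = $NewCount
        PercentChange   = [math]::Round($pct, 1)
        OutOfBounds     = $overPercent -and $overCount
        ChildGroupSizes = $children -join '+'
    }
}

# Constructed inputs based on the article's own examples.
$cases = @(
    @{ OldCount = 500; NewCount = 700 }   # 40% change on a large group
    @{ OldCount = 10;  NewCount = 13 }    # 30% change, both counts under the floor
    @{ OldCount = 10;  NewCount = 22 }    # 120% change, both counts under the floor
    @{ OldCount = 485; NewCount = 620 }   # over the limit: nests as 500+120
)
$cases | ForEach-Object { $c = $_; Test-SmartGroupUpdate @c } | Format-Table -AutoSize
```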

Recommended Settings

For smooth operations, set the following values for Out of Bounds:

  • Set the maximum membership limit to 4999.
  • Apply the Do not update setting.
  • Set the membership percentage change to 50%.
  • Set the current or new membership exceed limit to 100.

Via Management Shell

You can also configure the Out of Bounds settings for an identity store from GroupID Management Shell.

  1. Launch GroupID Management Shell.

  2. Run the following cmdlet and, when prompted, enter the credentials of the service account used to connect to the provider:

    $creds = Get-Credential 

    You must pass the domain name and the service account credentials as parameters to the Out of Bounds settings cmdlet. This is important: otherwise, the cmdlet overrides the service account setting in the identity store, which leads to an error and resets all identity store configurations.

  3. Run the following cmdlet for the Out of Bounds settings:

    Set-IdentityStore -IdentityStoreName DC1.local -Credential $creds -Domain DC1.local -MaximumMembersPerGroup 4999 -WhenGroupMembershipThresholdReach PreventUpdation -EnableOrphanGroupsDeletion -EnableOutOfBoundsAlerts -MembershipCountThreshold 100 -MembershipPercentageThreshold 50

    Note: The values for the parameters are the recommended settings for Out of Bounds.

Reference:

GroupID Online Help topic: Group Membership Settings
