Applies To:

GroupID 9 & 10 – Automate and Self-Service

Business Case:

We are running the Group Life Cycle job with an account that falls under the User security role in GroupID. This account has all the permissions needed to run the job: it processes all groups successfully and sends group expiry notifications to the specified recipients. However, it fails to write/update certain attributes for groups in the GroupID database (in SQL) and in Elasticsearch.

More Information:

The Group Life Cycle job in GroupID monitors group expiry based on the Group Life Cycle settings for an identity store. It sends group expiry notifications to group owners x days before a group expires (the number of days is configurable in the Group Life Cycle settings). The job then expires groups and deletes them from the identity store x days after expiry.

Solution:

It turns out that the account used to run the Group Life Cycle job falls under the User security role, which does not have the ‘Manage Any Group’ permission in the identity store. Assuming that the User role has only the ‘Manage my Groups’ permission in the identity store, the account can update the database and Elasticsearch attributes for the groups it owns, but fails to write/update them for any group it does not own.

To make sure the relevant attributes are updated, assign the ‘Manage Any Group’ permission to the security role the account belongs to.

Note: Imanami does not recommend that you assign the ‘Manage Any Group’ permission to the User role, because it would grant that permission to every account in the role. Rather, move the account under a highly privileged security role with elevated permissions (such as the Administrator role). You can also create a new security role and update its membership with all accounts used to run scheduled jobs in GroupID, so that only those service accounts receive the permission.

Steps to create a new security role with accounts as members:

  1. Using GroupID, create a group in the identity store and add all accounts used to run scheduled jobs to its membership.

    OR

    Create a new container in your directory and add all accounts used to run scheduled jobs to it.

  2. Create a new security role in the identity store and add the group/container as its member.
    For that, you need to set the role membership criteria for the security role to ‘group’ or ‘container’ (depending on whether you created a group or container for the accounts).

  3. In security role permissions, assign the ‘Manage Any Group’ permission to the role.

Steps to assign the permission:

  1. In GroupID Management Console, click the Identity Stores node.

  2. Double click an identity store to open its properties.

  3. On the Security Roles tab, select the security role that the account(s) fall under, and click Edit.

  4. On the User Properties page, select the Permissions tab.

  5. Set the Manage Any Group permission to Allow. This enables the account used for the Group Life Cycle job to write/update the values of the relevant attributes for all groups, not only the ones it owns.

  6. Click Apply and then OK.

Reference:

GroupID Online Help: Security Roles