AD Groups sync to ForgeRock - Edge case


If an AD group is a member of 2 other AD groups, then if we sync AD groups to ForgeRock roles, will we only get the main AD group, or will ForgeRock roles also show information regarding the 2 other AD groups?

Because the user effectively has the privileges of 3 AD groups, and this information somehow needs to be available via ForgeRock roles.

The UI interacting with the ForgeRock user service OAuth2Client.getUserInfo() is more like a dummy UI, and it relies on the ForgeRock user service to provide up-to-date AD group membership info. The AD group memberships can be updated, and thus the UI code should get all the information from the ForgeRock user service.

I wanted to know if the AD group sync to ForgeRock can handle such an enterprise website scenario. Thanks

This is in regards to IDM 6.5 and LDAP Connector

Greetings Diokman,

Look at this requirement from the LDAP object perspective: absolutely, all the attributes of any LDAP object can be synchronized. In this particular case, the value of the attribute is a reference to another distinct LDAP object (these referenced groups). Therefore, in order to complete this operation successfully, these references must exist at the time of the LDAP add or modify.
Absolutely, nested roles are supported.
Please see: Groups :: ForgeRock Directory Services
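The two points in this thread, that a user nested one level down effectively holds the privileges of every enclosing group, and that a referenced group must exist when the entry is added or modified, can be checked against an LDAP snapshot before trusting a sync. The following is an added example, not ForgeRock IDM code and not the LDAP connector's own logic. It assumes a constructed in-memory dictionary of AD groups keyed by DN with a `member` attribute (the shape an LDAP search for `(objectClass=group)` returns), and the `OU=Groups` naming used to spot group references is an assumption about these constructed DNs.

```python
"""Resolve effective (nested) group membership from LDAP-style member data.

Added example for the thread above; it is not ForgeRock IDM code and not the
LDAP connector's own logic. It works on a constructed in-memory snapshot of
AD groups keyed by DN, each carrying a 'member' attribute.
"""
from collections import deque

# Constructed sample: app-users is nested in app-readers and app-writers,
# so a direct member of app-users effectively belongs to all three.
# The 'broken' group references a DN that does not exist in the snapshot.
GROUPS = {
    "CN=app-users,OU=Groups,DC=example,DC=com": {
        "member": ["CN=diokman,OU=Users,DC=example,DC=com"],
    },
    "CN=app-readers,OU=Groups,DC=example,DC=com": {
        "member": ["CN=app-users,OU=Groups,DC=example,DC=com"],
    },
    "CN=app-writers,OU=Groups,DC=example,DC=com": {
        "member": [
            "CN=app-users,OU=Groups,DC=example,DC=com",
            "CN=app-readers,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=broken,OU=Groups,DC=example,DC=com": {
        "member": ["CN=missing,OU=Groups,DC=example,DC=com"],
    },
}


def parents_index(groups):
    """Invert the 'member' attribute into child DN -> set of parent group DNs."""
    index = {}
    for group_dn, attrs in groups.items():
        for member_dn in attrs.get("member", []):
            index.setdefault(member_dn, set()).add(group_dn)
    return index


def effective_groups(user_dn, groups):
    """Return every group the user belongs to directly or through nesting.

    Breadth-first walk over the parent index. The 'seen' set makes the walk
    terminate even when two groups are members of each other (a cycle),
    which AD permits and a naive recursive resolver would loop on.
    """
    index = parents_index(groups)
    seen = set()
    queue = deque(index.get(user_dn, ()))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        queue.extend(index.get(group_dn, ()))
    return seen


def dangling_references(groups):
    """Return (group, member) pairs whose member looks like a group but is absent.

    The reply above notes that a referenced object must exist at add/modify
    time; this finds references a sync would fail on. Using 'OU=Groups' to
    recognise a group DN is an assumption about the constructed sample.
    """
    missing = set()
    for group_dn, attrs in groups.items():
        for member_dn in attrs.get("member", []):
            if "OU=Groups" in member_dn and member_dn not in groups:
                missing.add((group_dn, member_dn))
    return missing


if __name__ == "__main__":
    user = "CN=diokman,OU=Users,DC=example,DC=com"
    for dn in sorted(effective_groups(user, GROUPS)):
        print("effective:", dn)
    for src, target in sorted(dangling_references(GROUPS)):
        print("dangling:", src, "->", target)
```

Run against a real export, `effective_groups` tells you which roles a user should end up with after a nested sync, and `dangling_references` lists the entries the reply warns about, the ones whose target must be created (or ordered earlier in the sync) before the referencing group can be written.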