Supporting Active Directory Native Move / Rename
In many places in IdentityIQ, the default identifier for Active Directory accounts and groups is Distinguished Name (DN). Some native changes, such as when an account or group is moved within the Active Directory OU or when a person's name changes, result in a change to the DN.
Beginning with version 8.3, IdentityIQ uses the Active Directory GUID, a globally unique identifier, to determine when an account or group object's DN has changed. When a change is detected, the object is updated, and the change is propagated to all DN references throughout IdentityIQ.
When a changed DN is updated on aggregation, IdentityIQ creates an event to propagate the changes to these areas:
For account groups:
- Bundle/Profile
- Policy
- Form
- Rule
- GroupDefinition
- Identity
- Dynamic Scope
- PasswordPolicy/PasswordPolicyHolder
- Widgets
For accounts:
- Form
- Rule
- GroupDefinition
- Identity
To process the event, a Native Identity Change Propagation Request is created, which propagates changes to the appropriate destinations based on the event type. After all propagations to the destinations have completed successfully, the event is marked as DONE. If the event fails for any reason, the event and request are both marked as FAILED.
If a DN has been updated in response to a native move or rename, the DN is also replaced with the new one in the Provisioning plan at provisioning time, to ensure that there will be no errors on provisioning.
The propagation behavior is enabled by default. If you want to disable it, to prevent the propagation of changes throughout IdentityIQ, follow these steps.
- Navigate to gear icon > Global Settings > IdentityIQ Configuration > Miscellaneous tab.
- In the Native Identity Change Event Propagation Settings section, uncheck the Enable Native Identity Change Event propagation checkbox.
- Save your changes.
System administrators can customize the areas where DN changes are propagated by editing the Native Identity Change Propagation object in the Debug pages. This object is a Request Definition object.
The Account Aggregation task includes an option to Enable rename detection on managed attributes. This option affects aggregation from Active Directory. It enables IdentityIQ to detect when an account group DN has changed due to being renamed. IdentityIQ determines whether a DN is new or is a rename of an existing DN by examining the relevant account group's GUID or UUID. Enabling this option can prevent unintended changes to access that is based on assignment rules which use the DN as assignment criteria.
Note that when a change is made in Active Directory to an OU which contains accounts or groups (such as renaming or moving it), a delta aggregation does not pick up the changes. This is due to a limitation in Microsoft DirSync Control. To avoid this issue, perform a full aggregation to capture the changes and update the child objects. You might have to do this regularly to ensure the data is up to date.
For more information, see Account Aggregation.
During aggregation, if IdentityIQ detects two Active Directory accounts or account groups with the same Distinguished Name but different UUIDs, it will update the UUID to the most recent value, and treat the two accounts or account groups as the same. This handles the case where an account or group is accidentally deleted and re-added. Consequently, it is not advisable to reuse the same DN with a different meaning. IdentityIQ will not detect this as an account or account group change to any attribute but UUID.
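The following is an added illustration, not IdentityIQ code: a small Python model of the reconciliation rules described above. It keys stored objects by GUID so that a known GUID arriving with a different DN is treated as a move or rename (the DN is updated, an event is recorded, and every stored reference to the old DN is rewritten and the event marked DONE), while a new GUID arriving with an already-known DN is treated as the same object whose UUID is updated, with no rename event. It also shows how a stale DN carried in a pending provisioning plan can be resolved to the current one by replaying recorded renames. The DN normalization rule (case-insensitive, whitespace around RDN separators ignored), the holder names and the GUID values are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison (assumption for this example):
    AD DNs are case-insensitive and RDN-separator whitespace is not significant."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class AdObject:
    """An aggregated AD account or group, keyed by its immutable objectGUID."""
    guid: str
    dn: str


@dataclass
class DnReference:
    """A DN held by another object (profile, rule, form, ...). Holder names are constructed."""
    holder: str
    dn: str


@dataclass
class ChangeEvent:
    """A native identity change: old DN, new DN and the propagation outcome."""
    old_dn: str
    new_dn: str
    status: str = "PENDING"
    updated_holders: List[str] = field(default_factory=list)


class AggregationModel:
    def __init__(self, references: List[DnReference]) -> None:
        self.by_guid: Dict[str, AdObject] = {}
        self.references = references
        self.events: List[ChangeEvent] = []

    def find_by_dn(self, dn: str) -> Optional[AdObject]:
        key = normalize_dn(dn)
        return next((o for o in self.by_guid.values() if normalize_dn(o.dn) == key), None)

    def aggregate(self, guid: str, dn: str) -> str:
        """Reconcile one object read from AD and return what was decided."""
        existing = self.by_guid.get(guid)
        if existing is None:
            collision = self.find_by_dn(dn)
            if collision is not None:
                # Same DN, different GUID: the object was deleted and re-created.
                # Adopt the newest GUID and keep treating it as the same object;
                # no rename event is raised and no other attribute is touched.
                del self.by_guid[collision.guid]
                collision.guid = guid
                self.by_guid[guid] = collision
                return "guid-updated"
            self.by_guid[guid] = AdObject(guid, dn)
            return "created"
        if normalize_dn(existing.dn) == normalize_dn(dn):
            return "unchanged"
        # Known GUID with a different DN: a native move or rename, not a new object.
        event = ChangeEvent(old_dn=existing.dn, new_dn=dn)
        existing.dn = dn
        self.events.append(event)
        self._propagate(event)
        return "renamed"

    def _propagate(self, event: ChangeEvent) -> None:
        """Rewrite every stored reference to the old DN; mark the event DONE or FAILED."""
        try:
            for ref in self.references:
                if normalize_dn(ref.dn) == normalize_dn(event.old_dn):
                    ref.dn = event.new_dn
                    event.updated_holders.append(ref.holder)
            event.status = "DONE"
        except Exception:
            event.status = "FAILED"
            raise

    def current_dn(self, dn: str) -> str:
        """Resolve a DN from a pending provisioning plan to its current value by
        replaying recorded renames in order, so chained moves resolve correctly."""
        for event in self.events:
            if normalize_dn(dn) == normalize_dn(event.old_dn):
                dn = event.new_dn
        return dn


def demo() -> dict:
    """Constructed scenario: a group is moved to another OU, then deleted and re-created."""
    refs = [
        DnReference("Bundle:Finance-Profile", "CN=Finance,OU=Groups,DC=example,DC=com"),
        DnReference("Rule:FinanceAssignment", "cn=finance, ou=groups, dc=example, dc=com"),
        DnReference("Form:HR-Onboarding", "CN=HR,OU=Groups,DC=example,DC=com"),
    ]
    model = AggregationModel(refs)
    guid_a = "0f8fad5b-d9cb-469f-a165-70867728950e"  # constructed GUID
    guid_b = "7c9e6679-7425-40de-944b-e07fc1f90ae7"  # constructed GUID
    steps = [
        model.aggregate(guid_a, "CN=Finance,OU=Groups,DC=example,DC=com"),
        model.aggregate(guid_a, "CN=Finance,OU=Groups,DC=example,DC=com"),
        model.aggregate(guid_a, "CN=Finance,OU=Departments,DC=example,DC=com"),
        model.aggregate(guid_b, "CN=Finance,OU=Departments,DC=example,DC=com"),
    ]
    return {
        "steps": steps,
        "event_status": model.events[0].status,
        "updated_holders": model.events[0].updated_holders,
        "hr_reference": refs[2].dn,
        "stored_guids": sorted(model.by_guid),
        "plan_dn": model.current_dn("CN=Finance,OU=Groups,DC=example,DC=com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unrelated HR reference is left untouched, the two Finance references are rewritten even though one was stored in a different case and spacing, and the re-created group ends up stored under the newer GUID only. The model also makes the page's caution concrete: reusing a DN for a different object is silently folded into the old one.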
If there are future actions that may be impacted by a DN move or rename, such as a sunset date on an entitlement or a mitigation end date for a policy violation, be cautious about pruning events. Otherwise, if the DN changes for an account included in a sunrise/sunset action, IdentityIQ may not perform the provisioning action because the action will contain the "old" DN. This is particularly important for dates far in the future.
In policy violation mitigations, if the DN on an account changes during the mitigation period, the next time Check Policy Violations is run, the policy violation can reappear and need to be mitigated again.
You can also use the System Maintenance task to prune Native Identity Change Events. Select the Prune Native Identity Change Events option to include this action as part of your system maintenance task. This task will prune events that are older than the age specified in your system configuration.
The age value is set in the <entry key="nativeIdentityChangeMaxAge" value="0"/> key in your system configuration. The value is the age, in days, of events to be pruned. Note that a value of zero means that no events will be pruned, ever.
Changes made to Distinguished Name that are initiated within IdentityIQ (for example, through Rapid Setup or customizations) result in appropriate updates to all IdentityIQ objects. These changes are not treated as new identities, but are recognized as moves or renames.
A "noCustomRenamePropagation" argument can be set to true in the provisioning plan to disable this functionality.