Supporting Active Directory Native Move/Rename

In many places in IdentityIQ, the default identifier for Active Directory accounts and groups is Distinguished Name (DN). Some native changes, such as when an account or group is moved within the Active Directory OU or when a person’s name changes, result in a change to the DN.

Beginning with version 8.3, IdentityIQ uses the Active Directory GUID, a globally unique identifier, to determine when an account or group object’s DN has changed. When a change is detected, the object is updated, and the change is propagated to all DN references throughout IdentityIQ.

When a changed DN is updated on aggregation, IdentityIQ creates an event to propagate the changes to these areas:

For account groups:

  • Bundle/Profile

  • Policy

  • Form

  • Rule

  • GroupDefinition

  • Identity

  • Dynamic Scope

  • PasswordPolicy/PasswordPolicyHolder

  • Widgets

For accounts:

  • Form

  • Rule

  • GroupDefinition

  • Identity

If a DN has been updated in response to a native move or rename, the DN is also replaced with the new one in the Provisioning plan at provisioning time, to ensure that there will be no errors on provisioning.

The propagation behavior is enabled by default. If you want to disable it, to prevent the propagation of changes throughout IdentityIQ, follow these steps.

  1. Navigate to gear icon > Global Settings > IdentityIQ Configuration > Miscellaneous tab.

  2. In the Native Identity Change Event Propagation Settings section, uncheck the Enable Native Identity Change Event propagation checkbox.

  3. Save your changes.

System administrators can customize the areas where DN changes are propagated by editing the Native Identity Change Propagation object in the Debug pages. This object is a Request Definition object.

The Account Aggregation task includes an option to Enable rename detection on managed attributes This option affects aggregation from Active Directory. It enables IdentityIQ to detect when an account group DN has changed due to being renamed. IdentityIQ determines whether a DN is new or is a rename of an existing DN, by examining the relevant account group’s GUID or UUID. Enabling this option can prevent unintended changes to access that is based on assignment rules which use DN as assignment criteria.

Note that when a change is made in Active Directory to an OU which contains accounts or groups (such as renaming or moving it), a delta aggregation does not pick up the changes. This is due to a limitation in Microsoft DirSync Control.To avoid this issue, perform a full aggregation to capture the changes and update the child objects. You might have to do this regularly to ensure the data is up to date.

For more information, see Account Aggregation.

During aggregation, if IdentityIQ detects two Active Directory accounts or account groups with the same Distinguished Name but different UUIDs, it will update the UUID to the most recent value, and treat the two accounts or account groups as the same. This handles the case where an account or group is accidentally deleted and re-added. Consequently, it is not advisable to re-use the same DN with a different meaning. IdentityIQ will not detect this as an account or account group change to any attribute but UUID.

If there are future actions that may be impacted by a DN move or rename, such as a sunset date on an entitlement, or a mitigation end date for a policy violation, be cautious about pruning events. Otherwise, if a DN changes for an account included a sunrise/sunset action, IdentityIQ may not perform the provisioning action because it will contain the "old" DN. This is particularly important for dates far in the future.

In policy violation mitigations, if the DN on an account changes during the mitigation period, the next time Check Policy Violations is run, the policy violation can re-appear and need to be mitigated again.