IDM - Group Membership changes in AD do not correctly update Security Equals in eDirectory

  • 7004970
  • 03-Dec-2009
  • 26-Apr-2012

Environment

Novell Identity Manager 3.6.1
Active Directory Driver pre-configs for IDM 3.6 v4, v5, v6

Situation

Group membership changes in AD may not remove the corresponding Security Equals and Equivalent To Me entries for the user on the user and group objects. It is also possible that a security equivalence belonging to another user, one who is not being removed from the group, is removed incorrectly.
 
This issue has been discovered with the AD driver pre-config for IDM 3.6 v4, v5 and v6.

Resolution

 There are two parts to the fix.
 
1.  Replace the existing rule for “Remove Equivalent To Me when removing object from a group” with the rule below.
 
<rule>
  <description>Remove Equivalent To Me when removing object from a group</description>
  <comment xml:space="preserve">The identity Vault gives group members the rights of the group by adding the object to the "Equivalent to Me" attribute. Remove the object now.</comment>
  <conditions>
    <and>
      <if-class-name mode="case" op="equal">Group</if-class-name>
      <if-op-attr mode="regex" name="Member" op="changing-from">.+</if-op-attr>
    </and>
  </conditions>
  <actions>
    <do-remove-dest-attr-value name="Equivalent To Me">
      <arg-value type="string">
        <token-xpath expression="./modify-attr[@attr-name='Member']/remove-value/value"/>
      </arg-value>
    </do-remove-dest-attr-value>
    <do-strip-xpath expression="./modify-attr[@attr-name='Equivalent To Me']/remove-value/value"/>
    <do-clone-xpath dest-expression="./modify-attr[@attr-name='Equivalent To Me']/remove-value" src-expression="./modify-attr[@attr-name='Member']/remove-value/value"/>
  </actions>
</rule>
 
2. Move both Security Equals rules to the bottom of the AD Publisher Command Transformation policy (see the JPG below). The Security Equals rules need to be below the rule "Prevent unassociated users from being removed from groups".
 
Example of corrected rule logic and rules location.
 
3.  Restart the driver and run tests.
 
This should ensure that all group membership changes in AD remove the corresponding Security Equivalence in eDirectory as well.
 
Note:   Novell always recommends that you run this in your test system to make sure it is doing what you expect it to do prior to running live in production.
 
The faulty logic potentially removed Security Equals from other users who were not being removed from the group, and left Security Equals in place for members remaining in the group. You will have to verify that all Security Equals are correct on all your groups by comparing their members and Security Equals. This logic should prevent the inconsistency from occurring again in the future.
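One way to carry out that verification, as an added example that is not part of the TID: a consistency check over a constructed in-memory snapshot of group and user attributes. It assumes the eDirectory LDAP attribute names member, equivalentToMe and securityEquals, which is how the snapshot would be read in practice.

```python
"""Audit eDirectory group membership against security equivalence.

For every group it checks both directions of the link: each member must be
listed in the group's equivalentToMe and must carry the group in its own
securityEquals, and no non-member may hold either entry. This is the
inconsistency the TID describes (stale entries for removed members, missing
entries for members who should still have them).
"""

def audit(groups, users):
    """Return a sorted list of (finding, user_dn, group_dn) tuples."""
    findings = []
    for gdn, g in groups.items():
        members = set(g.get("member", []))
        equiv = set(g.get("equivalentToMe", []))
        for udn in members - equiv:          # member lost its rights
            findings.append(("missing-equivalentToMe", udn, gdn))
        for udn in equiv - members:          # removed user kept its rights
            findings.append(("stale-equivalentToMe", udn, gdn))
        for udn in members:                  # user side of the same link
            if gdn not in users.get(udn, {}).get("securityEquals", []):
                findings.append(("missing-securityEquals", udn, gdn))
    for udn, u in users.items():
        for gdn in u.get("securityEquals", []):
            if gdn in groups and udn not in groups[gdn].get("member", []):
                findings.append(("stale-securityEquals", udn, gdn))
    return sorted(findings)

# Constructed sample snapshot (not real directory data): carol was removed
# from the group but kept her equivalence; bob is still a member but lost his.
G1 = "cn=AppAdmins,ou=groups,o=lab"
ALICE, BOB, CAROL = (f"cn={n},ou=users,o=lab" for n in ("alice", "bob", "carol"))
GROUPS = {G1: {"member": [ALICE, BOB], "equivalentToMe": [ALICE, CAROL]}}
USERS = {
    ALICE: {"securityEquals": [G1]},
    BOB: {"securityEquals": []},
    CAROL: {"securityEquals": [G1]},
}

def run_sample():
    return audit(GROUPS, USERS)

if __name__ == "__main__":
    for finding in run_sample():
        print("%-24s user=%s group=%s" % finding)
```

Each finding names the attribute to repair on the user or group object; a clean directory yields an empty list.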

Additional Information