- Identity jdoe belongs to an AD group named "ACME Admins".
- "ACME Admins" is a member of the AD group named "Domain Admins".
- If I have a risk score configured for "Domain Admins", it does NOT affect the overall score for jdoe.
- If I have a risk score configured for "ACME Admins", it DOES affect the overall score for jdoe.
This is working as currently designed (as of identityIQ 5.2). The risk score algorithm does not take into account nested groups. It expects scores to be set at the individual group level.