Invalid assignments to read only Azure group memberships
Description
The following error is logged in the One Identity Manager (1IM) 9.0 and 9.1 database journal:
"Cannot update {0} because assignment to groups with read only memberships are not permitted.|AADUserinGroup"
Since version 8.2, assigning accounts to Azure groups (AADGroup) with OnPremisesSyncEnabled=1 has been prevented. However, if such AADGroups were already assigned to an IT Shop, business roles or entitlement sets in an older 1IM version (which was particularly possible through GroupAutoPublish in older versions), the resulting data situation is inconsistent and invalid.
If the 1IM DBQueue Processor calculates an inheritance based on such an assignment, or if an order is triggered, the calculation fails in the trigger with the message above.
Cause
This is a product defect (36527), affecting One Identity Manager versions 8.2.1, 9.0 and 9.1.x.
Resolution
Please use the attached document to identify such invalid data situations and review the repair scripts inside to verify that this solution fits your requirements.
- OnPremisesSyncEnabled is the attribute populated by Microsoft Azure Active Directory (AD) when the object was synced from on-premises AD using Azure AD Connect (the Microsoft app). OnPremisesSyncEnabled specifies whether synchronization from the local Active Directory is enabled. To verify whether an Azure group was synced via Azure AD Connect from an on-premises AD, check OnPremisesSyncEnabled.
- HasReadOnlyMemberships is a more generic One Identity Manager attribute. It has a value template that takes OnPremisesSyncEnabled, GroupTypes (DynamicMembership or Unified) and IsMailEnabled into account. Memberships in such a group are populated dynamically in the target system and cannot be influenced by One Identity Manager. To verify whether new members can be assigned to an Azure group manually, check HasReadOnlyMemberships.
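The two queries below are an added example for finding the inconsistent data situation described above; they are not the attached repair document or One Identity product code. They assume T-SQL (One Identity Manager on SQL Server), the standard table and column names AADGroup, AADUserInGroup(UID_AADGroup, UID_AADUser, XOrigin) and BaseTreeHasAADGroup(UID_Org, UID_AADGroup), and the usual XOrigin bit values (1 = direct, 2 = inherited, 4 = requested, 8 = dynamic role); check both against your own schema before acting on the results.

```sql
-- Added example, not from the KB article or its attached repair document.
-- Assumptions: T-SQL; schema names AADGroup(UID_AADGroup, DisplayName, HasReadOnlyMemberships,
-- OnPremisesSyncEnabled, GroupTypes, IsMailEnabled), AADUserInGroup(UID_AADGroup, UID_AADUser, XOrigin),
-- BaseTreeHasAADGroup(UID_Org, UID_AADGroup); XOrigin bits assumed as 1 = direct, 2 = inherited,
-- 4 = requested (IT Shop), 8 = dynamic role. Verify against your own schema before use.

-- 1) Read-only Azure groups that still carry memberships One Identity Manager would try to write.
--    Anything that is not a plain direct membership (bit 1) came from inheritance, a request or a
--    dynamic role and will hit the AADUserInGroup trigger the next time the DBQueue Processor
--    recalculates it.
SELECT  g.UID_AADGroup,
        g.DisplayName,
        g.OnPremisesSyncEnabled,
        g.GroupTypes,
        g.IsMailEnabled,
        COUNT(*)                                              AS Memberships,
        SUM(CASE WHEN (ug.XOrigin & 2) = 2 THEN 1 ELSE 0 END) AS Inherited,
        SUM(CASE WHEN (ug.XOrigin & 4) = 4 THEN 1 ELSE 0 END) AS Requested,
        SUM(CASE WHEN (ug.XOrigin & 8) = 8 THEN 1 ELSE 0 END) AS DynamicRole
FROM    AADGroup g
JOIN    AADUserInGroup ug ON ug.UID_AADGroup = g.UID_AADGroup
WHERE   g.HasReadOnlyMemberships = 1
AND     (ug.XOrigin & 14) <> 0   -- inherited, requested or dynamic-role origin
GROUP BY g.UID_AADGroup, g.DisplayName, g.OnPremisesSyncEnabled, g.GroupTypes, g.IsMailEnabled
ORDER BY Memberships DESC;

-- 2) The role assignments that feed those inheritances. These are the rows a repair would have
--    to remove; review each one (role, group, who inherits it) before deleting anything.
SELECT  b.UID_Org,
        g.UID_AADGroup,
        g.DisplayName,
        g.OnPremisesSyncEnabled,
        g.GroupTypes
FROM    BaseTreeHasAADGroup b
JOIN    AADGroup g ON g.UID_AADGroup = b.UID_AADGroup
WHERE   g.HasReadOnlyMemberships = 1
ORDER BY g.DisplayName, b.UID_Org;
```

Run both against a copy of the database first; an empty result from the second query while the first still returns rows points at another assignment source (IT Shop shelf or entitlement set) that the attached document covers.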