How to configure MemberOf with an AD group name in a scope rule for Roles

Document ID : KB000012346
Last Modified Date : 14/02/2018
Introduction:

The customer wants delegated users to be restricted to the members of a specific AD group.
He therefore added the following user-filter conditions to the scope rule:
1. User: condition: Member of = AD group name
2. User: condition: GroupId = AD group name

Question:

The user wants to restrict delegated users to the members of a specific AD group.

He therefore added the following rule as the user filter in the scope rule:

User: where( Member of = AD group name )

But it does not work: no user is listed.

How should this be configured so that it works?

Environment:
OS: Any
Product: CA Privileged Identity Manager r12.9 SP1 for SAM
Central DB: MS SQL Server or Oracle
User Store: Active Directory
Answer:

The AD group must be specified in LDAP distinguished-name (DN) format, not by its display name, for example cn=ADGroupName,cn=Users,dc=mydomain,dc=local. A bare group name such as "ADGroupName" does not match any user, which is why the rule above lists nobody.

Sample configuration for the delegated user request role:

1-1. Log in to the Enterprise Management Console as the system manager.

1-2. Select Users and Groups > Roles > Privileged Access Roles > Modify Roles.

1-3. Select Privileged Accounts Request Role.

1-4. Choose the Member tab.

1-5. Add the following to the Scope Rule:

User: where ( MemberOf = cn=AD group name,cn=Users,dc=mydomain,dc=local )

Privileged Accounts: Account Name = *

1-6. Click OK and submit.
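The following Python script is an added illustration of why the display-name form of the rule lists nobody while the DN form works; it is not CA PIM code and not part of this document. It assumes (an assumption, not something the page states) that the MemberOf condition is evaluated by comparing the rule value against the user's AD memberOf attribute, whose values are always group distinguished names. The group and user data are constructed samples, and the DN comparison is deliberately tolerant of the spaces after commas that administrators often paste in.

```python
"""Emulate a MemberOf scope-rule match against a user's AD memberOf attribute.

Added example, not CA PIM code.  Assumption: the rule value is compared with
each memberOf value, which is a group DN, so a bare group name never matches.
"""

import re
from typing import List, Tuple

# Constructed sample of one user's memberOf attribute (not real directory data).
# Note: AD memberOf lists direct memberships only; nested groups and the
# user's primary group do not appear here.
SAMPLE_MEMBER_OF = [
    "CN=ADGroupName,CN=Users,DC=mydomain,DC=local",
    "CN=Domain Admins,CN=Users,DC=mydomain,DC=local",
]


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into normalised (attribute, value) RDN pairs.

    Handles backslash-escaped commas inside values (RFC 4514), trims the
    optional whitespace around separators, and case-folds both attribute
    types and values, since AD matches DNs case-insensitively.
    Raises ValueError if any component is not of the form attr=value.
    """
    rdns = []
    for component in re.split(r"(?<!\\),", dn):
        attr, sep, value = component.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"not an RDN: {component!r}")
        rdns.append((attr.strip().lower(),
                     value.strip().replace("\\,", ",").lower()))
    return rdns


def is_dn(value: str) -> bool:
    """True if every comma-separated component is attr=value."""
    try:
        parse_dn(value)
    except ValueError:
        return False
    return True


def dn_equal(a: str, b: str) -> bool:
    """Compare two DNs component-wise, ignoring case and separator spacing."""
    return parse_dn(a) == parse_dn(b)


def user_in_scope(member_of: List[str], rule_value: str) -> bool:
    """Emulated MemberOf condition.

    A display name such as "ADGroupName" is not a DN, so it can never equal
    a memberOf value: that is the "no user is listed" symptom.  The DN form
    matches the constructed sample even when typed with spaces after commas.
    """
    if not is_dn(rule_value):
        return False
    return any(dn_equal(rule_value, group_dn) for group_dn in member_of)


if __name__ == "__main__":
    for rule in ("ADGroupName",
                 "cn=ADGroupName, cn=Users, dc=mydomain, dc=local"):
        print(f"MemberOf = {rule!r}: in scope = "
              f"{user_in_scope(SAMPLE_MEMBER_OF, rule)}")
```

To obtain the exact DN to paste into step 1-5 on a real domain, read the group's distinguishedName attribute from AD (for example with an LDAP browser or a directory query tool) rather than typing it from memory; the container is not always cn=Users.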