You will first need to update ac-dir.xml under Directory Groups Behavior so that it will look for nested groups. You can get access to ac-dir.xml from our idmmanage page. Export the XML and search for GroupTypes; by default the type is set to DYNAMIC. You will need to update this so that it is set to ALL.
<!-- ******************** Directory Groups Behavior ******************** -->
<!-- OPTIONAL - GroupTypes determines what kind of groups Identity Manager will use. -->
<!-- GroupTypes consists of the following attributes: -->
<!-- 1. type - indicates the type of groups Identity Manager uses (NONE, ALL, DYNAMIC, NESTED) -->
<!-- If type is ALL or NESTED, be sure to determine and configure the nested group membership -->
<!-- if the nested group members are to be stored in a separate static member list, the an additional -->
<!-- ImsManagedObjectAttribute for %NESTED_GROUP_MEMBERSHIP% will need to be provided -->
<!-- in the definition for the Group Managed Object. -->
Once that is set, you will need to update ac-dir.xml in one other location so that the import will succeed. Look for <Container objectclass="top,organizationalUnit" attribute="ou"/> and after attribute="ou" add value="".
<Container objectclass="top,organizationalUnit" attribute="ou" value=""/>
Import the ac-dir.xml back into idmmanage and go to Home › Environments › ac-env › Advanced Settings › Miscellaneous. Please make sure that SkipLDAPDynamicGroupSearch and StoreADUsersInCache are both set to false. If you set UseInMemoryEvaluation, make sure its value is 3.
Now Enterprise Manager is fully set up to see nested groups in scoping rules. You will also need to update each group you will reference in scoping rules so that the nested groups are set in the wbemPath attribute.
My top-level group is SAMUsers. Its member is the SAMAuthUser group. Users who need access are within the SAMAuthUser group. I have updated the wbemPath of SAMUsers to include the full DN of the nested group.
You will need to add each member group one by one to this list. Once this is done you can update your roles within Enterprise Manager to point to the top-level group. Any groups and users within this group will be given access based on the scope.
Example Role: Access Control for PUPM Privileged Access Role
I added it so that users who are members of the group SAMUsers have access to privileged accounts under the Access Control for PUPM endpoint type. My user is not a direct member of SAMUsers but a member of the SAMAuthUser group, which is nested under SAMUsers.
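The membership walk that the wbemPath list has to reflect, as an added example that is not code from the original page or from the product: it resolves every group nested below a top-level group (so the DNs to add to wbemPath can be listed rather than collected by hand) and checks which users end up in scope. The directory contents, DN formats and the assumption that wbemPath holds plain group DNs are constructed for this example; it also handles a membership cycle, which a naive walk would loop on.

```python
# Added example (not from the original page or CA's own code): resolve nested
# group membership over a small constructed directory snapshot so the list of
# nested group DNs for a top-level group's wbemPath can be produced and a
# user's effective membership verified before a scoping rule depends on it.

# Constructed sample data: group DN -> member DNs (users and groups).
# Names and DN layout are illustrative assumptions, not values from the page.
DIRECTORY = {
    "CN=SAMUsers,OU=Groups,DC=example,DC=com": [
        "CN=SAMAuthUser,OU=Groups,DC=example,DC=com",
    ],
    "CN=SAMAuthUser,OU=Groups,DC=example,DC=com": [
        "CN=SAMAdmins,OU=Groups,DC=example,DC=com",
        "CN=jdoe,OU=Users,DC=example,DC=com",
    ],
    "CN=SAMAdmins,OU=Groups,DC=example,DC=com": [
        "CN=asmith,OU=Users,DC=example,DC=com",
        # Cycle back to the top-level group: the walk must not loop on it.
        "CN=SAMUsers,OU=Groups,DC=example,DC=com",
    ],
}


def is_group(dn, directory=DIRECTORY):
    """A DN is a group if it has its own member list in the snapshot."""
    return dn in directory


def nested_groups(top_dn, directory=DIRECTORY):
    """Every group DN reachable below top_dn, in discovery order, cycle-safe.
    This is the list of DNs that wbemPath on top_dn needs to carry."""
    seen, order, stack = {top_dn}, [], [top_dn]
    while stack:
        for member in directory.get(stack.pop(), []):
            if is_group(member, directory) and member not in seen:
                seen.add(member)
                order.append(member)
                stack.append(member)
    return order


def effective_members(top_dn, directory=DIRECTORY):
    """User DNs that are direct or nested members of top_dn."""
    users = set()
    for group in [top_dn] + nested_groups(top_dn, directory):
        users.update(m for m in directory[group] if not is_group(m, directory))
    return users


if __name__ == "__main__":
    top = "CN=SAMUsers,OU=Groups,DC=example,DC=com"
    print("wbemPath entries:", nested_groups(top))
    print("users in scope:", sorted(effective_members(top)))
```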