Enable Active Directory Mappings to Sub Groups

When this setting is enabled, source definitions for Active Directory integrations include an option to cascade all person mappings to their sub groups, so that a mapping against a security group also picks up the members of groups nested inside it.

The definition of (nested) sub groups in Active Directory is as follows:

What are nested groups in Active Directory?

Group nesting is adding a group as a member of another group. Nesting is often required, and AD evaluates it as a parent-child hierarchy. In other words, if you make Group 1 a member of Group 2, the users in Group 1 have, by default, the same permissions as the users in Group 2, even though they are not listed as direct members of Group 2.

When an AD scan is configured for an AD security group, the preview feature therefore includes all persons who are direct members of the mapped group, plus the members of any group that is itself a member of that mapped group (at any depth of nesting).

With this option enabled, the Active Directory LDAP connector can import Users via the following mappings:

  • groups with membership to a mapped group

  • OUs within a mapped group

  • OUs within a mapped OU

This does not include groups within a mapped OU.
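The difference between a plain scan and a cascaded scan is easiest to see on a small directory. The Python model below is an added example, not the connector's own code: it uses a constructed sample directory with made-up DNs and applies the rules listed above (group-in-group nesting under a mapped group is followed, sub-OUs of a mapped OU are included, groups that merely reside in a mapped OU are not expanded; the "OUs within a mapped group" mapping is not modelled). It also records the chain of groups through which each person is reached, which is what you need when auditing why someone was imported, and it stops on circular nesting, which AD permits.

```python
"""Model of how a mapped AD group or OU expands to persons under the
nested-group rules described above.  Added example; the directory below
is constructed sample data with made-up DNs, not a real domain."""
from collections import deque

# Constructed sample directory: DN -> attributes.  Groups carry a 'member'
# list of DNs, as the AD 'member' attribute does.  Note the deliberate
# cycle: Service Desk contains Tier 2, and Tier 2 contains Service Desk.
DIRECTORY = {
    "CN=ASM Analyst,OU=ASM,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=Alice,OU=Staff,DC=example,DC=com",
            "CN=Service Desk,OU=Teams,DC=example,DC=com",  # nested group
        ],
    },
    "CN=Service Desk,OU=Teams,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=Bob,OU=Staff,DC=example,DC=com",
            "CN=Tier 2,OU=Teams,DC=example,DC=com",
        ],
    },
    "CN=Tier 2,OU=Teams,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=Carol,OU=Staff,DC=example,DC=com",
            "CN=Service Desk,OU=Teams,DC=example,DC=com",  # circular nesting
        ],
    },
    # A group that merely lives inside OU=Staff; its member is outside it.
    "CN=Vendors,OU=Staff,DC=example,DC=com": {
        "objectClass": "group",
        "member": ["CN=Eve,OU=External,DC=example,DC=com"],
    },
    "CN=Alice,OU=Staff,DC=example,DC=com": {"objectClass": "user"},
    "CN=Bob,OU=Staff,DC=example,DC=com": {"objectClass": "user"},
    "CN=Carol,OU=Staff,DC=example,DC=com": {"objectClass": "user"},
    "CN=Dave,OU=Contractors,OU=Staff,DC=example,DC=com": {"objectClass": "user"},
    "CN=Eve,OU=External,DC=example,DC=com": {"objectClass": "user"},
}


def direct_user_members(group_dn, directory=DIRECTORY):
    """Persons a scan returns WITHOUT the preview feature: users that are
    direct members of the mapped group.  Nested groups are not followed."""
    return sorted(
        dn for dn in directory[group_dn]["member"]
        if directory[dn]["objectClass"] == "user"
    )


def nested_user_members(group_dn, directory=DIRECTORY):
    """Persons a scan returns WITH the preview feature: users reached by
    following group-in-group membership to any depth.

    Returns {user_dn: [chain of group DNs that grants membership]}, so every
    import can be explained.  The visited set stops AD's permitted circular
    nesting from looping forever."""
    found = {}
    visited = {group_dn}
    queue = deque([(group_dn, [group_dn])])
    while queue:
        current, chain = queue.popleft()
        for dn in directory[current]["member"]:
            obj = directory[dn]
            if obj["objectClass"] == "user":
                found.setdefault(dn, chain)  # keep the first (shortest) chain
            elif obj["objectClass"] == "group" and dn not in visited:
                visited.add(dn)
                queue.append((dn, chain + [dn]))
    return found


def ou_user_members(ou_dn, directory=DIRECTORY):
    """Persons for a mapped OU: users located in that OU or any sub-OU.
    Groups that happen to reside in the OU are NOT expanded, matching the
    'does not include groups within a mapped OU' rule."""
    suffix = "," + ou_dn
    return sorted(
        dn for dn, obj in directory.items()
        if obj["objectClass"] == "user" and dn.endswith(suffix)
    )


if __name__ == "__main__":
    mapped = "CN=ASM Analyst,OU=ASM,DC=example,DC=com"
    print("direct only:", direct_user_members(mapped))
    for user, chain in nested_user_members(mapped).items():
        print("nested:", user, "via", " -> ".join(chain))
    print("OU=Staff:", ou_user_members("OU=Staff,DC=example,DC=com"))
```

Running it shows that the plain scan of ASM Analyst returns only Alice, while the cascaded scan also returns Bob (one level down) and Carol (two levels down, through the cycle), and that Eve is never imported by either the group mapping or the OU=Staff mapping. Against a live domain the equivalent preview is `Get-ADGroupMember -Identity <group> -Recursive`, or an LDAP search on `memberOf` using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which resolves nested membership server-side.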

However, the recommendations on this are:

  1. As this is a Preview Feature, if you decide to use it, test it heavily in your Test environment first. It is not a core supported feature yet, as it has only been written for a specific customer. Any issues with this feature will not be "hotfixed" for customers, and may only be addressed in a future release.

  2. Avoid relying on complex nested membership for ASM access. The more deeply groups are nested, the harder it is to see who will actually be imported and with what role, and a change to a group several levels down can silently grant or remove ASM access. Best practice is to create three or four security groups (e.g. ASM Admin, ASM Analyst, ASM User) in Active Directory specifically for ASM, and grant membership to those groups according to each User's access requirement.