Task #2889

closed

Read AD groups and Azure roles

Added by Roman Kučera over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Roman Kučera
Target version:
Start date:
07/14/2021
Due date:
% Done:

100%

Estimated time:
Owner:

Description

list all groups https://docs.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=java
detail of group https://docs.microsoft.com/en-us/graph/api/group-get?view=graph-rest-1.0&tabs=http
There should be owners and members, which we need in IdM.

Azure roles https://docs.microsoft.com/en-us/graph/api/resources/directoryrole?view=graph-rest-1.0
In the connector configuration there will be a new option for whether to load Azure roles or not. You need higher permissions for that, so it makes no sense to turn it on by default.

#1

Updated by Roman Kučera over 3 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 20

Owners and members are not loaded into the group object as I thought, so we need to load them separately.
The green line should now work.
Added new attributes to the schema.

#2

Updated by Roman Kučera over 3 years ago

There is a way to expand the basic query to get members, but it has a limitation: it returns only a limited number of records without a link to the next page, so it's useless.
Sticking with the workaround from the previous post: loading all members and owners by an extra query.

#3

Updated by Roman Kučera over 3 years ago

  • % Done changed from 20 to 90

Implemented loading of AD groups and Azure roles.
If you want to load Azure roles, you need to enable it in the connector config. The default value is false.

Tested operations:
  • Load all AD groups
  • Load all AD groups and Azure roles
  • Get members and owners with AD groups
  • Get members with Azure roles

All was tested via synchronization in IdM. Objects in IdM are created correctly.
Getting one record is implemented too and it should work, but it can be tested in IdM version 11.0.1 because of a bug which was fixed in #981.
If you try to load one record on the account tab or the entities tab, the object class ACCOUNT is used every time instead of GROUP.

#5

Updated by Roman Kučera over 3 years ago

When you try to load Azure roles, only the roles which are already assigned to someone are returned.
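The loading scheme described in the ticket description, note #2 and note #5, as an added example that is not the connector's own code: groups are listed with a paged Graph query, members and owners are fetched with a separate paged request per group instead of $expand (whose expanded collections come back truncated and without a next-page link), and directory roles are loaded only when the caller opts in, because that call needs a broader permission than plain group reading. The `Transport` callable, the `load_directory` function and the sample tenant data are assumptions made for this example; the Graph URLs and the `@odata.nextLink` paging convention are the documented ones.

```python
# Added example (not the connector's code): page Microsoft Graph for groups,
# their members/owners and, on opt-in only, activated directory roles.
from typing import Callable, Dict, Iterator, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# A transport is any callable mapping an absolute URL to a decoded JSON body.
# A real one would wrap an HTTP client and attach a bearer token; injecting it
# keeps the example runnable offline. (Assumed interface, not a Graph SDK API.)
Transport = Callable[[str], dict]


def iterate_pages(get: Transport, url: str) -> Iterator[dict]:
    """Yield every item of a paged Graph collection by following
    @odata.nextLink until the last page, which carries no link."""
    while url:
        page = get(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def list_groups(get: Transport) -> List[dict]:
    # Needs only a group read permission such as Group.Read.All.
    return list(iterate_pages(get, f"{GRAPH}/groups?$select=id,displayName"))


def group_relation(get: Transport, group_id: str, relation: str) -> List[str]:
    """Return the object ids in a group's members or owners collection.
    Each relation is its own paged request (the note #2 workaround) rather
    than $expand, which returns only a truncated page without a nextLink."""
    if relation not in ("members", "owners"):
        raise ValueError(f"unknown relation: {relation}")
    url = f"{GRAPH}/groups/{group_id}/{relation}?$select=id"
    return [item["id"] for item in iterate_pages(get, url)]


def list_directory_roles(get: Transport) -> List[dict]:
    """Directory roles. Graph lists only roles activated in the tenant, which
    is why note #5 sees just the roles that are already assigned. Reading
    them needs a broader permission (RoleManagement.Read.Directory or
    Directory.Read.All) than group reading, hence the opt-in below."""
    return list(iterate_pages(get, f"{GRAPH}/directoryRoles"))


def load_directory(get: Transport,
                   load_azure_roles: bool = False) -> Tuple[List[dict], List[dict]]:
    """Connector-style load: groups with members/owners; roles only on opt-in.
    The default False mirrors the ticket: do not require the extra permission
    unless a deployment actually wants roles."""
    groups = []
    for g in list_groups(get):
        groups.append({
            "id": g["id"],
            "displayName": g.get("displayName"),
            "members": group_relation(get, g["id"], "members"),
            "owners": group_relation(get, g["id"], "owners"),
        })
    roles = list_directory_roles(get) if load_azure_roles else []
    return groups, roles


# Constructed sample responses standing in for a tenant; all ids are made up.
# The members collection is split over two pages to exercise nextLink.
MEMBERS_PAGE2 = f"{GRAPH}/groups/g1/members?$select=id&$skiptoken=PAGE2"
SAMPLE: Dict[str, dict] = {
    f"{GRAPH}/groups?$select=id,displayName": {
        "value": [{"id": "g1", "displayName": "IdM-Admins"}]},
    f"{GRAPH}/groups/g1/members?$select=id": {
        "value": [{"id": "u1"}, {"id": "u2"}], "@odata.nextLink": MEMBERS_PAGE2},
    MEMBERS_PAGE2: {"value": [{"id": "u3"}]},
    f"{GRAPH}/groups/g1/owners?$select=id": {"value": [{"id": "u1"}]},
    f"{GRAPH}/directoryRoles": {
        "value": [{"id": "r1", "displayName": "Global Reader"}]},
}


def sample_transport(url: str) -> dict:
    """Offline transport: serve the constructed pages and fail loudly on any
    other URL, so a wrong request is caught instead of returning nothing."""
    if url not in SAMPLE:
        raise KeyError(f"unexpected request: {url}")
    return SAMPLE[url]


if __name__ == "__main__":
    groups, roles = load_directory(sample_transport, load_azure_roles=True)
    print(groups)
    print(roles)
```

With the default `load_azure_roles=False` the `/directoryRoles` request is never issued, so a connector identity that holds only group-reading permission works without error; the role call is made only when the option is explicitly enabled.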

#6

Updated by Roman Kučera over 3 years ago

  • % Done changed from 90 to 100

feedback in #2888#note-1

#7

Updated by Roman Kučera over 3 years ago

  • Status changed from In Progress to Closed

released
