Active Directory Group Provisioning
Provisioning Active Directory groups (AD groups) to the application is most efficient when users are already organized into AD groups, because the groups do not have to be re-created in the application.
To provision an AD group and its members to the application, complete both of the following (in either order):
- Provision AD groups to the application
- Provision AD group members to the application
Provision AD groups to the application
- Use the Sync groups from local directory to target application option.
- AD groups that should be excluded from provisioning can be filtered out with the Provisioning Script.
- Members of the group that have not been provisioned through role mapping are listed in the dirsync report.
Note the following about provisioning AD groups:
- An email address is required for the AD group.
- Support for provisioning nested groups depends on the service provider.
- If an AD group has the same name as an existing group in the application, CyberArk Identity matches the existing group by name during provisioning and updates it with the AD group's attributes. Check for such name collisions before enabling the option, because the existing application group's attributes are replaced by the AD group's, not the other way around.
- If you use the option to provision AD groups, CyberArk Identity ignores the Destination Group setting in Role Mappings. Provisioning AD groups and provisioning users to existing groups using role mapping are mutually exclusive.
- You cannot de-provision groups by disabling or deleting them in Active Directory.
Provision members of the AD group to the application using Role Mapping
- If Sync groups from local directory to target application is enabled, the Destination Group setting in Role Mappings is ignored, and the users are provisioned into the synced AD groups.
Provision Active Directory Groups in CyberArk Identity
Note
If you want to provision AD groups, you need to deploy a new application in the Admin Portal; the feature is not backward-compatible with previously deployed applications.
1. Open the SAML application in Admin Portal.
2. Click the Provisioning tab.
3. Select Sync groups from local directory to target application, then click Save. When the provisioning job starts, CyberArk Identity provisions every AD group that has an email address to the application.
Note
This option overrides the Destination Group setting in Role Mappings.
4. Add roles to Role Mappings as necessary, then click Save.
All users who belong to AD groups should:
- Belong to a role in Role Mappings.
- Have an email address (required) for provisioning.
Note
Destination Groups do not need to be specified. This setting is ignored in favor of AD groups when Sync groups from local directory to target application is selected.
5. (Optional) Filter out any AD groups that should not be provisioned using the provisioning script's reject() method. The Provisioning Script box provides directions and an example script. Uncomment and modify the script as necessary.
6. Manually sync the AD objects. Refer to Provisioned account synchronization options for more detail.
CyberArk Identity provisions all AD groups to the application unless they are filtered by the reject() method. Any user objects in a mapped role are synced to a destination group in the application that matches the object's AD group. (The Destination Group setting in Role Mappings is ignored.)
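To make the reject() filtering and the pre-flight checks above concrete, here is an added example that is not CyberArk Identity's own Provisioning Script or its API: a stand-alone JavaScript model that applies reject rules to a constructed list of AD groups and reports, as a dry run, which groups would be created, which would update an existing application group of the same name, and which are rejected and why (missing email address, excluded name or pattern, nested group on a provider that does not support them). The function, option and field names (planGroupProvisioning, reject, name, mail, nested, providerSupportsNested) and the sample data are assumptions made for illustration; the real script's object model is documented in the Provisioning Script box in the Admin Portal.

```javascript
// Added example (not CyberArk Identity's Provisioning Script or API).
// Models the reject() filtering and the pre-flight checks a practitioner
// would want before enabling "Sync groups from local directory to target
// application". All names below are assumptions made for illustration.

// Constructed sample of AD group objects, as a directory sync might present
// them to a provisioning script (constructed data, not from the page).
const SAMPLE_AD_GROUPS = [
  { name: "App-Admins",      mail: "app-admins@example.com", nested: false },
  { name: "App-Users",       mail: "app-users@example.com",  nested: true  },
  { name: "Domain Admins",   mail: null,                     nested: false },
  { name: "Test-Temp-Group", mail: "test-temp@example.com",  nested: false },
  { name: "Finance-Readers", mail: "",                       nested: false },
];

// Constructed list of groups that already exist in the target application.
// A same-name AD group updates the existing group instead of creating a new one.
const SAMPLE_APP_GROUPS = ["App-Users", "Helpdesk"];

const DEFAULT_RULES = {
  // Privileged or otherwise unwanted groups, rejected by exact name.
  rejectNames: new Set(["Domain Admins"]),
  // Name patterns to reject, e.g. throwaway test groups.
  rejectPatterns: [/^Test-/i],
  // Whether the service provider accepts nested groups (page: provider-dependent).
  providerSupportsNested: true,
};

// Returns a dry-run plan: which groups would be created, which would update an
// existing application group of the same name, and which are rejected and why.
function planGroupProvisioning(adGroups, appGroups, rules = {}) {
  const { rejectNames, rejectPatterns, providerSupportsNested } = { ...DEFAULT_RULES, ...rules };
  const existing = new Set(appGroups);
  const plan = { create: [], update: [], rejected: [] };

  // Stand-in for the provisioning script's reject(): records the group and the reason.
  const reject = (group, reason) => plan.rejected.push({ name: group.name, reason });

  for (const g of adGroups) {
    if (rejectNames.has(g.name)) {
      reject(g, "excluded by name");
      continue;
    }
    const pattern = rejectPatterns.find((p) => p.test(g.name));
    if (pattern) {
      reject(g, `name matches ${pattern}`);
      continue;
    }
    // The page requires an email address on every provisioned AD group.
    if (typeof g.mail !== "string" || g.mail.trim() === "") {
      reject(g, "missing email address");
      continue;
    }
    if (g.nested && !providerSupportsNested) {
      reject(g, "nested groups not supported by this service provider");
      continue;
    }
    // Exact name match assumed; the page does not state whether matching is case-sensitive.
    (existing.has(g.name) ? plan.update : plan.create).push(g.name);
  }
  return plan;
}

// Example run over the constructed data.
const dryRun = planGroupProvisioning(SAMPLE_AD_GROUPS, SAMPLE_APP_GROUPS);
console.log(JSON.stringify(dryRun, null, 2));
```

Run it with node before enabling the sync option: any group listed under rejected with "missing email address" will not be provisioned, and any group listed under update already exists in the application and will have its attributes replaced by the AD group's.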