Configuring the erGroup attribute

When you modify the Groups attribute of a user account, IBM Security Verify Governance sends the erGroup attribute in the modify operation with an attribute operation type of replace.

About this task

When the attribute operation type is replace, the adapter removes the membership of the user from the groups of which the user is a member on the Active Directory and that are not included in the modify request. You do not get the membership of a user account to groups that are added to the user account by using the external application when:
  • You modify the user account membership on the Active Directory by using an external application.
  • The user accounts are not reconciled frequently.

When you modify the user account membership on the Active Directory, modify the profile for sending the erGroup attribute in the modify request with an attribute operation type of Add or Delete. To handle the erGroup attribute with attribute operation type as Add or Delete, modify the profile for Active Directory. The adapter profile (ADprofile.jar) is included in the JAR file for the adapter.

To modify the ADprofile.jar file for handling the erGroup attribute with an attribute operation type of Add or Delete, perform the following steps:

Procedure

  1. Copy the ADprofile.jar file to a temporary directory, for example, C:\Temp directory.
  2. Extract the contents of ADprofile.jar file into the temporary directory by running the following command: 
    cd C:\Temp
jar -xvf ADprofile.jar
    The jar command creates the C:\Temp\ADprofile directory that has all the profile files.
  3. From the extracted ADprofile directory, open the resource.def file in a text editor and search for the entry <Parameter Name="erGroup" Source="account" ReplaceMultiValue="true" />.
  4. Delete all the occurrences of the above entry from the resource.def file and save the file.
  5. Run the following command to create a new jar file: 
    cd C:\Temp
jar -cvf ADprofile.jar ADprofile
  6. Import the new ADprofile.jar file on IBM Security Verify Governance.
  7. After you import the adapter profile, restart IBM Security Verify Governance to reflect the updates.