IBM Security Verify

  • 1.  ISIM - Create user in AD group

    Posted Fri June 24, 2022 05:18 AM
    Hello community, 
    I'm trying to create a user and add it to an AD group. I know how to do it step by step from "Manage groups" -> select service etc. Is it possible to do this from the create user form?

    Thank you!

    Galin Gospodinov

  • 2.  RE: ISIM - Create user in AD group

    Posted Mon June 27, 2022 03:16 AM
    I believe you are confused by several things here - one of them is the difference between the identity entity (Persons) in ISIM and the accounts. If you go through "Manage groups" -> select service and then select a group and perform "Manage Members" or "Add Members", you are working on account entities, i.e. accounts coming from the AD Service.
    Create user is setting up a person (an Identity). This in itself will not do anything on the AD Service. To do so, after the person is created (and the policies allow it), you can go through "Manage Users" -> find your user -> "Request Account" and then add the necessary data manually to the account you want, including the group membership.
    The above process WILL work - but here is the catch - this is NOT how you should do it - the whole purpose of having ISIM is to define this as policies so that this is an automated process as much as you want to define it - or is based on a role setup (RBAC). So - the process is somewhat more complex to set up - but then much easier to perform afterwards:
    1. Define a set of policies that apply to what an AD account should look like - what the userid is (identity policy) - what the basic attributes are (names and other attributes from your identity that come from your authoritative source) etc. These will need to be linked to a (dynamic) role that represents the identities in scope.
    2. Define "birthright" policies - these are policies that, based on Identity/Person attributes (through dynamic roles), assign the person to some rights/groups on the services that they should receive automatically.
    3. Define request policies/roles - these are combinations of roles that the person can be added to, and the policies should then determine the rights/groups that the roles should result in.

    Now - this is just a very high level description of the process - but I hope it gives you an idea WHAT you can do with ISIM - doing things manually is of course possible - but that will not give you the value of ISIM :-)


    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs
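    The policy-driven flow described in the reply above (identity policy, dynamic roles, birthright and request policies) as an added conceptual model. This is not ISIM code or its API; the role names, attribute filters and group DNs are constructed placeholders.

```python
"""Conceptual model of ISIM-style provisioning: person attributes -> dynamic
role membership -> provisioning policies -> AD account entitlements (groups).
Added illustration, not ISIM code; every name below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Person:
    """The identity entity ("user" in ISIM), created from an HR feed or manually."""
    uid: str
    attrs: dict
    request_roles: set = field(default_factory=set)  # roles granted via requests


@dataclass
class DynamicRole:
    """Membership is computed from person attributes (a simplified LDAP filter)."""
    name: str
    match: dict  # attribute -> required value; all must match


@dataclass
class ProvisioningPolicy:
    """Entitlements an AD account receives for one role (birthright or request)."""
    role: str
    groups: frozenset


def identity_policy(person: Person) -> str:
    """Identity policy: derive the AD userid as first initial + surname, lower-case."""
    return (person.attrs["givenName"][0] + person.attrs["sn"]).lower()


def dynamic_roles(person: Person, roles: list) -> set:
    """Evaluate every dynamic role filter against the person's attributes."""
    return {r.name for r in roles
            if all(person.attrs.get(k) == v for k, v in r.match.items())}


def ad_entitlements(person: Person, roles: list, policies: list):
    """Compute the AD group set for the person's account from all roles held.
    Returns None when no role applies: the person is out of scope, so no AD
    account should be provisioned at all (the account follows the policy)."""
    held = dynamic_roles(person, roles) | person.request_roles
    if not held:
        return None
    return frozenset().union(*(p.groups for p in policies if p.role in held))


# Constructed sample policy set: one birthright role for all employees, one
# department-based role, and one role that is only obtainable by request.
ROLES = [DynamicRole("all-employees", {"employeeType": "employee"}),
         DynamicRole("finance-staff", {"employeeType": "employee", "department": "finance"})]
POLICIES = [ProvisioningPolicy("all-employees", frozenset({"CN=AllStaff,OU=Groups,DC=example,DC=com"})),
            ProvisioningPolicy("finance-staff", frozenset({"CN=Finance,OU=Groups,DC=example,DC=com"})),
            ProvisioningPolicy("erp-admin", frozenset({"CN=ERP-Admins,OU=Groups,DC=example,DC=com"}))]
```

    Changing a person's department and re-running ad_entitlements shows why the policy route beats manual group assignment: the Finance group is removed automatically instead of lingering on the account.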

  • 3.  RE: ISIM - Create user in AD group

    Posted Mon June 27, 2022 03:18 AM
    Hi Galin,

    Sure, it is possible, there are several ways for it.
    It depends on what you are using ISIM for.

    First of all, let us agree on terminology:

    We (people using ISIM) tend to call "users" the users registered in ISIM, either through some HR feed or manually.
    Then, these users may get accounts, on different services, like AD, or even ISIM itself.

    So, what you need to have first is a user in ISIM (you can't create an AD account for nobody, you need an owner first). Then you go (in manual provisioning) find that user, and "request account" for it. Find the AD service, and here you are in the form for the account add request, where you may want to set some of the AD attribute fields, including group membership (search box).
    At the end, you submit request.

    This is the simplest example - we usually do not do it this way but rather over policies or accesses, but functionality-wise that is it.

    Hope it helps,


    Mita Mitic

  • 4.  RE: ISIM - Create user in AD group

    Posted Mon June 27, 2022 03:28 AM
    Thanks for chiming in :-)

    I hope Galin will be able to merge our feedback into something useful...

    We normally say that ISIM can do anything including welding under water and coffee brewing (we do NOT recommend this at the same time ;-) ) or in other words - there are many ways to skin a cat...

    Now - the value of a product like ISIM that is designed for "automation" can be difficult to see due to the complexity that this will require you to take care of - but if you succeed in getting it to work (and that has nothing to do with ISIM as a product but much more with your understanding of your business and how to drive an IAM program) then ISIM can do things I believe are very difficult to do efficiently with other products in the market...

    Franz Wolfhagen
    IAM Technical Architect for Europe - Certified Consulting IT Specialist
    IBM Security Expert Labs

  • 5.  RE: ISIM - Create user in AD group

    Posted Tue June 28, 2022 07:31 AM
    Thank you for your answers! 

    Can you give me some advice on how I can provision AD users in different OUs, because I can only provision them in the Base point that is set in the Active Directory service configuration?

    Thank you again!

    Galin Gospodinov