Fix Rename of AD Group Entitlement | Voters

Fix Rename of AD Group Entitlement

Onno van Hooff

If the underlying AD group of an entitlement is renamed, the already distributed entitlements in HelloID will not be updated with the new AD group name, but the old name will remain visible. This is very confusing, and I would expect the name to be changed within HelloID as well.

January 14, 2021

Rick van den Dijssel

Merged in a post:

Assign AD groups to GUID instead of Name

René Jonkers

In provisioning we connect in the businessrules some AD groups. This assignment is based on the AD Group Name. But, when the name of an AD group changed the rule cannot find the AD group anymore. Instead of connecting to the AD Group Name it would be nice - just like Service Automation - to read the GUID instead of the name so if the name of an AD group changed the rule keeps working.

March 6, 2024

René Jonkers

Rick van den Dijssel This is exactly what I mean. What is the reason that when using the GUID of de AD-group the name of that group not changed on the Provisioning side if GUID is used? The GUID is of course the Unique Identifier so if the group is renamed on the AD-side why is this not automatically renamed on the Provisioning side? I like to see that this would be possible. Please let me know what the possibilities are.

Rick van den Dijssel

René Jonkers: I'll merge this feedback item with Fix Rename of "AD Group Entitlement" based on your extra information

Rick van den Dijssel

René Jonkers: The group name is also stored in the bussiness rule and entitlement. Otherwise we need to get live information everytime you open a business rule, the entitlement overview, action screen. This is really slow and results in a bad user experience. Currently we don't have a solution other than adding the renamed permission to the business rules again after removing the current selected one. This will result in a new group name from all newly granted entitlements but already granted entitlements will have the old name.

Rick van den Dijssel

René Jonkers Could you explain this with a bit more details? This because the built-in on-premises AD target system is using de GUID of a group instead the name of the group. The only thing which isn't automatically updated is the group name assigned in the rule. You need to reapply the group in the rule and then the name is changed. Besides this the old name is shown on the already granted entitlements but when revoked the correct group is unassigned from the user.