I am trying to come up with a solution to address a problem I am
having, and I was wondering if some of you guys could give me some
This is the scenario: 1 Identity Vault and 2 subordinate connected
systems. There are several groups maintained in the Identity Vault. Some
are maintained by group membership entitlements and some are manually
populated by an external system since their membership is practically
static. I would like to restrict which groups are synchronized to which
connected system(s).

If I create the equivalent of a user account entitlement for a group and
synchronize the group based on that entitlement, how will the
Engine/Driver handle the synchronization of the group membership
attributes (groupMembership and SecurityEquals) on the user side when
the group does not exist on the connected system? Some users will be
members of groups in the vault that do not exist in one of the connected
systems while the user account exists in the connected system itself.
Am I going to get a bunch of errors?

For the groups populated based on group membership entitlement, I
believe I could move the existing entitlements from the vault to the
connected system. However, what about the other groups?

Should I use a different approach? What do you guys think?

celsolima's Profile: https://forums.netiq.com/member.php?userid=260
View this thread: https://forums.netiq.com/showthread.php?t=48755