Include inherited group members?

rogersmj
Community Member

I've been testing the SCIM bridge with Azure AD and I've just discovered that it doesn't seem to sync user memberships in groups via inheritance.

For example, I have AD group "A" which has, as a member, AD group "B". I have a user who is a direct member of group "B" and therefore, logically, is granted all the privileges of group A by inheritance.

In 1Password, group A syncs and is shown in my group list...but the users that should be inherited as a member of that group (via B) are not there. (Note: in my scenario, group B is also being synced to 1Password, but I will have use cases where that would not be the case too).

How can we get inherited members to sync? We have a permissions system that relies on inheritance to ensure proper security boundaries without manually adding people to a bunch of different groups. Not having this would be a major hindrance.



Comments

  • cohix
    1Password Alumni

    @rogersmj This is something that I've run into myself during development of SCIM, and the unfortunate answer is that while AD (and most IdPs) support inheritance of group memberships, the SCIM protocol itself does not. It has no concept of inheritance, and I've yet to find a clean way to allow an admin to mirror the inheritance using the SCIM protocol. I'd love to hear any ideas or insight you may have here.

  • rogersmj
    Community Member

    Bummer. Unfortunately I don't have any ideas...I'm just going to add everyone explicitly to the roles that get synced to 1P I guess.

  • cohix
    1Password Alumni

    @rogersmj Unfortunately, that is likely the best way to go about it.

This discussion has been closed.
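
The workaround the thread settles on (adding inherited users explicitly to each synced group) can be computed rather than done by hand. The following is an added example, not code from the thread or from 1Password: it flattens nested groups into the users who hold access only by inheritance. The group and user names are constructed, and it assumes the directory's direct memberships have been exported to a mapping in which every group appears as a key.

```python
# Added example: flatten nested directory groups into explicit user lists.
# All group and user names are constructed sample data.
# Assumption: every group, nested or not, appears as a key in DIRECT;
# any member that is not a key is treated as a user.

# group -> direct members
DIRECT = {
    "A": ["B", "alice"],
    "B": ["bob", "C"],
    "C": ["carol", "A"],   # deliberate cycle C -> A to show it is handled
    "D": ["dave"],
}


def effective_users(group, direct=DIRECT):
    """Return every user reachable from `group` through nested groups."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:        # already expanded; this also breaks cycles
            continue
        seen.add(current)
        for member in direct.get(current, []):
            if member in direct:   # nested group: expand it later
                stack.append(member)
            else:                  # leaf: a user
                users.add(member)
    return users


def missing_direct_members(synced_groups, direct=DIRECT):
    """Per synced group, list users who are members only by inheritance."""
    result = {}
    for group in synced_groups:
        explicit = {m for m in direct.get(group, []) if m not in direct}
        result[group] = sorted(effective_users(group, direct) - explicit)
    return result


if __name__ == "__main__":
    for group, users in missing_direct_members(["A", "D"]).items():
        print(group, "needs explicit members:", users)
```

Because the flattened lists are a snapshot, the comparison has to be rerun whenever nested membership changes so that users removed from an inner group also lose their explicit membership in the synced group.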