Documentation forAccess Rights Manager

Identify recursive groups (web client)


Groups can be members of other groups. Active Directory allows "children" to become "parents" within their own family tree. If the nested group structure loops in a circular way group membership assignments become ineffective and nonsensical. Through these recursions or circular nested groups every user who is a member of any of the recursive groups is granted all of the access rights of all of the groups. The consequence is a confusing mess of excessive access rights. Access Rights Manager automatically identifies all recursions in your system. We highly recommend removing the recursion by breaking the chain of circular group memberships.


Administer only with ARM and recursions can no longer happen because ARM does not allow the creation of recursions.


Related features

The deeper your group structure the more likely you are to have circular nested group structures. Therefore, keep an eye on the nesting depth of your groups.

Identify recursive groups (rich client)

Break the circle by managing group memberships (rich client) or removing group memberships (web client).


Step-by-step process

Go to the Risk Assessment Dashboard.


  1. ARM shows a rating for the risk factor Groups in recursion.
  2. Click Minimize risks.

The tiles are sorted by risk level and may therefore be located in different positions.


A046-04 EN Gruppen in Rekursion im Webclient identifizieren

  1. Access Rights Manager lists all groups in recursion.
  2. Use sorting, filtering and grouping to analyze the data.
  3. Select the columns to display in the grid and in the reports.
  4. Export the data into Excel.
  5. Create a report in PDF- or CSV-format. Save the report or email it.