Documentation for Access Rights Manager

Identify recursive groups

Groups can be members of other groups. Active Directory (AD) allows children to become parents within their own family tree.

If the nested group structure loops back on itself, group membership assignments become ineffective and nonsensical. Through these recursions, or circular nested groups, every user who is a member of any recursive group is granted all access rights of all groups. The result is a confusing mess of excessive access rights.

ARM automatically identifies all recursions in your system. SolarWinds highly recommends removing the recursion by breaking the chain of circular group memberships.

If you manage groups and group memberships using ARM, recursions cannot occur because ARM prevents recursions from being created.

The deeper your group structure, the more likely you are to have circular nested group structures. SolarWinds recommends monitoring the number of nested group levels. You can break the circle by managing group memberships (rich client) or removing group memberships (web client). See Identify groups in recursion (web client) for additional information.
  1. Log in to the Access Rights Manager application as an administrator.

  2. In the toolbar, click Dashboard.

  3. Maximize Groups and double-click Groups in recursions.

    The Multiselection tab is selected automatically.

    In the Multiselection screen, the scenario Groups in recursions is active. ARM lists all groups included in the recursion.

  4. In the Name column, select a group name.

    In the right column, ARM lists all users and groups in the selected recursion.

  5. Double-click the group you selected in step 4.

    The Accounts tab in the toolbar is selected automatically.

    ARM switches to the Accounts view. The recursion is indicated by the orange line.
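
The recursion described in this topic is a cycle in the group-nesting graph. The following Python code is an added example, not ARM's implementation or SolarWinds code; it finds such cycles in exported membership data and lists the users who pick up every group in a cycle. The group names, user names, and both dictionaries are constructed sample data.

```python
# Constructed sample data: group -> groups that are direct members of it
# (the group objects in each group's AD "member" attribute).
MEMBER_GROUPS = {
    "GG-Sales": ["GG-Sales-EMEA"],
    "GG-Sales-EMEA": ["GG-Projects"],
    "GG-Projects": ["GG-Sales"],      # closes the circle
    "GG-IT": ["GG-Helpdesk"],
    "GG-Helpdesk": [],
    "GG-Self": ["GG-Self"],           # a group nested in itself
}
MEMBER_USERS = {"GG-Sales-EMEA": ["alice"], "GG-Helpdesk": ["bob"]}  # constructed


def find_recursions(member_groups):
    """Return each circular nesting as a sorted list of group names."""
    # A recursion is a strongly connected component (Tarjan's algorithm) with
    # more than one group, or a single group that contains itself.
    index, low, on_stack, stack, result = {}, {}, set(), [], []

    def visit(g):
        index[g] = low[g] = len(index)
        stack.append(g)
        on_stack.add(g)
        for child in member_groups.get(g, []):
            if child not in index:
                visit(child)
                low[g] = min(low[g], low[child])
            elif child in on_stack:
                low[g] = min(low[g], index[child])
        if low[g] == index[g]:        # g is the root of a component
            comp = []
            while True:
                node = stack.pop()
                on_stack.discard(node)
                comp.append(node)
                if node == g:
                    break
            if len(comp) > 1 or g in member_groups.get(g, []):
                result.append(sorted(comp))

    for g in list(member_groups):
        if g not in index:
            visit(g)
    return sorted(result)


def users_in_recursion(cycle, member_users):
    """Direct users of any group in the cycle; each is in effect in all of them."""
    return sorted({u for g in cycle for u in member_users.get(g, [])})
```

Removing a single membership on the circle, for example emptying the entry for `GG-Projects`, is enough to make that recursion disappear from the result.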