Friday, October 9, 2020

Use new APIs to understand and audit group memberships

What’s changing 

We’re launching new APIs in beta to help better identify, audit, and understand indirect group membership (also known as ‘transitive’ or ‘nested’ group membership, see explanation below). The indirect membership visibility, membership hierarchy, and check APIs are part of the Cloud Identity Groups API and enable you to: 
These APIs are currently available as an open beta, which means you can use it without enrolling in a specific beta program. Use our API documentation to learn more. 



Who’s impacted 

Admins and developers 



Why it’s important 

These features will help provide all of the information you need to create visualization of complex group structures and hierarchies. Having this kind of membership visibility can help you make decisions about who to add to or remove from your groups. 


Customers often use groups to manage access to content and resources within their organization. Using ‘nested’ groups is common as it can decrease duplication, simplify administration, and centralize access management. 


However, nested groups can create a complex hierarchy that can make it hard to understand who ultimately has access to content or resources and why they have access. These APIs simplify finding out these answers by making it easier to identify the direct and indirect members for a group. Some use cases include: 
  • A security team can quickly identify all group memberships and associated nested memberships when a bad actor account is identified. 
  • An admin could perform a deep-dive on group structure for audit and compliance. By using the APIs to list and validate direct and indirect members for groups with many nested groups. 
  • A developer could extract group information via the API and feed it to a visualization tool that supports DOT format to make auditing and visualizing complex nested structures easier. 


Additional details 

Indirect memberships, also known as transitive memberships, come from ‘nested’ groups. Nested groups refer to situations where groups are members of other groups. As a result, users in the sub-group are members of both groups. For example, group Y is a member of group X. Users in group Y are direct members of group Y and indirect members of group X. 


Getting started 

Rollout pace 

  • This feature is available now for all users in beta. 

Availability 

  • Available to Enterprise Standard, Enterprise Plus, Enterprise for Education, and Cloud Identity Premium customers 
  • Not available to Essentials, Business Starter, Business Standard, and Business Plus, as well as G Suite Basic, Business, Education, and Nonprofits customers

Resources