Architecture Overview
Activate Security Group Compliance Manager (SGCM) is built on the Activate Connector Framework and provides continuous detection, classification, and response to Active Directory (AD) changes. This document outlines the key architectural components and concepts that underpin SGCM operations.

Architecture Overview

SGCM operates as a background monitoring and enforcement service that synchronises Active Directory data into the Activate platform using the AD DirSync control. Changes are processed through connector workflows that detect events such as object creation, modification, or group membership updates.

The architecture is composed of three primary layers:

- Detection layer: uses DirSync to identify AD changes in near real time.
- Connector layer: stores detected changes in the Activate connector space for evaluation.
- Workflow layer: executes policy-based actions (notifications, removals, job submissions) in response to events.

Detecting Active Directory Changes

SGCM uses Microsoft's DirSync control (a Lightweight Directory Access Protocol, or LDAP, extension) to detect any new, modified, or deleted objects within AD. Each synchronisation cycle compares known Activate-managed changes with those detected directly in AD to identify external modifications.

Key characteristics:

- Tracks users, groups, and computers across multiple domains.
- Includes deleted object detection.
- Uses a domain controller-specific DirSync cookie to maintain state between syncs. When changing the domain controller, the existing dirsynccookie parameter must be removed to force a full resynchronisation.

Connector Space

The Activate connector space provides a dedicated data model for tracking AD objects and their state. SGCM uses a single connector space per forest, storing object attributes and membership relationships for comparison and event generation.

Monitored object types:

- Users
- Computers
- Security groups
- Distribution lists

Change events:

- Create: new object detected.
- Update: attributes or membership changed.
- Delete: object removed from AD.

Membership changes are handled separately from group or user modifications, allowing granular tracking of each add/remove operation.

Event Processing

Each detected change generates a corresponding event within Activate. Event types include:

- Create: new object, or group membership added.
- Update: object properties or relationships modified.
- Delete: object removed, or group membership deleted.
- Deny: triggered when a change violates policy (for example, an unauthorised group addition).

Event handlers determine the appropriate workflow or response, such as rolling back an unauthorised membership, notifying group managers, or initiating a service removal.

Schema and Monitored Attributes

SGCM uses a standard Activate connector schema that defines the columns tracked within the connector space. Typical attributes include:

(attribute table not preserved in this copy of the page)

Additional columns may be defined for extended compliance checks, provided the connector schema size matches or exceeds the AD schema.

Permissions

SGCM synchronisation must run under a service account with the Replicate Directory Changes permission on the monitored domain. This permission can be delegated to a non-administrative account if required. Refer to Microsoft KB article 303972, "How to grant the 'Replicating Directory Changes' permission", for detailed steps.

Workflow Integration

SGCM workflows define what happens when a change event occurs. Workflows can:

- Submit an Activate task for approval.
- Send notifications to role-based recipients.
- Remove users from restricted groups.
- Log compliance actions for audit.

Workflows are configured under //resources/active directory and may include predefined templates such as:

- importworkflow: imports detected changes.
- changeworkflow: processes detected object changes.
- groupmemberworkflow: handles membership-specific events.
- fullworkflowwithgroups: combines all stages for continuous polling.

Background Polling

SGCM runs as part of the Activate Job Service. A background thread polls AD on a scheduled interval, executing a defined polling workflow. Parameters controlling this behaviour include:

(parameter table not preserved in this copy of the page)

Integration with Other Products

- Activate Identity Manager: provides user lifecycle data and role mappings for AD synchronisation.
- Activate Privileged Access Management (PAM): aligns privileged group membership monitoring with just-in-time access policies.

Summary

The Security Group Compliance Manager architecture combines real-time detection with automated remediation to enforce AD integrity. Through its integration with Activate's connector framework and workflow engine, SGCM provides a unified, policy-driven approach to directory compliance across hybrid environments.
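The following is an added illustration, not SGCM or Activate code, of two mechanisms described in the detection and event-processing sections: a domain controller-specific DirSync cookie that is discarded when the domain controller changes (forcing a full resynchronisation), and the comparison of connector-space membership against newly detected AD membership that emits one event per add or remove, classifying an external addition to a restricted group as a deny event. The class, function names, event fields and sample members are assumptions constructed for the example.

```python
"""Constructed illustration (not SGCM/Activate code) of two concepts from the
text: the DC-specific DirSync cookie that is dropped when the domain
controller changes, and per-member add/remove event generation from a
connector-space vs. AD membership comparison. Names are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SyncState:
    """State kept between polling cycles (assumed shape)."""
    domain_controller: str
    dirsync_cookie: Optional[bytes] = None  # opaque cookie issued by the DC


def cookie_for_sync(state: SyncState, target_dc: str) -> Optional[bytes]:
    """Return the cookie to send with the next DirSync request.

    A DirSync cookie is only meaningful to the DC that issued it, so a
    change of domain controller discards it; None means no prior state,
    which forces a full resynchronisation.
    """
    if state.domain_controller != target_dc:
        state.domain_controller = target_dc
        state.dirsync_cookie = None
    return state.dirsync_cookie


def membership_events(group: str, known: set, detected: set,
                      activate_applied: set, restricted: bool) -> list:
    """Diff connector-space members (known) against members seen in AD.

    Every add and remove is its own event. A change Activate applied itself
    is a plain 'update'; an addition made directly in AD to a restricted
    group violates policy and is emitted as 'deny'.
    """
    events = []
    for op, members in (("add", detected - known), ("remove", known - detected)):
        for member in sorted(members):
            external = member not in activate_applied
            violates = restricted and external and op == "add"
            events.append({"group": group, "member": member, "op": op,
                           "external": external,
                           "type": "deny" if violates else "update"})
    return events


# Constructed sample data: connector-space state vs. the latest AD result.
KNOWN = {"CN=alice", "CN=bob"}
DETECTED = {"CN=alice", "CN=carol", "CN=dave"}
ACTIVATE_APPLIED = {"CN=carol"}  # Activate itself submitted this addition
```

Running `membership_events("CN=Restricted Admins", KNOWN, DETECTED, ACTIVATE_APPLIED, True)` yields three events: an update for the Activate-applied addition of carol, a deny for the external addition of dave, and an update for the removal of bob.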