We want to implement IDM to manage accounts and group memberships in AD. We became aware of an IDM behavior which I hope is not true. It is about managing account group membership during a migration to IDM.
Suppose an existing AD account is a member of groups A, B, C and D. Now we’re introducing IDM and creating roles. We assign a role to the corresponding user that includes, via assignment, membership of group A in AD. After reconciliation we noticed that the account remains a member of A BUT it removes groups B, C and D (NO!!).
Is there a setting/way to prevent this behaviour? It should initially leave untouched the AD group memberships that are not managed by IDM.