This topic has 3 replies, 2 voices, and was last updated 5 years, 8 months ago by edward.borst.



    I am evaluating OpenIDM for our internal user base.
    Reading through the documents and samples I got a good overview of the functionalities.
    So far it looks promising.

    We have a big application with many LDAP roles/groups for authorization.
    My question is: what is the best way to set this up?
    What I mean:

    A user has a function like “Junior account manager”.
    This function needs access to several application roles (groups in the LDAP).
    With IDM roles and assignments I’m able to manage this, but what is the best way?

    One-to-one mapping from all of the roles? Or create a role “Junior account manager” and add the LDAP groups (application roles) there?
    The latter looks easier to maintain, but what will happen if a user gets 2 roles where the LDAP roles overlap?
    It will merge. Fine… but what if one of the roles gets deleted?

    What, in the vision of OpenIDM, is the best approach to setting this up?


    I would go the easiest way, which I think is somewhere in the middle. Having higher level business roles (like junior account manager) is nice, but that additional level of abstraction needs to be managed. So as long as there are not that many roles needed, this is a good approach.

    When you need to be able to assign the lower level application roles as well, it means you need those in IdM as well. I think that the ideal situation is when you are able to cover 80+ % of privilege assignments with some base automatically assigned business roles (like internal / external employee) and then have the rest as manually assigned one-to-one application roles directly mapped from LDAP groups.

    TL;DR This really depends on the specific environment and your requirements / needs :).


    Thanks for your answer.
    There is no need to directly assign application roles to users.
    We want to follow a more process/task-oriented architecture for specific access.
    For regular “basic” things we will use the role architecture.

    This then looks like:
    UserA is an internal employee, so we create the role “Internal employee” and assign the necessary LDAP groups to it.
    UserA is a Junior account manager, so we create a role “Junior account manager” in IDM and assign the necessary LDAP groups to it.
    UserA is also part of a team taking care of order approvals, so we create a role “Order approval” in IDM and assign the necessary LDAP groups to it.

    Now let's have a look at the LDAP groups assigned to the IDM roles:
    Internal employee has the following LDAP groups assigned:
    read_common and session
    Junior account manager has the following LDAP groups:
    quotation, order_entry and nac_data.
    Order approval has the following LDAP groups:
    quotation, order_entry, nac_data and order_management.

    My question is: is this going to work from the IDM perspective?
    Is there an advantage to having the roles and LDAP groups managed in IDM compared to creating and managing these roles/groups in LDAP?

    Please comment on this!
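As an added illustration (not code from this thread or from OpenIDM itself), the following Python model uses the three roles and the LDAP groups listed in the post above to show what the merged group set looks like when roles overlap, and which groups a reconciliation would revoke when one role is removed. The role and group names come from the post; the `reconcile` logic is a simplified stand-in for what an IdM product does, not OpenIDM's implementation.

```python
# Added example: models the role -> LDAP group mapping from the post above.
# It is not OpenIDM code; it shows the merge/revoke behaviour the poster asks about.
from typing import Dict, FrozenSet, List, Set

# Role definitions constructed to match the post.
ROLE_GROUPS: Dict[str, FrozenSet[str]] = {
    "Internal employee": frozenset({"read_common", "session"}),
    "Junior account manager": frozenset({"quotation", "order_entry", "nac_data"}),
    "Order approval": frozenset({"quotation", "order_entry", "nac_data", "order_management"}),
}


def effective_groups(roles: List[str]) -> Dict[str, Set[str]]:
    """Return each LDAP group the user should hold, mapped to the roles granting it.

    Overlapping groups simply merge: a group is held once, and it records every
    role that justifies it. That provenance is what makes removing a role safe.
    """
    granted: Dict[str, Set[str]] = {}
    for role in roles:
        for group in ROLE_GROUPS[role]:
            granted.setdefault(group, set()).add(role)
    return granted


def reconcile(current_groups: Set[str], roles: List[str]) -> Dict[str, Set[str]]:
    """Compute what a reconciliation would add and remove for the given roles.

    Groups still justified by at least one remaining role are kept; groups no
    longer justified by any role are revoked. Nothing is duplicated on overlap.
    """
    wanted = set(effective_groups(roles))
    return {"add": wanted - current_groups, "remove": current_groups - wanted}


if __name__ == "__main__":
    roles = ["Internal employee", "Junior account manager", "Order approval"]
    before = effective_groups(roles)
    for group, by in sorted(before.items()):
        print(f"{group:17} <- {sorted(by)}")
    # Drop "Order approval": only order_management loses its last justification.
    print(reconcile(set(before), roles[:2]))
    # Drop "Junior account manager" instead: "Order approval" still covers all its groups.
    print(reconcile(set(before), [roles[0], roles[2]]))
```

Removing "Junior account manager" revokes nothing because "Order approval" still justifies quotation, order_entry and nac_data, while removing "Order approval" revokes only order_management.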


    Not a lot of activity here… :(

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.