December 12, 2016 at 12:41 pm #14787
I am evaluating OpenIDM for our internal user base.
Reading through the documents and samples I got a good overview of the functionalities.
So far it looks promising.
We have a big application with many LDAP roles/groups for authorization.
My question is: what is the best way to set this up?
What I mean:
A user has a function like “Junior account manager”.
This function needs access to several application roles (groups in the LDAP).
With IDM roles and assignments I’m able to manage this, but what is the best way?
One-to-one mapping from all of the roles? Or create a role “Junior account manager” and add the LDAP groups (application roles) to it?
The latter looks easier to maintain, but what will happen if a user gets 2 roles where the LDAP roles overlap?
It will merge. Fine… but what if one of the roles gets deleted?
What, in the vision of OpenIDM, is the best approach to setting this up?
Edward
December 13, 2016 at 12:19 pm #14795
I would go the easiest way, which I think is somewhere in the middle. Having higher level business roles (like junior account manager) is nice, but that additional level of abstraction needs to be managed. So as long as there are not that many roles needed, this is a good approach.
When you need to be able to assign the lower level application roles as well, it means you need those in IdM as well. I think that the ideal situation is when you are able to cover 80+ % of privilege assignments with some base automatically assigned business roles (like internal / external employee) and then have the rest as manually assigned one-to-one application roles directly mapped from LDAP groups.
TL;DR This really depends on the specific environment and your requirements / needs :).

December 23, 2016 at 9:13 am #15054
Thanks for your answer.
There is no need to directly assign application roles to users.
We want to follow a more process/task architecture for specific access.
For regular “basic” things we will use the Role architecture.
This then looks like:
UserA is an internal employee, so we create the role “Internal employee” and assign the necessary LDAP groups to it.
UserA is Junior account manager, so we create a role “Junior account manager” in IDM and assign the necessary LDAP groups to it.
UserA is also part of a team taking care of order approvals, so we create a role “Order approval” in IDM and assign the necessary LDAP groups to it.
Now let’s have a look at the LDAP groups assigned to the IDM roles:
Internal employee has the following LDAP groups assigned:
read_common and session
Junior account manager has the following LDAP groups:
quotation, order_entry and nac_data.
Order approval has the following LDAP groups:
quotation, order_entry, nac_data and order_management.
My question is: is this going to work from the IDM perspective?
Is there an advantage over having the roles and LDAP groups managed in IDM compared to if we create and manage these roles/groups in LDAP?
Please comment on this!

January 19, 2017 at 9:42 am #15423
Not a lot of activity here… :(
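As an added illustration, not code from this thread and not OpenIDM's own implementation, the role layout from the December 23 post modelled in Python. It assumes the union ("it will merge") semantics the original poster expects: a user's effective LDAP groups are the union of the groups granted by every role they still hold, so removing one role only takes away the groups no remaining role grants. It also shows the audit view that argues for managing the mapping in IDM rather than directly in LDAP: which role explains each group, and which groups on an LDAP entry are explained by no role at all. The role and group names come from the post; the user's current LDAP membership used in the drift check is constructed sample data.

```python
"""Model of IDM roles granting LDAP groups (added illustration, not OpenIDM code).

Semantics assumed here: a user's effective groups are the union of the
groups granted by all roles the user holds. Whether a real IDM product
behaves exactly this way must be checked against its documentation.
"""

from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Role -> LDAP groups, exactly as listed in the December 23 post.
ROLES: Dict[str, FrozenSet[str]] = {
    "Internal employee": frozenset({"read_common", "session"}),
    "Junior account manager": frozenset({"quotation", "order_entry", "nac_data"}),
    "Order approval": frozenset(
        {"quotation", "order_entry", "nac_data", "order_management"}
    ),
}


def effective_groups(user_roles: Iterable[str],
                     roles: Dict[str, FrozenSet[str]] = ROLES) -> Set[str]:
    """Union of the groups granted by every role the user currently holds."""
    groups: Set[str] = set()
    for role in user_roles:
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        groups |= roles[role]
    return groups


def groups_lost_on_removal(user_roles: Iterable[str], removed_role: str,
                           roles: Dict[str, FrozenSet[str]] = ROLES) -> Set[str]:
    """Groups that actually disappear when one role is taken away.

    Overlapping groups survive as long as another remaining role still
    grants them; only groups granted solely by the removed role are lost.
    """
    remaining = [r for r in user_roles if r != removed_role]
    return set(roles[removed_role]) - effective_groups(remaining, roles)


def grant_sources(roles: Dict[str, FrozenSet[str]] = ROLES) -> Dict[str, Set[str]]:
    """Reverse map: LDAP group -> the roles that grant it (for audit/review)."""
    sources: Dict[str, Set[str]] = {}
    for role, groups in roles.items():
        for group in groups:
            sources.setdefault(group, set()).add(role)
    return sources


def reconcile(current_ldap_groups: Iterable[str], user_roles: Iterable[str],
              roles: Dict[str, FrozenSet[str]] = ROLES) -> Tuple[Set[str], Set[str]]:
    """Compare an LDAP entry's actual membership with what the roles explain.

    Returns (to_add, to_remove): groups the roles grant but the entry lacks,
    and groups on the entry that no held role explains (privilege drift).
    """
    expected = effective_groups(user_roles, roles)
    actual = set(current_ldap_groups)
    return expected - actual, actual - expected


if __name__ == "__main__":
    user_a = ["Internal employee", "Junior account manager", "Order approval"]
    print("effective:", sorted(effective_groups(user_a)))
    print("lost if 'Order approval' removed:",
          sorted(groups_lost_on_removal(user_a, "Order approval")))
    print("lost if 'Junior account manager' removed:",
          sorted(groups_lost_on_removal(user_a, "Junior account manager")))
    # Constructed sample LDAP membership with one unexplained group.
    actual = {"read_common", "session", "quotation", "admin_tools"}
    print("drift:", reconcile(actual, ["Internal employee", "Junior account manager"]))
```

Run as a script it prints the effective group set for UserA, shows that dropping "Order approval" removes only order_management while dropping "Junior account manager" removes nothing (every group it grants is still covered by "Order approval"), and flags the constructed admin_tools group as membership that no role explains. The reverse map from grant_sources is the kind of "why does this user have this group" answer that is much harder to produce when the groups are maintained by hand in LDAP.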