Provisioning Groups, Memberships, and Permissions to LDAP
Provisioning Objectives
• Groups, memberships, and/or permissions
• Custom group attributes too
• Flexible presentation in LDAP
• Incremental update each polling cycle
But not …
• Mapping Grouper group access privileges to LDAP
• Custom group list fields
Distributed Access Management CAMP
Selecting Groups & Memberships for Provisioning
• Select by stem, group attribute, modify time
• Multiple selections are unioned together
• Limited by the access privileges of the Subject the provisioning connector is running as
Selecting Permissions for Provisioning
• All active
• All active with identified permission characteristics
  • Limits, functions, subsystems
• Selection requirements remain to be explored
Finding the LDAP Entry of a Subject
• For each Subject Source, declare
  • A subject attribute
  • An LDAP search using that attribute
Provisioning Groups
• “Flat” or “bushy”
• Subject attribute-valued membership attribute
  • hasMember from eduMember objectclass
• DN-valued membership attribute
  • member or uniqueMember, commonly
• Map of Grouper group attributes to LDAP group attributes
Provisioning Permissions
• “String” style
• “eduPermission” style
Permission as String
eduPersonEntitlement: urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approver-limit:ge-cc-app-app-approve
<Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit>
De-Provisioning
• All groups in a given OU (flat) or subtree (bushy) must be “owned” by a single instance of the LDAP provisioner
• “Multiple cooks problem” is not an issue for memberships or permissions
• If only Grouper & Signet gave notification of changes…
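The two slides on group layout and on de-provisioning share one mechanism: the provisioner derives a DN for every selected Grouper group, and anything in its owned OU (flat) or subtree (bushy) that no longer maps to a selected group is a candidate for deletion. That is why the deck insists on a single owner per OU or subtree. The code below is an added example, not from the deck or from Grouper: it maps a Grouper name to a flat or bushy DN with RFC 4514 escaping, builds a group entry with either a DN-valued (member, uniqueMember) or subject-attribute-valued (hasMember) membership attribute and a Grouper-to-LDAP attribute map, and then plans de-provisioning while refusing to delete anything outside the owned base. The base DN, group names, member values and directory contents are all constructed; the object classes assumed are groupOfNames, groupOfUniqueNames and eduMember, and a deployment using eduMember would also need a structural class of its own choosing.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed for this example; the deck names no base DN.
GROUP_BASE = "ou=groups,dc=example,dc=edu"

_RDN_SPECIALS = '\\,+"<>;='


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514).
    ':' is not special, so a full Grouper name can sit in a cn unchanged."""
    out = "".join("\\" + c if c in _RDN_SPECIALS else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def group_dn(grouper_name: str, style: str, base: str = GROUP_BASE) -> str:
    """Map 'stem:substem:extension' to a DN in the flat or bushy layout."""
    parts = grouper_name.split(":")
    if style == "flat":
        # one OU holds everything; the cn is the full Grouper name
        return f"cn={escape_rdn_value(grouper_name)},{base}"
    if style == "bushy":
        # one OU per stem level; the cn is the extension only
        rdns = [f"cn={escape_rdn_value(parts[-1])}"]
        rdns += [f"ou={escape_rdn_value(p)}" for p in reversed(parts[:-1])]
        return ",".join(rdns + [base])
    raise ValueError(f"unknown style {style!r}")


def group_entry(grouper_name: str, members: Iterable[str], style: str,
                membership_attr: str = "member",
                grouper_attrs: Optional[Dict[str, str]] = None,
                attr_map: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Attributes of one provisioned group entry.

    members are DNs for member/uniqueMember and subject attribute values
    (e.g. uid) for hasMember. attr_map renames Grouper group attributes to
    LDAP attributes; unmapped Grouper attributes are not written.
    """
    if membership_attr == "member":
        classes = ["groupOfNames"]
    elif membership_attr == "uniqueMember":
        classes = ["groupOfUniqueNames"]
    elif membership_attr == "hasMember":
        classes = ["eduMember"]  # auxiliary; a structural class is assumed too
    else:
        raise ValueError(f"unsupported membership attribute {membership_attr!r}")
    parts = grouper_name.split(":")
    entry: Dict[str, List[str]] = {
        "objectClass": classes,
        "cn": [parts[-1] if style == "bushy" else grouper_name],
        membership_attr: sorted(set(members)),  # deterministic for diffing
    }
    for gattr, value in (grouper_attrs or {}).items():
        ldap_attr = (attr_map or {}).get(gattr)
        if ldap_attr:
            entry.setdefault(ldap_attr, []).append(value)
    return entry


def plan_deprovisioning(desired_dns: Set[str], existing_dns: Iterable[str],
                        owned_base: str) -> Tuple[List[str], List[str]]:
    """Return (to_create, to_delete) for one polling cycle.

    Only entries under owned_base are ever deleted: if a second writer shares
    the OU or subtree, its entries would otherwise vanish here, which is the
    single-owner rule from the slide.
    """
    existing = set(existing_dns)
    suffix = "," + owned_base.lower()
    to_create = sorted(desired_dns - existing)
    to_delete = sorted(dn for dn in existing - desired_dns
                       if dn.lower().endswith(suffix))
    return to_create, to_delete


def example_plan() -> Tuple[List[str], List[str]]:
    """Constructed cycle: two groups selected in Grouper, bushy layout."""
    selected = ["app:approval:approvers", "app:approval:viewers"]
    desired = {group_dn(g, "bushy") for g in selected}
    # what a subtree search of the owned base returned, plus one entry
    # outside the base that must never be touched
    existing = [
        "cn=approvers,ou=approval,ou=app,ou=groups,dc=example,dc=edu",
        "cn=oldteam,ou=approval,ou=app,ou=groups,dc=example,dc=edu",
        "cn=admins,ou=manual,dc=example,dc=edu",
    ]
    return plan_deprovisioning(desired, existing, GROUP_BASE)


if __name__ == "__main__":
    print(group_entry("app:approval:approvers",
                      ["uid=bob,ou=people,dc=example,dc=edu",
                       "uid=alice,ou=people,dc=example,dc=edu"],
                      "bushy", grouper_attrs={"description": "Finance approvers"},
                      attr_map={"description": "description"}))
    print(example_plan())
```

Memberships and permissions do not need the single-owner rule because each cycle rewrites only the values the provisioner itself derives; it is the deletion of whole entries under a base that is unsafe when more than one writer shares that base.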