1 / 11

Provisioning Groups, Memberships, and Permissions to LDAP

Provisioning Groups, Memberships, and Permissions to LDAP. Provisioning Objectives. Groups, memberships, and/or permissions Custom group attributes too Flexible presentation in LDAP Incremental update each polling cycle But not … Mapping Grouper group access privileges to LDAP

edwardcain
Download Presentation

Provisioning Groups, Memberships, and Permissions to LDAP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Provisioning Groups, Memberships, and Permissions to LDAP

  2. Provisioning Objectives • Groups, memberships, and/or permissions • Custom group attributes too • Flexible presentation in LDAP • Incremental update each polling cycle But not … • Mapping Grouper group access privileges to LDAP • Custom group list fields Distributed Access Management CAMP

  3. Selecting Groups & Membershipsfor Provisioning • Select by stem, group attribute, modify time • Multiple selections are unioned together • Limited by the access privileges of the Subject the provisioning connector is running as Distributed Access Management CAMP

  4. Selecting Permissionsfor Provisioning • All active • All active with identified permission characteristics • Limits, functions, subsystems • Selection requirements remain to be explored Distributed Access Management CAMP

  5. Finding the LDAP Entry of a Subject • For each Subject Source, declare • A subject attribute • An LDAP search using that attribute Distributed Access Management CAMP

  6. Provisioning Groups • “Flat” or “bushy” • Subject attribute-valued membership attribute • hasMember from eduMember objectclass • DN-valued membership attribute • member or uniqueMember, commonly • Map of Grouper group attributes to LDAP group attributes Distributed Access Management CAMP

  7. “String” style “eduPermission” style Provisioning Permissions Distributed Access Management CAMP

  8. Permission as String eduPersonEntitlement: urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approver-limit:ge-cc-app-app-approve <Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit> Distributed Access Management CAMP

  9. De-Provisioning • All groups in a given OU (flat) or subtree (bushy) must be “owned” by a single instance of the LDAP provisioner • “Multiple cooks problem” is not an issue for memberships or permissions • If only Grouper & Signet gave notification of changes… Distributed Access Management CAMP

More Related