Provisioning Groups, Memberships, and Permissions to LDAP


edwardcain




Presentation Transcript


  1. Provisioning Groups, Memberships, and Permissions to LDAP

  2. Provisioning Objectives
  • Groups, memberships, and/or permissions
  • Custom group attributes too
  • Flexible presentation in LDAP
  • Incremental update each polling cycle
  But not …
  • Mapping Grouper group access privileges to LDAP
  • Custom group list fields
  Distributed Access Management CAMP

  3. Selecting Groups & Memberships for Provisioning
  • Select by stem, group attribute, modify time
  • Multiple selections are unioned together
  • Limited by the access privileges of the Subject the provisioning connector is running as

  4. Selecting Permissions for Provisioning
  • All active
  • All active with identified permission characteristics
    • Limits, functions, subsystems
  • Selection requirements remain to be explored

  5. Finding the LDAP Entry of a Subject
  • For each Subject Source, declare
    • A subject attribute
    • An LDAP search using that attribute

  6. Provisioning Groups
  • “Flat” or “bushy”
  • Subject attribute-valued membership attribute
    • hasMember from eduMember objectclass
  • DN-valued membership attribute
    • member or uniqueMember, commonly
  • Map of Grouper group attributes to LDAP group attributes

  7. Provisioning Permissions
  • “String” style
  • “eduPermission” style

  8. Permission as String
  eduPersonEntitlement: urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approver-limit:ge-cc-app-app-approve
  <Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit>
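The prefix in the slide-8 layout itself contains colons, so a left-to-right split on ":" mis-assigns the fields. The block below is an added example, not code from the presentation or from Grouper: it parses and re-serializes eduPersonEntitlement values of that layout, and partitions an entry's values into the ones this provisioner owns (optionally a single subsystem, as in the slide-4 selection) and foreign ones it must leave alone when reconciling or de-provisioning. The function names and the sample values other than the slide's own are assumptions.

```python
from dataclasses import dataclass
# Prefix from slide 8's example; trailing fields: SubSystem:PermissionId:Scope:LimitId:Limit
PERMISSION_PREFIX = "urn:mace:uchicago.edu:permission"

@dataclass(frozen=True)
class Permission:
    prefix: str
    subsystem: str
    permission_id: str
    scope: str
    limit_id: str
    limit: str

    def to_entitlement(self):
        # Serialize back to the <Prefix>:<SubSystem>:...:<Limit> layout.
        return ":".join((self.prefix, self.subsystem, self.permission_id,
                         self.scope, self.limit_id, self.limit))

def parse_entitlement(value, prefix=PERMISSION_PREFIX):
    # The prefix itself contains colons, so split from the RIGHT: the five
    # trailing fields are positional, the remainder must equal the prefix.
    parts = value.rsplit(":", 5)
    if len(parts) != 6 or parts[0] != prefix or "" in parts:
        raise ValueError(f"not a {prefix} permission: {value!r}")
    return Permission(*parts)

def owned_entitlements(values, prefix=PERMISSION_PREFIX, subsystem=None):
    # Partition an entry's eduPersonEntitlement values into those this
    # provisioner owns (optionally one subsystem) and those it must not touch.
    owned, foreign = [], []
    for value in values:
        try:
            perm = parse_entitlement(value, prefix)
        except ValueError:
            foreign.append(value)
            continue
        if subsystem is None or perm.subsystem == subsystem:
            owned.append(perm)
        else:
            foreign.append(value)
    return owned, foreign

# Constructed sample entry: the slide's value, a second (assumed) Grouper permission, and a foreign entitlement.
SAMPLE_VALUES = [
    "urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:"
    "fin-approver-limit:ge-cc-app-app-approve",
    "urn:mace:uchicago.edu:permission:payroll:viewer:UofC:none:none",
    "urn:mace:dir:entitlement:common-lib-terms",
]
```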

  9. De-Provisioning
  • All groups in a given OU (flat) or subtree (bushy) must be “owned” by a single instance of the LDAP provisioner
  • “Multiple cooks problem” is not an issue for memberships or permissions
  • If only Grouper & Signet gave notification of changes…
