Provisioning Groups, Memberships, and Permissions to LDAP
Distributed Access Management CAMP
Provisioning Objectives
• Groups, memberships, and/or permissions
  – Custom group attributes too
• Flexible presentation in LDAP
• Incremental update each polling cycle
But not …
• Mapping Grouper group access privileges to LDAP
• Custom group list fields
Selecting Groups & Memberships for Provisioning
• Select by stem, group attribute, or modify time
• Multiple selections are unioned together
• Limited by the access privileges of the Subject the provisioning connector runs as: the connector can only provision what that Subject is allowed to read
Selecting Permissions for Provisioning
• All active permissions with the identified characteristics
  – Limits, functions, subsystems
  – Selection requirements remain to be explored
Finding the LDAP Entry of a Subject
• For each Subject Source, declare
  – A subject attribute
  – An LDAP search using that attribute
Provisioning Groups
• “Flat” or “bushy”
• Subject attribute-valued membership attribute
  – hasMember from the eduMember objectclass
• DN-valued membership attribute
  – member or uniqueMember, commonly
• Map of Grouper group attributes to LDAP group attributes
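The two preceding slides (subject lookup per Subject Source, and flat vs bushy group rendering with a subject attribute-valued or DN-valued membership attribute) in working form, as an added example that is not code from the slides or from Grouper. The base DNs, the source ids, the attribute mapping and the function names are hypothetical. The part practitioners most often get wrong is shown explicitly: a subject attribute value that is substituted into an LDAP filter is escaped per RFC 4515, and a group or stem name used as an RDN is escaped per RFC 4514, so a hostile value cannot change the search or the DN.

```python
"""Added example, not code from the slides or from Grouper: per-source subject
lookup filters and flat vs bushy rendering of a Grouper group as an LDAP entry.
The base DNs, source ids and attribute mapping are hypothetical."""
from dataclasses import dataclass, field


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so a
    subject attribute value taken from a Subject Source cannot inject filter syntax."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value used as an RDN inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class SubjectSource:
    subject_attribute: str   # Grouper subject attribute whose value is searched for
    search_base: str
    filter_template: str     # "{value}" is replaced with the escaped attribute value


# Hypothetical declarations, one per Subject Source.
SOURCES = {
    "people": SubjectSource("uid", "ou=people,dc=example,dc=edu",
                            "(&(objectClass=inetOrgPerson)(uid={value}))"),
    "guests": SubjectSource("mail", "ou=guests,dc=example,dc=edu", "(mail={value})"),
}


def subject_search(source_id: str, subject: dict) -> tuple:
    """Return (search base, filter) that locates the LDAP entry of a subject."""
    src = SOURCES[source_id]
    escaped = escape_filter_value(subject[src.subject_attribute])
    return src.search_base, src.filter_template.format(value=escaped)


GROUP_BASE = "ou=groups,dc=example,dc=edu"
# Grouper group attribute -> LDAP attribute (hypothetical mapping).
ATTRIBUTE_MAP = {"displayExtension": "displayName", "description": "description"}


@dataclass
class Group:
    name: str                                    # Grouper name, e.g. etc:apps:finance:approvers
    attributes: dict = field(default_factory=dict)
    members: list = field(default_factory=list)  # (subject attribute value, subject DN) pairs


def group_dn(name: str, bushy: bool) -> str:
    """Flat: one cn per group directly under GROUP_BASE.  Bushy: each stem becomes an ou."""
    parts = name.split(":")
    if not bushy:
        return f"cn={escape_rdn_value(name)},{GROUP_BASE}"
    rdns = [f"cn={escape_rdn_value(parts[-1])}"]
    rdns += [f"ou={escape_rdn_value(p)}" for p in reversed(parts[:-1])]
    return ",".join(rdns + [GROUP_BASE])


def render_group(group: Group, bushy: bool, dn_valued: bool) -> str:
    """Render the group as LDIF.  dn_valued=True emits groupOfNames/member;
    dn_valued=False emits eduMember/hasMember carrying the subject attribute
    value.  eduMember is auxiliary, so a real directory also needs whatever
    structural class its schema requires; LDIF base64 folding is omitted."""
    lines = [f"dn: {group_dn(group.name, bushy)}", "objectClass: top"]
    if dn_valued:
        lines.append("objectClass: groupOfNames")
        lines += [f"member: {dn}" for _, dn in group.members]
    else:
        lines.append("objectClass: eduMember")
        lines += [f"hasMember: {value}" for value, _ in group.members]
    lines.append(f"cn: {group.name.split(':')[-1] if bushy else group.name}")
    for grouper_attr, ldap_attr in ATTRIBUTE_MAP.items():
        if grouper_attr in group.attributes:
            lines.append(f"{ldap_attr}: {group.attributes[grouper_attr]}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    g = Group("etc:apps:finance:approvers", {"description": "Finance approvers"},
              [("jdoe", "uid=jdoe,ou=people,dc=example,dc=edu")])
    print(subject_search("people", {"uid": "jdoe"}))
    print(render_group(g, bushy=True, dn_valued=False))
```

In the DN-valued form the member DNs are the results of `subject_search` for each member; in the subject attribute-valued form no lookup is needed, which is the usual reason to choose hasMember. Note that a groupOfNames must carry at least one member, so an empty group cannot be rendered that way.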
Provisioning Permissions
• “String” style
• “eduPermission” style
Permission as String
eduPersonEntitlement: urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approverlimit:ge-cc-app-approve
<Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit>
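An encoder and decoder for the string-style permission above, as an added example that is not code from the slides, from Grouper or from Signet. The prefix and the sample value are the ones on the slide; the function and field names are hypothetical. The point the example makes is that the prefix itself contains colons, so a consumer must split on a prefix it already knows rather than on every colon, and that a field containing a colon cannot be represented unambiguously, so the encoder rejects it.

```python
"""Added example, not from the slides or from Grouper/Signet: encode and decode the
"string" style permission carried in eduPersonEntitlement.  The prefix and the
sample value are those on the slide; function and field names are hypothetical."""
from dataclasses import dataclass

ENTITLEMENT_ATTRIBUTE = "eduPersonEntitlement"
PREFIX = "urn:mace:uchicago.edu:permission"
SAMPLE_VALUE = PREFIX + ":approvalTool:fin-approver:UofC:fin-approverlimit:ge-cc-app-approve"
FIELD_COUNT = 5   # <SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit> after the prefix


@dataclass(frozen=True)
class Permission:
    prefix: str          # the <Prefix>; may itself contain ':' (urn:mace:...)
    subsystem: str
    permission_id: str
    scope: str
    limit_id: str
    limit: str

    def fields(self) -> tuple:
        return (self.subsystem, self.permission_id, self.scope, self.limit_id, self.limit)


def format_permission(p: Permission) -> str:
    """Render the entitlement value.  ':' is the separator, so a field containing
    one could not be parsed back unambiguously and is rejected here."""
    for f in p.fields():
        if not f or ":" in f:
            raise ValueError(f"field {f!r} must be non-empty and must not contain ':'")
    return ":".join((p.prefix,) + p.fields())


def parse_permission(value: str, prefix: str) -> Permission:
    """Decode one value.  Because the prefix contains ':' itself, strip the known
    prefix first and split only what follows it."""
    if not value.startswith(prefix + ":"):
        raise ValueError("value does not carry the expected prefix")
    fields = value[len(prefix) + 1:].split(":")
    if len(fields) != FIELD_COUNT or not all(fields):
        raise ValueError(f"expected {FIELD_COUNT} non-empty fields after the prefix")
    return Permission(prefix, *fields)


def permissions_for(entry_values, prefix: str, subsystem: str = None) -> list:
    """Decode the eduPersonEntitlement values of one entry that belong to this
    prefix.  Values with other prefixes (other applications' entitlements) are
    ignored rather than treated as errors."""
    out = []
    for v in entry_values:
        if not v.startswith(prefix + ":"):
            continue
        p = parse_permission(v, prefix)
        if subsystem is None or p.subsystem == subsystem:
            out.append(p)
    return out


if __name__ == "__main__":
    print(parse_permission(SAMPLE_VALUE, PREFIX))
```

On the consuming side an application typically calls `permissions_for(entry[ENTITLEMENT_ATTRIBUTE], PREFIX, "approvalTool")` and then checks permission id, scope and limit against what the request needs.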
De-Provisioning
• All groups in a given OU (flat) or subtree (bushy) must be “owned” by a single instance of the LDAP provisioner, since that instance deletes any group it finds there that it did not provision
• The “multiple cooks problem” is not an issue for memberships or permissions: each instance only adds and removes its own values
• If only Grouper & Signet gave notification of changes…
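One polling cycle's reconciliation under the ownership rules above (and the incremental update from the objectives slide), as an added example that is not Grouper's or Signet's code. Group entries are deleted only inside the OU or subtree this instance owns, and entitlement values are removed only when they carry this instance's prefix; all DNs, values and function names are constructed and hypothetical.

```python
"""Added example, not Grouper's or Signet's own code: one polling cycle's
reconciliation under the de-provisioning rules from the slide.  Group entries are
deleted only inside the OU or subtree this provisioner instance owns, and
entitlement values are removed only when they carry this instance's prefix, so a
second provisioner's groups or another application's entitlements are left alone.
DNs and values below are constructed sample data."""


def is_under(dn: str, base: str) -> bool:
    """True when dn lies below base (case-insensitive, no DN normalisation)."""
    return dn.lower().endswith("," + base.lower())


def plan_group_changes(desired: dict, current: dict, owned_base: str) -> tuple:
    """desired and current map group DN -> set of membership values (hasMember or
    member); current is what a subtree search of owned_base returned this cycle.
    Returns (adds, membership changes, deletes)."""
    for dn in desired:
        if not is_under(dn, owned_base):   # this instance must own every group it writes
            raise ValueError(f"{dn} is outside the owned base {owned_base}")
    adds = {dn: members for dn, members in desired.items() if dn not in current}
    # Anything in the owned subtree that Grouper no longer wants is removed.
    deletes = sorted(dn for dn in current if dn not in desired and is_under(dn, owned_base))
    member_changes = {}
    for dn in desired.keys() & current.keys():
        to_add, to_remove = desired[dn] - current[dn], current[dn] - desired[dn]
        if to_add or to_remove:
            member_changes[dn] = (to_add, to_remove)
    return adds, member_changes, deletes


def owned_value(value: str, prefix: str) -> bool:
    return value.startswith(prefix + ":")


def plan_entitlement_changes(desired: set, current: set, prefix: str) -> tuple:
    """Per person entry: add missing values, remove stale values that carry our
    prefix, and never touch values written by another application."""
    if any(not owned_value(v, prefix) for v in desired):
        raise ValueError("desired values must all carry this instance's prefix")
    to_add = desired - current
    to_remove = {v for v in current if owned_value(v, prefix) and v not in desired}
    return to_add, to_remove


def modify_ldif(dn: str, attr: str, to_add, to_remove) -> str:
    """Render one changetype: modify record for value-level adds and deletes."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, values in (("add", to_add), ("delete", to_remove)):
        if values:
            lines.append(f"{op}: {attr}")
            lines += [f"{attr}: {v}" for v in sorted(values)]
            lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    base = "ou=groups,dc=example,dc=edu"
    desired = {f"cn=a,{base}": {"jdoe", "asmith"}, f"cn=b,{base}": {"jdoe"}}
    current = {f"cn=a,{base}": {"jdoe", "old"}, f"cn=c,{base}": set()}
    adds, changes, deletes = plan_group_changes(desired, current, base)
    print(adds, changes, deletes)
    for dn, (add, rem) in changes.items():
        print(modify_ldif(dn, "hasMember", add, rem))
```

Running two instances against the same OU would make each delete the other's groups on every cycle, which is exactly the "multiple cooks" failure the slide warns about; the value-level plan has no such problem because each instance only ever touches values it can recognise as its own.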