Posted to user@syncope.apache.org by Manish Baid <mm...@gmail.com> on 2014/11/19 21:08:35 UTC

Provisioning multiple external resource entitlements (ex. ldap groups) on a role assignment

Hello,
We are evaluating Syncope to be our provisioning engine. I could not find a
way to achieve the following MUST HAVE requirement in our project:

Associate MULTIPLE target resource entitlements (ex. ldap groups) to a
ROLE, such that a user assigned to the role will be provisioned the corresponding
resource entitlements.
Observation: a single resource entitlement can be synchronized (reconciled)
as a ROLE in Syncope and assigned to the user.

Corresponding feature in proprietary software -->
Oracle Identity Manager: Access Policy
IBM Tivoli Identity Manager: Provisioning Policy



Thanks

Re: Provisioning multiple external resource entitlements (ex. ldap groups) on a role assignment

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 20/11/2014 18:33, Manish Baid wrote:
> Hi Ilgrosso,
> Use Case is:
>
> Organizational Role: "IDM Developers"
> LDAP Groups: "svn_user", "domain_user"....5 more === Total 7 roles
>
> ASK: Users who belong to the "IDM Developers" role should be automatically 
> provisioned to the above 7 LDAP groups.
>
> As per my understanding, if I were to implement the above requirement in 
> Syncope, I will have to:
>
> a) reconcile LDAP groups into Syncope, where they would be established as 
> roles with the LDAP resource
>
> b) the user will then have to request all those 7 roles
>
>
> Please let me know if I am missing anything or there is a better way to 
> get it done.

Hi,
without any further customization, your understanding is correct: 7 
groups in LDAP <-> 7 roles in Apache Syncope.

Alternatively, as I was suggesting in my original reply, you can define 
7 different LDAP resources sharing the same LDAP connector, but each 
with a different account link expression; at that point you can assign 
those 7 LDAP resources to a single role in Syncope, thus getting to the 
situation where 7 groups in LDAP <-> 1 role in Apache Syncope.

Naturally this latter option might have some drawbacks I haven't 
considered yet, but it is probably worth exploring.

> Also, can you please point me to some documentation which explains 
> "Role templates" and how to use them.

Unfortunately there isn't enough documentation about this: role (and 
user) templates are a way to describe how a role (or a user) that gets 
created in Syncope via synchronization from an external resource 
should look: suppose you want a role synchronized from LDAP to 
also get assigned to the same LDAP resource (so that any modification 
in Syncope also gets propagated back to LDAP), or you would like to 
automatically populate some attribute (via a JEXL expression).

HTH
Regards.

> On Wed, Nov 19, 2014 at 11:45 PM, Francesco Chicchiriccò 
> <ilgrosso@apache.org <ma...@apache.org>> wrote:
>
>     On 19/11/2014 21:08, Manish Baid wrote:
>
>         Hello,
>         We are evaluating Syncope to be our provisioning engine. I
>         could not find a way to achieve the following MUST HAVE
>         requirement in our project:
>
>         Associate MULTIPLE target resource entitlements (ex. ldap
>         groups) to a ROLE, such that a user assigned to the role will be
>         provisioned the corresponding resource entitlements.
>
>
>     Hi,
>     with Syncope you can assign external resource(s) to a role; this will
>
>      1. provision any user assigned to that role to the related
>     external resource(s) - if such resource(s) have a user mapping defined
>      2. provision such a role to the related external resource(s) - if
>     such resource(s) have a role mapping defined and support group
>     provisioning (currently only Active Directory, LDAP and possibly
>     scripted SQL)
>      3. (only for LDAP & Active Directory) maintain Syncope membership
>     (e.g. Syncope user is assigned to Syncope role) as external
>     membership (e.g. LDAP user is in LDAP group)
>
>     Coming to your question: could you please provide an example of
>     Syncope role mapped to several LDAP groups?
>     A role can be assigned to multiple external resource(s) and you
>     can of course define multiple LDAP resources using the same LDAP
>     connector instance, but I am not sure of what you are trying to
>     achieve.
>
>         Observation: a single resource entitlement can be synchronized
>         (reconciled) as a ROLE in Syncope and assigned to the user.
>
>         Corresponding feature in proprietary software -->
>         Oracle Identity Manager: Access Policy
>         IBM Tivoli Identity Manager: Provisioning Policy
>
>
>     Could you please clarify the use case you would like to replicate
>     with Syncope?
>
>     Regards.
>
-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/
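As an added example (not Syncope's own code and not from the thread), a small Python check for the layout suggested above: one Syncope role entitling seven LDAP groups. It compares the memberships the role should grant against a constructed LDIF-style snapshot and reports entitlements that were not provisioned as well as members of managed groups that no role justifies; the group names beyond svn_user and domain_user, the uids and the DNs are assumed placeholders.

```python
# Added example (not Syncope code): models the "7 LDAP groups <-> 1 Syncope
# role" layout from the thread and checks a constructed LDAP snapshot for drift.
from typing import Dict, Set

# Syncope role -> LDAP groups it provisions (one LDAP resource per group).
# Names other than svn_user and domain_user are placeholders.
ROLE_TO_GROUPS: Dict[str, Set[str]] = {
    "IDM Developers": {"svn_user", "domain_user", "grp3", "grp4", "grp5", "grp6", "grp7"},
}
# Only groups Syncope manages are judged; other LDAP groups are ignored.
MANAGED_GROUPS: Set[str] = set().union(*ROLE_TO_GROUPS.values())

# Constructed LDIF-style snapshot of LDAP group membership.
LDAP_SNAPSHOT = """\
dn: cn=svn_user,ou=groups,dc=example,dc=org
member: uid=mbaid,ou=people,dc=example,dc=org
member: uid=orphan,ou=people,dc=example,dc=org

dn: cn=domain_user,ou=groups,dc=example,dc=org
member: uid=mbaid,ou=people,dc=example,dc=org

dn: cn=wiki_admins,ou=groups,dc=example,dc=org
member: uid=mbaid,ou=people,dc=example,dc=org
"""

def parse_groups(ldif: str) -> Dict[str, Set[str]]:
    """Return group cn -> set of member uids from an LDIF-style dump."""
    groups, current = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: cn="):
            current = line[len("dn: cn="):].split(",", 1)[0]
            groups[current] = set()
        elif line.startswith("member: uid=") and current is not None:
            groups[current].add(line[len("member: uid="):].split(",", 1)[0])
    return groups

def drift(user_roles: Dict[str, Set[str]],
          ldap_groups: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per uid: managed groups 'missing' in LDAP and 'extra' ones held."""
    expected = {uid: set().union(*(ROLE_TO_GROUPS.get(r, set()) for r in roles))
                for uid, roles in user_roles.items()}
    actual: Dict[str, Set[str]] = {}
    for group, members in ldap_groups.items():
        if group in MANAGED_GROUPS:
            for uid in members:
                actual.setdefault(uid, set()).add(group)
    report = {}
    for uid in set(expected) | set(actual):
        exp, act = expected.get(uid, set()), actual.get(uid, set())
        if exp != act:
            report[uid] = {"missing": exp - act, "extra": act - exp}
    return report
```

Running `drift({"mbaid": {"IDM Developers"}}, parse_groups(LDAP_SNAPSHOT))` flags the five groups the role entitles but LDAP lacks, plus the orphan member of svn_user; the unmanaged wiki_admins group is ignored.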


Re: Provisioning multiple external resource entitlements (ex. ldap groups) on a role assignment

Posted by Manish Baid <mm...@gmail.com>.
Hi Ilgrosso,
Use Case is:

Organizational Role: "IDM Developers"
LDAP Groups: "svn_user", "domain_user"....5 more === Total 7 roles

ASK: Users who belong to the "IDM Developers" role should be automatically
provisioned to the above 7 LDAP groups.


As per my understanding, if I were to implement the above requirement in
Syncope, I will have to:

a) reconcile LDAP groups into Syncope, where they would be established as roles
with the LDAP resource

b) the user will then have to request all those 7 roles



Please let me know if I am missing anything or there is a better way to get
it done.

Also, can you please point me to some documentation which explains
"Role templates" and how to use them.

Thanks


On Wed, Nov 19, 2014 at 11:45 PM, Francesco Chicchiriccò <
ilgrosso@apache.org> wrote:

> On 19/11/2014 21:08, Manish Baid wrote:
>
>> Hello,
>> We are evaluating Syncope to be our provisioning engine. I could not find
>> a way to achieve the following MUST HAVE requirement in our project:
>>
>> Associate MULTIPLE target resource entitlements (ex. ldap groups) to a
>> ROLE, such that a user assigned to the role will be provisioned the corresponding
>> resource entitlements.
>>
>
> Hi,
> with Syncope you can assign external resource(s) to a role; this will
>
>  1. provision any user assigned to that role to the related external
> resource(s) - if such resource(s) have a user mapping defined
>  2. provision such a role to the related external resource(s) - if such
> resource(s) have a role mapping defined and support group provisioning
> (currently only Active Directory, LDAP and possibly scripted SQL)
>  3. (only for LDAP & Active Directory) maintain Syncope membership (e.g.
> Syncope user is assigned to Syncope role) as external membership (e.g. LDAP
> user is in LDAP group)
>
> Coming to your question: could you please provide an example of Syncope
> role mapped to several LDAP groups?
> A role can be assigned to multiple external resource(s) and you can of
> course define multiple LDAP resources using the same LDAP connector
> instance, but I am not sure of what you are trying to achieve.
>
>> Observation: a single resource entitlement can be synchronized (reconciled)
>> as a ROLE in Syncope and assigned to the user.
>>
>> Corresponding feature in proprietary software -->
>> Oracle Identity Manager: Access Policy
>> IBM Tivoli Identity Manager: Provisioning Policy
>>
>
> Could you please clarify the use case you would like to replicate with
> Syncope?
>
> Regards.
>


-- 
Manish Baid
Security Architect, CISSP - ISSAP, ConfluxSys
Work: (510) 516 1115
Email: Manish.Baid@confluxsys.com
IM:   Google: mmbaid  |  Yahoo: baid_manish

Re: Provisioning multiple external resource entitlements (ex. ldap groups) on a role assignment

Posted by Francesco Chicchiriccò <il...@apache.org>.
On 19/11/2014 21:08, Manish Baid wrote:
> Hello,
> We are evaluating Syncope to be our provisioning engine. I could not 
> find a way to achieve the following MUST HAVE requirement in our project:
>
> Associate MULTIPLE target resource entitlements (ex. ldap groups) to a 
> ROLE, such that a user assigned to the role will be provisioned the 
> corresponding resource entitlements.

Hi,
with Syncope you can assign external resource(s) to a role; this will

  1. provision any user assigned to that role to the related external 
resource(s) - if such resource(s) have a user mapping defined
  2. provision such a role to the related external resource(s) - if such 
resource(s) have a role mapping defined and support group provisioning 
(currently only Active Directory, LDAP and possibly scripted SQL)
  3. (only for LDAP & Active Directory) maintain Syncope membership 
(e.g. Syncope user is assigned to Syncope role) as external membership 
(e.g. LDAP user is in LDAP group)

Coming to your question: could you please provide an example of Syncope 
role mapped to several LDAP groups?
A role can be assigned to multiple external resource(s) and you can of 
course define multiple LDAP resources using the same LDAP connector 
instance, but I am not sure of what you are trying to achieve.

> Observation: a single resource entitlement can be synchronized 
> (reconciled) as a ROLE in Syncope and assigned to the user.
>
> Corresponding feature in proprietary software -->
> Oracle Identity Manager: Access Policy
> IBM Tivoli Identity Manager: Provisioning Policy

Could you please clarify the use case you would like to replicate with 
Syncope?

Regards.

-- 
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/