Provisioning Groups, Memberships, and Permissions to LDAP
Provisioning Objectives
- Groups, memberships, and/or permissions
- Custom group attributes too
- Flexible presentation in LDAP
- Incremental update each polling cycle
- But not …
  - Mapping Grouper group access privileges to LDAP
  - Custom group list fields
Distributed Access Management CAMP
Selecting Groups & Memberships for Provisioning
- Select by stem, group attribute, modify time
- Multiple selections are unioned together
- Limited by the access privileges of the Subject the provisioning connector is running as
Selecting Permissions for Provisioning
- All active
- All active with identified permission characteristics
  - Limits, functions, subsystems
- Selection requirements remain to be explored
Finding the LDAP Entry of a Subject
- For each Subject Source, declare
  - A subject attribute
  - An LDAP search using that attribute
Provisioning Groups
- “Flat” or “bushy”
- Subject attribute-valued membership attribute
  - hasMember from eduMember objectclass
- DN-valued membership attribute
  - member or uniqueMember, commonly
- Map of Grouper group attributes to LDAP group attributes
Provisioning Permissions
- “String” style
- “eduPermission” style
Permission as String
- eduPersonEntitlement: urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approver-limit:ge-cc-app-app-approve
- <Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit>
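A parser and formatter for this string-style encoding, as an added example that is not from the CAMP slides or from Grouper/Signet. It assumes the prefix shown above (a deployment configures its own) and, because that prefix itself contains colons, matches it as a literal before splitting the remainder; values from other URN namespaces or with a wrong field count are rejected rather than guessed at.

```python
from dataclasses import dataclass
from typing import List, Optional

# Prefix taken from the example value on the slide; each deployment configures its own.
ENTITLEMENT_PREFIX = "urn:mace:uchicago.edu:permission"


@dataclass(frozen=True)
class Permission:
    subsystem: str
    permission_id: str
    scope: str
    limit_id: str
    limit: str


def parse_entitlement(value: str, prefix: str = ENTITLEMENT_PREFIX) -> Optional[Permission]:
    """Parse one eduPersonEntitlement value of the form
    <Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit>.
    Returns None for values outside this prefix or malformed ones, so
    unrelated entitlements on the same entry are ignored, not misparsed."""
    # The prefix contains colons, so match it literally before splitting the rest.
    if not value.startswith(prefix + ":"):
        return None
    fields = value[len(prefix) + 1:].split(":")
    # Exactly five non-empty fields; anything else is rejected.
    if len(fields) != 5 or any(f == "" for f in fields):
        return None
    return Permission(*fields)


def format_entitlement(p: Permission, prefix: str = ENTITLEMENT_PREFIX) -> str:
    """Inverse of parse_entitlement: the value a provisioner would write to LDAP."""
    parts = (p.subsystem, p.permission_id, p.scope, p.limit_id, p.limit)
    if any(part == "" or ":" in part for part in parts):
        raise ValueError("fields must be non-empty and must not contain ':'")
    return ":".join((prefix,) + parts)


def permissions_for_subsystem(values: List[str], subsystem: str,
                              prefix: str = ENTITLEMENT_PREFIX) -> List[Permission]:
    """What a relying application does: read the subject's eduPersonEntitlement
    values and keep only well-formed permissions belonging to its own subsystem."""
    parsed = (parse_entitlement(v, prefix) for v in values)
    return [p for p in parsed if p is not None and p.subsystem == subsystem]


# Constructed sample: the slide's value, an entitlement from another URN namespace,
# and a truncated value, as a multi-valued attribute on one entry might carry them.
SAMPLE_ENTITLEMENTS = [
    "urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approver-limit:ge-cc-app-app-approve",
    "urn:mace:dir:entitlement:common-lib-terms",
    "urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC",
]
```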
De-Provisioning
- All groups in a given OU (flat) or subtree (bushy) must be “owned” by a single instance of the LDAP provisioner
- “Multiple cooks problem” is not an issue for memberships or permissions
- If only Grouper & Signet gave notification of changes…