Provisioning Groups, Memberships, and Permissions to LDAP


1 Provisioning Groups, Memberships, and Permissions to LDAP


3 Provisioning Objectives
Groups, memberships, and/or permissions
Custom group attributes too
Flexible presentation in LDAP
Incremental update each polling cycle
But not …
  Mapping Grouper group access privileges to LDAP
  Custom group list fields
Distributed Access Management CAMP

4 Selecting Groups & Memberships for Provisioning
Select by stem, group attribute, modify time
Multiple selections are unioned together
Limited by the access privileges of the Subject the provisioning connector is running as

5 Selecting Permissions for Provisioning
All active
All active with identified permission characteristics
  Limits, functions, subsystems
Selection requirements remain to be explored

6 Finding the LDAP Entry of a Subject
For each Subject Source, declare
  A subject attribute
  An LDAP search using that attribute

7 Provisioning Groups
“Flat” or “bushy”
Subject attribute-valued membership attribute
  hasMember from eduMember objectclass
DN-valued membership attribute
  member or uniqueMember, commonly
Map of Grouper group attributes to LDAP group attributes
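The two slides above (finding a Subject's LDAP entry, and rendering a group as flat or bushy with either a subject-attribute-valued or a DN-valued membership attribute) are shown together in the following added example. It is not code from the slides or from any Grouper connector; the subject source configuration, the object class lists, the attribute map and the sample directory data are all assumptions made for the example. The point a practitioner should take from it is that the subject identifier is escaped before it is spliced into the declared search filter, that Grouper name components are escaped before they become RDN values, and that a subject whose entry cannot be found is reported rather than silently dropped from a DN-valued group.

```python
"""Added example: render a Grouper group as an LDAP entry under the flat/bushy
and subject-attribute/DN-valued membership choices. All configuration and
sample data below are assumptions for this example, not Grouper's own."""

# RFC 4515: characters that must be escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# RFC 4514: characters that must be escaped inside an RDN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a subject identifier before it is spliced into the declared
    search filter, so a value such as 'x)(uid=*' cannot widen the search."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def subject_search_filter(source: dict, subject_id: str) -> str:
    """Filter for one Subject Source: the declared subject attribute must equal the id."""
    return "(&(objectClass={})({}={}))".format(
        source["object_class"], source["subject_attribute"], escape_filter_value(subject_id))


def escape_rdn_value(value: str) -> str:
    """Escape a Grouper name component for use as an RDN value."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if out[:1] in (" ", "#"):          # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):              # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def group_dn(group_name: str, base_dn: str, layout: str) -> str:
    """Flat: cn=<full Grouper name> directly under base_dn.
    Bushy: each stem becomes an ou= level and the leaf is cn=<extension>."""
    parts = group_name.split(":")
    if layout == "flat":
        rdns = [f"cn={escape_rdn_value(group_name)}"]
    elif layout == "bushy":
        rdns = [f"cn={escape_rdn_value(parts[-1])}"]
        rdns += [f"ou={escape_rdn_value(stem)}" for stem in reversed(parts[:-1])]
    else:
        raise ValueError(f"unknown layout {layout!r}")
    return ",".join(rdns + [base_dn])


def build_group_entry(group: dict, members: list, subject_dns: dict, cfg: dict) -> tuple:
    """Return (dn, attributes, unresolved) for one Grouper group.

    cfg["membership"] == "subject": hasMember carries the subject attribute value (eduMember).
    cfg["membership"] == "dn":      member carries the subject's entry DN; a subject whose
                                    LDAP entry was not found is reported, not silently dropped.
    """
    dn = group_dn(group["name"], cfg["base_dn"], cfg["layout"])
    attrs = {"objectClass": list(cfg["object_classes"])}
    # Map selected Grouper group attributes (custom ones included) onto LDAP attributes.
    for grouper_attr, ldap_attr in cfg["attribute_map"].items():
        if group.get(grouper_attr):
            attrs[ldap_attr] = [group[grouper_attr]]
    unresolved = []
    if cfg["membership"] == "subject":
        attrs["hasMember"] = sorted(members)
    else:
        found = [subject_dns[m] for m in members if m in subject_dns]
        unresolved = sorted(m for m in members if m not in subject_dns)
        if found:
            attrs["member"] = sorted(found)
        # groupOfNames requires at least one member value, so a group with no
        # resolvable members cannot be represented in this style at all.
    return dn, attrs, unresolved


# Constructed sample data: one Grouper group and what the subject searches returned.
SOURCE = {"object_class": "inetOrgPerson", "subject_attribute": "uid"}
GROUP = {"name": "apps:finance:fin-approvers", "description": "Finance approvers"}
MEMBERS = ["alice", "bob", "carol"]
SUBJECT_DNS = {"alice": "uid=alice,ou=people,dc=example,dc=edu",
               "bob": "uid=bob,ou=people,dc=example,dc=edu"}   # carol has no entry
BASE = "ou=groups,dc=example,dc=edu"
# Object class lists are placeholders; the real ones depend on the local schema.
FLAT_SUBJECT = {"base_dn": BASE, "layout": "flat", "membership": "subject",
                "object_classes": ["top", "eduMember"], "attribute_map": {"description": "description"}}
BUSHY_DN = {"base_dn": BASE, "layout": "bushy", "membership": "dn",
            "object_classes": ["top", "groupOfNames"], "attribute_map": {"description": "description"}}

if __name__ == "__main__":
    print(subject_search_filter(SOURCE, "alice"))
    for cfg in (FLAT_SUBJECT, BUSHY_DN):
        print(build_group_entry(GROUP, MEMBERS, SUBJECT_DNS, cfg))
```

Run stand-alone, it prints the search filter for one subject and the flat/hasMember and bushy/member renderings of the same group, with `carol` listed as unresolved in the DN-valued form.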

8 Provisioning Permissions
“String” style
“eduPermission” style

9 Permission as String
eduPersonEntitlement: urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approver-limit:ge-cc-app-app-approve
<Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit>
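An added example of parsing and rebuilding the string-style permission shown above; it is not code from the slides, Grouper or Signet. The prefix on the slide contains colons of its own, so a naive split on `:` gives nine tokens rather than six fields. The parser below therefore anchors on the configured prefix and requires the remainder to split into exactly five non-empty fields, rejecting anything else instead of guessing, which is what a relying application should do before it treats a value as a grant. The prefix constant is taken from the slide's example value; the other entitlement strings are constructed for the example.

```python
"""Added example: strict parse/format of <Prefix>:<SubSystem>:<PermissionId>:<Scope>:<LimitId>:<Limit>.
The prefix is taken from the slide; sample values other than that one are constructed."""

from typing import NamedTuple, Optional

PREFIX = "urn:mace:uchicago.edu:permission"   # from the slide's example value
FIELD_COUNT = 5                                # SubSystem, PermissionId, Scope, LimitId, Limit


class Permission(NamedTuple):
    subsystem: str
    permission_id: str
    scope: str
    limit_id: str
    limit: str

    def to_entitlement(self, prefix: str = PREFIX) -> str:
        """Render back to the string form carried in eduPersonEntitlement."""
        return ":".join((prefix,) + tuple(self))


def parse_entitlement(value: str, prefix: str = PREFIX) -> Optional[Permission]:
    """Return a Permission, or None when the value is not a well-formed permission
    string under this prefix (other namespace, wrong field count, or an empty field)."""
    head = prefix + ":"
    if not value.startswith(head):
        return None
    # Only the prefix may contain ':'; the remainder must be exactly five fields.
    fields = value[len(head):].split(":")
    if len(fields) != FIELD_COUNT or any(f == "" for f in fields):
        return None
    return Permission(*fields)


def classify_entitlements(values, prefix: str = PREFIX) -> tuple:
    """Split a subject's eduPersonEntitlement values into (accepted, rejected).
    Rejected values are kept so they can be logged rather than silently ignored."""
    accepted, rejected = [], []
    for v in values:
        p = parse_entitlement(v, prefix)
        (accepted if p is not None else rejected).append(p if p is not None else v)
    return accepted, rejected


def has_permission(values, subsystem: str, permission_id: str, scope: str, prefix: str = PREFIX) -> bool:
    """True only if a well-formed value grants (subsystem, permission_id) at scope."""
    accepted, _ = classify_entitlements(values, prefix)
    return any(p.subsystem == subsystem and p.permission_id == permission_id and p.scope == scope
               for p in accepted)


# Constructed sample: the slide's value plus three values a relying party must not accept.
SAMPLE_VALUES = [
    "urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC:fin-approver-limit:ge-cc-app-app-approve",
    "urn:mace:dir:entitlement:common-lib-terms",                               # another namespace
    "urn:mace:uchicago.edu:permission:approvalTool:fin-approver:UofC",         # too few fields
    "urn:mace:uchicago.edu:permission:approvalTool:fin-approver::limit:value",  # empty scope
]

if __name__ == "__main__":
    ok, bad = classify_entitlements(SAMPLE_VALUES)
    print("accepted:", ok)
    print("rejected:", bad)
    print(has_permission(SAMPLE_VALUES, "approvalTool", "fin-approver", "UofC"))
```

The round trip `parse_entitlement(v).to_entitlement() == v` holds for every accepted value, which makes the parser safe to use on both the provisioning side (building the string) and the consuming side (checking it).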

10 De-Provisioning
All groups in a given OU (flat) or subtree (bushy) must be “owned” by a single instance of the LDAP provisioner
“Multiple cooks problem” is not an issue for memberships or permissions
If only Grouper & Signet gave notification of changes…
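The single-owner rule above exists because de-provisioning is a reconcile: whatever group entries sit in the owned OU (flat) or subtree (bushy) but are no longer in the current selection get deleted. The added example below (not code from the slides or any Grouper connector) shows that reconcile with the two guards a practitioner would want: entries outside the owned base, and ou= containers inside it, are never candidates, and a polling cycle whose selection is empty or would delete more than a configurable fraction of the owned groups is held back rather than executed, since a shrunken selection is far more often a privilege or filter problem on the connector's Subject than a genuine mass removal. The directory listing, selection and threshold are constructed for the example.

```python
"""Added example: plan the de-provisioning step for one provisioner instance.
DNs are compared case-insensitively as strings, which assumes the directory
returns them in canonical form. Sample data is constructed."""

import re

_RDN_SPLIT = re.compile(r"(?<!\\),")   # split a DN on commas that are not escaped


def is_owned_group(dn: str, owned_base: str, layout: str) -> bool:
    """True if dn is a group entry this instance owns: it sits under the owned
    base, is a cn= entry (not an ou= container), and in flat layout is a direct child."""
    base, d = owned_base.lower(), dn.lower()
    if not d.endswith("," + base):
        return False
    rdns = _RDN_SPLIT.split(d[: -len(base) - 1])
    if not rdns[0].startswith("cn="):
        return False
    return len(rdns) == 1 if layout == "flat" else True


def plan_deprovisioning(selected_dns, existing_dns, owned_base: str, layout: str,
                        max_delete_fraction: float = 0.5) -> dict:
    """Return {"delete": [...], "held": reason-or-None}.

    Entries outside the owned OU/subtree are never touched: they belong to another
    provisioner instance or to something else entirely. An empty selection deletes
    nothing, and a run that would remove more than max_delete_fraction of the owned
    groups is held for a human to confirm."""
    selected = {dn.lower() for dn in selected_dns}
    owned = [dn for dn in existing_dns if is_owned_group(dn, owned_base, layout)]
    if not selected:
        return {"delete": [], "held": "selection is empty; refusing to delete all owned groups"}
    stale = sorted(dn for dn in owned if dn.lower() not in selected)
    if owned and len(stale) / len(owned) > max_delete_fraction:
        return {"delete": [], "held": f"{len(stale)} of {len(owned)} owned groups would be deleted"}
    return {"delete": stale, "held": None}


# Constructed sample directory: a bushy subtree plus one entry outside the owned base.
OWNED_BASE = "ou=groups,dc=example,dc=edu"
EXISTING_BUSHY = [
    "cn=fin-approvers,ou=finance,ou=apps,ou=groups,dc=example,dc=edu",
    "cn=fin-viewers,ou=finance,ou=apps,ou=groups,dc=example,dc=edu",
    "cn=old-team,ou=apps,ou=groups,dc=example,dc=edu",
    "ou=apps,ou=groups,dc=example,dc=edu",              # container, never deleted here
    "cn=legacy,ou=legacy-groups,dc=example,dc=edu",     # outside the owned base
]
EXISTING_FLAT = [
    "cn=apps:finance:fin-approvers,ou=groups,dc=example,dc=edu",
    "cn=apps:old-team,ou=groups,dc=example,dc=edu",
]

if __name__ == "__main__":
    print(plan_deprovisioning(EXISTING_BUSHY[:2], EXISTING_BUSHY, OWNED_BASE, "bushy"))
    print(plan_deprovisioning(EXISTING_BUSHY[:1], EXISTING_BUSHY, OWNED_BASE, "bushy"))
    print(plan_deprovisioning([], EXISTING_BUSHY, OWNED_BASE, "bushy"))
    print(plan_deprovisioning(EXISTING_FLAT[:1], EXISTING_FLAT, OWNED_BASE, "flat"))
```

With the first two bushy groups still selected, only `cn=old-team` is planned for deletion; with only one selected, two of three owned groups would go, so the run is held; an empty selection is held outright. The flat variant shows that an entry nested under an ou= inside the base is not considered owned by a flat-layout instance.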
