Map external groups to internal authz roles
A user’s access to Advanced Identity Cloud is based on one or more authorization roles. Authorization roles are cumulative, and are calculated for a user in the following order:
- Roles set specifically in the user’s userRoles property
- Group roles: based on group membership in an external system
Group roles are controlled with the following properties in the authentication configuration:
- groupMembership: the property on the external system that represents group membership. In a DS directory server, that property is ldapGroups by default. In an Active Directory server, the property is memberOf by default. For example:
  "groupMembership" : "ldapGroups"
  The value of the groupMembership property must be the ICF property name defined in the provisioner file, rather than the property name on the external system. For more information on the attributes in connectors, refer to Connector objects and properties.
- groupRoleMapping: a mapping between an IDM role and a group on the external system. Setting this property ensures that if a user authenticates through pass-through authentication, they are given specific IDM roles depending on their membership in groups on the external system. In the following example, users who are members of the group cn=admins,ou=Groups,dc=example,dc=com are given the internal openidm-admin role when they authenticate:
  "groupRoleMapping" : { "internal/role/openidm-admin" : ["cn=admins,ou=Groups,dc=example,dc=com"] }
- groupComparisonMethod: the method used to check whether the authenticated user’s group membership matches one of the groups mapped to an IDM role (in the groupRoleMapping property). The groupComparisonMethod can be one of the following:
  - equals: a case-sensitive equality check
  - caseInsensitive: a case-insensitive equality check
  - ldap: a case-insensitive and whitespace-insensitive equality check. Because LDAP directories do not take case or whitespace into account in group DNs, you must set the groupComparisonMethod to ldap if you are using pass-through authentication with an LDAP directory.
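As an added example (not code from Advanced Identity Cloud or from this page), the following Python models how the three groupComparisonMethod values and a groupRoleMapping combine with a user's explicit userRoles to produce cumulative roles. The configuration fragment and user record are constructed, and the DN normalization is a simplified assumption, not IDM's actual implementation.

```python
import json

# Constructed authentication configuration, modelled on the page's examples.
AUTH_CONFIG = json.loads("""
{
  "groupMembership": "ldapGroups",
  "groupComparisonMethod": "ldap",
  "groupRoleMapping": {
    "internal/role/openidm-admin": ["cn=admins,ou=Groups,dc=example,dc=com"],
    "internal/role/openidm-authorized": ["cn=users,ou=Groups,dc=example,dc=com"]
  }
}
""")

# Constructed user as returned by pass-through authentication. The DN uses
# different case and extra whitespace from the mapped group on purpose.
SAMPLE_USER = {
    "userRoles": ["internal/role/openidm-authorized"],
    "ldapGroups": ["CN=Admins, OU=Groups, DC=example, DC=com"],
}


def _normalize_ldap_dn(dn: str) -> str:
    # Simplified normalization (assumption): lower-case every RDN and drop the
    # whitespace around commas and '='; escaped separators are not handled.
    rdns = [r.strip() for r in dn.split(",")]
    return ",".join("=".join(p.strip() for p in r.split("=", 1)).lower() for r in rdns)


def groups_match(user_group: str, mapped_group: str, method: str) -> bool:
    """Apply one of the three groupComparisonMethod values from the page."""
    if method == "equals":
        return user_group == mapped_group
    if method == "caseInsensitive":
        return user_group.lower() == mapped_group.lower()
    if method == "ldap":
        return _normalize_ldap_dn(user_group) == _normalize_ldap_dn(mapped_group)
    raise ValueError(f"unknown groupComparisonMethod: {method}")


def group_roles(user: dict, config: dict) -> list:
    """Internal roles earned through membership in mapped external groups."""
    method = config["groupComparisonMethod"]
    member_of = user.get(config["groupMembership"], [])
    return [role for role, groups in config["groupRoleMapping"].items()
            if any(groups_match(u, g, method) for u in member_of for g in groups)]


def effective_roles(user: dict, config: dict) -> list:
    """Roles are cumulative: explicit userRoles first, then group roles."""
    roles = list(user.get("userRoles", []))
    roles += [r for r in group_roles(user, config) if r not in roles]
    return roles
```

Switching the constructed configuration to "equals" or "caseInsensitive" drops the admin role for this user, which is the failure mode the page warns about when an LDAP directory returns DNs with differing case or whitespace.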
To control access to external systems, use provisioning roles and assignments, as described in Use assignments to provision users.