Use Groups to Control Access to IDM

A user's access to IDM is based on one or more authorization roles. Authorization roles are cumulative, and are calculated for a user in the following order:

  1. Roles set specifically in the user's userRoles property

  2. Group roles—based on group membership in an external system

    Group roles are controlled with the following properties in the ${authConfig}:

    • groupMembership: the property on the external system that represents group membership. In a DS directory server, that property is ldapGroups by default. In an Active Directory server, the property is memberOf by default. For example:

      "groupMembership" : "ldapGroups"

      Note that the value of the groupMembership property must be the ICF property name defined in the provisioner file, rather than the property name on the external system.

    • groupRoleMapping: a mapping between an IDM role and a group on the external system. Setting this property ensures that if a user authenticates through pass-through authentication, they are given specific IDM roles depending on their membership in groups on the external system. In the following example, users who are members of the group cn=admins,ou=Groups,dc=example,dc=com are given the internal openidm-admin role when they authenticate:

      "groupRoleMapping" : {
          "internal/role/openidm-admin" : ["cn=admins,ou=Groups,dc=example,dc=com"]
      }
    • groupComparisonMethod: the method used to check whether the authenticated user's group membership matches one of the groups mapped to an IDM role (in the groupRoleMapping property).

      The groupComparisonMethod can be one of the following:

      • equals: a case-sensitive equality check

      • caseInsensitive: a case-insensitive equality check

      • ldap: a case-insensitive and whitespace-insensitive equality check. Because LDAP directories do not take case or whitespace into account in group DNs, you must set the groupComparisonMethod if you are using pass-through authentication with an LDAP directory.

Note

To control access to external systems, use provisioning roles and assignments, as described in "Use Assignments to Provision Users".

Read a different version of :