Use Roles to Control Access to External Systems

Role-Based Access Control (RBAC) governs access to external systems, based on one or more provisioning roles. Provisioning roles can be granted to users in a number of ways. Provisioning roles are cumulative, and are calculated for a user object in the following order:

  1. Roles set specifically in the user's userRoles property

  2. Group roles—based on group membership in the external system

    Group roles are controlled with the following properties in the authentication configuration:

    • groupMembership: the property on the external system that represents group membership. In a DS directory server, that property is ldapGroups by default. In an Active Directory server, the property is memberOf by default. For example:

      "groupMembership" : "ldapGroups"

      Note that the value of the groupMembership property must be the ICF property name defined in the provisioner file, rather than the property name on the external system.

    • groupRoleMapping: a mapping between an IDM role and a group on the external system. Setting this property ensures that if a user authenticates through pass-through authentication, they are given specific IDM roles depending on their membership in groups on the external system. In the following example, users who are members of the group cn=admins,ou=Groups,dc=example,dc=com are given the internal openidm-admin role when they authenticate:

      "groupRoleMapping" : {
          "internal/role/openidm-admin" : ["cn=admins,ou=Groups,dc=example,dc=com"]
      }

    • groupComparisonMethod: the method used to check whether the authenticated user's group membership matches one of the groups mapped to an IDM role (in the groupRoleMapping property).

      The groupComparisonMethod can be one of the following:

      • equals: a case-sensitive equality check

      • caseInsensitive: a case-insensitive equality check

      • ldap: a case-insensitive and whitespace-insensitive equality check. Because LDAP directories do not take case or whitespace into account when comparing group DNs, the DN returned by the directory may differ from the DN in groupRoleMapping in case or spacing, and an equals or caseInsensitive comparison would then silently fail to grant the role. If you are using pass-through authentication with an LDAP directory, set groupComparisonMethod to ldap.
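The following Python is an added illustration, not code from IDM itself, of how the three properties above combine when group roles are calculated. It embeds a constructed authentication-module fragment (the module name, the second role mapping and the group DNs are invented for the example), applies the groupComparisonMethod to the attribute named by groupMembership on a user record as a connector would return it, and shows why ldap is the only method that survives the case and whitespace differences a directory may introduce. The DN normalisation is a deliberate simplification of LDAP DN matching, not IDM's implementation.

```python
"""Model the group-role mapping step of pass-through authentication.

Constructed example: the configuration, user records and DN
normalisation below are assumptions for illustration, not IDM code.
"""
import copy
import re

# Constructed authentication-module fragment. Only the three properties
# this page describes are modelled; groupMembership names the ICF
# property from the provisioner file, not the LDAP attribute itself.
AUTH_CONFIG = {
    "name": "PASSTHROUGH_MODULE",          # assumed module name
    "properties": {
        "groupMembership": "ldapGroups",
        "groupRoleMapping": {
            "internal/role/openidm-admin": [
                "cn=admins,ou=Groups,dc=example,dc=com"],
            "internal/role/openidm-authorized": [      # assumed mapping
                "cn=users,ou=Groups,dc=example,dc=com"],
        },
        "groupComparisonMethod": "ldap",
    },
}

# Constructed user records as a connector might return them. The first
# carries a DN whose case and spacing differ from the mapping; the third
# exposes group membership under memberOf, which this config does not read.
USER_ADMIN = {"uid": "bjensen",
              "ldapGroups": ["CN=Admins, OU=Groups, DC=example, DC=com"]}
USER_PLAIN = {"uid": "scarter",
              "ldapGroups": ["cn=users,ou=Groups,dc=example,dc=com"]}
USER_AD_ATTR = {"uid": "kvaughan",
                "memberOf": ["cn=admins,ou=Groups,dc=example,dc=com"]}


def _normalize_ldap(dn: str) -> str:
    """Assumed simplification of DN matching: lower-case the DN and drop
    whitespace around the '=' and ',' separators. Real LDAP DN matching
    (RFC 4517) also handles escaping and attribute-type syntaxes."""
    return re.sub(r"\s*([=,])\s*", r"\1", dn.strip()).lower()


COMPARATORS = {
    "equals": lambda a, b: a == b,
    "caseInsensitive": lambda a, b: a.lower() == b.lower(),
    "ldap": lambda a, b: _normalize_ldap(a) == _normalize_ldap(b),
}


def group_roles(user_attrs: dict, config: dict) -> list:
    """Return the IDM roles granted by groupRoleMapping for this user."""
    props = config["properties"]
    method = props.get("groupComparisonMethod", "equals")
    if method not in COMPARATORS:
        raise ValueError(f"unknown groupComparisonMethod: {method!r}")
    same = COMPARATORS[method]

    # Read membership from the ICF property named by groupMembership.
    member_of = user_attrs.get(props["groupMembership"]) or []
    if isinstance(member_of, str):
        member_of = [member_of]

    granted = []
    for role, groups in props["groupRoleMapping"].items():
        if any(same(g, m) for g in groups for m in member_of):
            granted.append(role)
    return granted


def with_method(config: dict, method: str) -> dict:
    """Copy of config with a different groupComparisonMethod."""
    cfg = copy.deepcopy(config)
    cfg["properties"]["groupComparisonMethod"] = method
    return cfg


if __name__ == "__main__":
    for method in ("equals", "caseInsensitive", "ldap"):
        cfg = with_method(AUTH_CONFIG, method)
        for user in (USER_ADMIN, USER_PLAIN, USER_AD_ATTR):
            print(f"{method:16} {user['uid']:10} -> {group_roles(user, cfg)}")
```

Running the block shows that bjensen receives openidm-admin only under ldap, scarter receives openidm-authorized under every method because the DN matches exactly, and kvaughan receives nothing under any method because the configured groupMembership property (ldapGroups) is absent from the record, which is the failure you see when the ICF property name in the provisioner file and the authentication configuration disagree.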
