0 votes

I am trying to see if I can implement this in Adaxes somehow to support role-based provisioning to external apps (using appropriate PowerShell scripts) but struggling to work out how to implement changes properly.

I create a container - e.g. Roles - and then create groups below this to represent each role. These in turn contain sub-groups to represent application access and further sub-groups for the permissions within each app.

e.g.

OU=Roles
|_Role 1
  |_Application A
    |_Permission A1
    |_Permission A2
    |_Permission A3
  |_Application B
    |_Permission B1
    |_Permission B2
  |_Application C
    |_Permission C1
|_Role 2
  |_Application A
    |_Permission A2
  |_Application B
    |_Permission B2
    |_Permission B3

Assuming that I have suitable APIs, then when a user is added to a Role group I can use a business rule triggered by a change in group membership to initiate a workflow to call application provisioning APIs to create accounts in each of the applications with the associated permission sets.

However, if a user changes role in the organisation I need to be able to apply 'delta' changes to the provisioning rather than completely deprovisioning application accounts and then recreating them.

So in the case above, if a user changes role from Role 1 to Role 2 I need to be able to determine that the resultant API calls are to:

  • Remove Permissions A1 and A3 from Application A
  • Remove Permission B1 from Application B and add Permission B3
  • Deprovision from Application C

However, I am struggling to work out if it would be possible/practical to be able to implement this model in Adaxes or whether I need to invest in a full-blown role-based provisioning platform (would rather not!).

by (310 points)

1 Answer

0 votes
by (215k points)

Hello Bernie,

Do we understand correctly that in your model the permission groups (e.g. Permission A1, Permission A2 and Permission A3) will be members of a relevant application group (e.g. Application A), which will be a member of role groups (e.g. Role 1 and Role 2)? If we do, it will be impossible to distinguish the permissions over Application A in Role 1 from the ones in Role 2 because the Application A group will have the same membership for both role groups. We would suggest that you use separate application groups whose membership corresponds to the relevant roles (e.g. Application A R1 with groups Permission A1/2/3 as members for Role 1 and Application A R2 with Permission A2 as a member for Role 2) to distinguish the permissions. Then you could use a PowerShell script to perform only the necessary updates. The script should determine the differences between the role group memberships (including indirect) and perform only the necessary changes. If the approach meets your needs, for an example of membership comparison, please have a look at the last script in the following article from our repository: https://www.adaxes.com/script-repository/copy-group-membership-s32.htm. Should you have any difficulties writing the script, we will help you.

0

Hi support and thanks for your response.

To clarify, permissions will be specific to apps so permission A'n' will only exist within Application A.

However, role to application relationship is many-to-many.

My idea was that when processing a 'remove from role X' operation, the logic would iterate through the applications and permissions that this role provides (by traversing the app/permission sub-groups) and see if (first) the same application is also granted by another role membership - and if so iterate through the permissions to make the same check.

At the end of this process it would then be possible to build a 'delta' command to request de-provisioning at the permission or application level as appropriate.

(I was deliberately choosing to duplicate the RDNs of the applications to make it easier to search the directory and make the model more human-readable but I guess it could be done in another way).

Many thanks, Bernie
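The delta logic described in the question and in the comment above, as an added example that is not part of this thread and not an Adaxes script: it works on a constructed in-memory copy of the role tree instead of querying the directory, uses separate application sub-groups per role (so Application A can carry different permissions under Role 1 and Role 2), and handles the many-to-many case where another role still grants the same application.

```python
# Added example: provisioning delta for nested role -> application -> permission
# groups. The directory is replaced by a constructed nested dict so it runs
# offline. Each role owns its own application sub-groups (separate application
# groups per role), so one application can carry different permissions per role.
from collections import defaultdict

# Constructed stand-in for the OU=Roles tree in the question (not directory data).
ROLE_TREE = {
    "Role 1": {
        "Application A": {"Permission A1", "Permission A2", "Permission A3"},
        "Application B": {"Permission B1", "Permission B2"},
        "Application C": {"Permission C1"},
    },
    "Role 2": {
        "Application A": {"Permission A2"},
        "Application B": {"Permission B2", "Permission B3"},
    },
}


def effective_access(roles, tree=ROLE_TREE):
    """Union of all application permissions granted by the given roles.
    Many-to-many: an app stays provisioned while any remaining role grants it."""
    access = defaultdict(set)
    for role in roles:
        for app, perms in tree.get(role, {}).items():
            access[app] |= perms
    return dict(access)


def provisioning_delta(old_roles, new_roles, tree=ROLE_TREE):
    """Only the API calls needed to move from old_roles to new_roles.
    Actions: ("deprovision", app), ("provision", app, perms),
    ("remove", app, perms), ("add", app, perms); unchanged apps yield nothing."""
    before = effective_access(old_roles, tree)
    after = effective_access(new_roles, tree)
    actions = []
    for app in sorted(set(before) | set(after)):
        if app not in after:                      # no remaining role grants it
            actions.append(("deprovision", app))
        elif app not in before:                   # newly granted application
            actions.append(("provision", app, frozenset(after[app])))
        else:                                     # adjust permissions in place
            removed = before[app] - after[app]
            added = after[app] - before[app]
            if removed:
                actions.append(("remove", app, frozenset(removed)))
            if added:
                actions.append(("add", app, frozenset(added)))
    return actions
```

Calling provisioning_delta(["Role 1"], ["Role 2"]) yields exactly the three changes listed in the question; calling it with old_roles=["Role 1", "Role 2"] and new_roles=["Role 2"] keeps Application B's B3 and A2 because Role 2 still grants them.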
