How can I implement a model to support role-based provisioning operations using AD groups as roles?

Question

I am trying to see if I can implement this in Adaxes somehow to support role-based provisioning to external apps (using appropriate Powershell scripts) but struggling to work out how to implement chages properly.

I create a container - e,g Roles - and then create gropus below this to represent each role, These in turn contain sub-groups to represent application access and further sub-gropus for the permissions within each app.

e.g.

OU=Roles

|_Role 1 |_Application A |_Permission A1 |_Permission A2 |_Permission A3 |_Application B |_Permission B1 |_Permission B2 |_Application C |_Permission C1 |_Role 2 |_Application A |_Permission A2 |_Application B |_Permission B2 |_Permission B3

Assuming that I have suitable AIPs then when a user is added to a Role group I can use a business role triggered by a change in group membership to initiate workflow to call application provisioning APIs to create accounts in each of the applications with the associated permission sets.

However, if a user changes role in the organisation I need to be apply 'delta' changes to the provisioning rather than completely deprovisioning application accounts and then recreating them.

So in the case above, if a user changes role from Role 1 to Role 2 I need to be able to determine that the resultant api calls are to:

• Remove Permissions A1 and A3 from Application A
• Remove Permission B1 from Application B and add Permission B3
• Deprovision from Application C

However, I am struggling to work out if itwould be possible/practical to be able implement this model in Adaxes or whether I need to invest in a full-blown role-based provisioning platform (would rather not!).

Answer 1

Hello Bernie,

Do we understand correctly that in your model the permission groups (e.g. Permission A1, Permission A2 and Permission A3) will be members of a relevant application group (e.g. Application A), which will be a member of role groups (e.g. Role 1 and Role 2)? If we do, it will be impossible to distinguish the permissions over Application A in Role 1 from the ones in Role 2 because the Application A group will have the same membership for the both role groups. We would suggest you to use separate application groups whose membership should correspond to the relevant roles (e.g. Application A R1 with groups Permission A1/2/3 as members for Role 1 and Application A R2 with Permission A2 member for Role 2) to distinguish the permissions. Then you could use a PowerShell script to perform only necessary updates. The script should determine differences between the role group memberships (including indirect) and perform only the necessary changes. If the approach meets your needs, for an example of membership comparison, please, have a look at the last script in the following article from our repository: https://www.adaxes.com/script-repository/copy-group-membership-s32.htm. Should you have any difficulties writing the script, we will help you.

Comments

Hi support and thanks for your response.

To clarify, permissions will be specific to apps so permission A'n' will only exist within Application A.

However, role to application relationship is many-to-many.

My idea was that when processing a 'remove from role X' operation, the logic would iterate through the applications and permissions that this role provides (by traversing the app/permission sub-groups) and see if (first) the same application is also granted by another role membership - and if so iterate through the permissions to make the same check.

At the end of this process it would then be possible to build a 'delta' command to request de-provisioning at the permission or application level as appropriate.

(I was deliberately choosing to duplicate the RDNs of the applications to make it easier to search the directory and make the model more human-readable but I guess it could be done in another way).

Many thanks Bernie