0 votes

I am trying to see if I can implement this in Adaxes somehow to support role-based provisioning to external apps (using appropriate Powershell scripts) but struggling to work out how to implement chages properly.

I create a container - e,g Roles - and then create gropus below this to represent each role, These in turn contain sub-groups to represent application access and further sub-gropus for the permissions within each app.

e.g.

OU=Roles

|_Role 1 |_Application A |_Permission A1 |_Permission A2 |_Permission A3 |_Application B |_Permission B1 |_Permission B2 |_Application C |_Permission C1 |_Role 2 |_Application A |_Permission A2 |_Application B |_Permission B2 |_Permission B3

Assuming that I have suitable AIPs then when a user is added to a Role group I can use a business role triggered by a change in group membership to initiate workflow to call application provisioning APIs to create accounts in each of the applications with the associated permission sets.

However, if a user changes role in the organisation I need to be apply 'delta' changes to the provisioning rather than completely deprovisioning application accounts and then recreating them.

So in the case above, if a user changes role from Role 1 to Role 2 I need to be able to determine that the resultant api calls are to:

  • Remove Permissions A1 and A3 from Application A
  • Remove Permission B1 from Application B and add Permission B3
  • Deprovision from Application C

However, I am struggling to work out if itwould be possible/practical to be able implement this model in Adaxes or whether I need to invest in a full-blown role-based provisioning platform (would rather not!).

by (310 points)

1 Answer

0 votes
by (216k points)

Hello Bernie,

Do we understand correctly that in your model the permission groups (e.g. Permission A1, Permission A2 and Permission A3) will be members of a relevant application group (e.g. Application A), which will be a member of role groups (e.g. Role 1 and Role 2)? If we do, it will be impossible to distinguish the permissions over Application A in Role 1 from the ones in Role 2 because the Application A group will have the same membership for the both role groups. We would suggest you to use separate application groups whose membership should correspond to the relevant roles (e.g. Application A R1 with groups Permission A1/2/3 as members for Role 1 and Application A R2 with Permission A2 member for Role 2) to distinguish the permissions. Then you could use a PowerShell script to perform only necessary updates. The script should determine differences between the role group memberships (including indirect) and perform only the necessary changes. If the approach meets your needs, for an example of membership comparison, please, have a look at the last script in the following article from our repository: https://www.adaxes.com/script-repository/copy-group-membership-s32.htm. Should you have any difficulties writing the script, we will help you.

0

Hi support and thanks for your response.

To clarify, permissions will be specific to apps so permission A'n' will only exist within Application A.

However, role to application relationship is many-to-many.

My idea was that when processing a 'remove from role X' operation, the logic would iterate through the applications and permissions that this role provides (by traversing the app/permission sub-groups) and see if (first) the same application is also granted by another role membership - and if so iterate through the permissions to make the same check.

At the end of this process it would then be possible to build a 'delta' command to request de-provisioning at the permission or application level as appropriate.

(I was deliberately choosing to duplicate the RDNs of the applications to make it easier to search the directory and make the model more human-readable but I guess it could be done in another way).

Many thanks Bernie

Related questions

0 votes
1 answer

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they ... about keeping a record of the leavers configured profile to simplify cloning them onto new starters.

asked Jun 24 by dhardyuk (20 points)
0 votes
1 answer

The checkbox is not selected (False) by default.

asked May 30, 2022 by john.harding (70 points)
0 votes
1 answer

I need to send an e-mail to the owner ("managed by") for each group. The e-mail should contain a list of group members. What is the best way to do that?

asked May 9 by akindy (40 points)
0 votes
1 answer

I have tried it using the Custom Commands Action "Add the user to a group", which only allows me to add the user to one group at a time, and can't use the multiple DNs that the ... I can't get it to work. Could you assist me in finding the best way to do this?

asked Jan 16 by dominik.stawny (280 points)
0 votes
1 answer

This is for license purposes and we do not want them visible in the Adaxes portal.

asked Oct 22, 2021 by jfrederickwl (20 points)
3,588 questions
3,277 answers
8,303 comments
548,082 users