Hi Philip,

glad of your interest in Apache Syncope.

On 21/06/21 10:08, Philip Brusten wrote:
Hi Syncope

we are evaluating Syncope to provision certain accounts to an OpenLDAP & AD directory service.

We managed to provision an account to OpenLDAP and populate a certain LDAP-attribute with the value of a privilege. The privileges are linked to a role and the user is assigned to that role.

This is all working fine, however we would like to add a start & end time constraint to such a role assignment. Well in fact we want the (privilege) attribute in OpenLDAP to be present for a certain amount of time (can be different for each user) and then be removed. How can we add this time constraint to Syncope (via a group or role or custom policy, etc)?

We would like to achieve the same thing for membership of Active Directory groups. We would like to make accounts temporarily a member of an AD group.

There are several options:

 * Group and membership attributes: do not use roles but only groups to
   define your privileges. Through the assignment of a group to a user,
   you can define membership attributes that indicate privileges, date
   of start and end of assignment [1].
 * User and AnyObject: use anyobjects to represent privileges. Each
   user can have one or more anyobjects assigned. In addition to the
   attributes that describe the privileges, the anyobject will also
   have a start and end date of assignment [2].
 * User and Role: you cannot define a start and end date inside a role.
   The only thing you can do is use a json type attribute (of the user)
   which models this information.

{"privilege": {
    "RoleA": { "start": "01-07-2021", "end": "01-07-2021" },
    "RoleB": { "start": "06-07-2021", "end": "01-08-2021" },
    "RoleC": { "start": "01-07-2021", "end": "01-12-2022" }
}}

For each option, you will need to implement a scheduled task that checks the assignment and removal of privileges based on the start or end date. In addition, it may also be necessary to implement a propagation action.

[1] https://syncope.apache.org/docs/2.1/reference-guide.html#users-groups-and-any-objects
[2] https://syncope.apache.org/docs/2.1/reference-guide.html#relationshiptype

Regards
M
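The scheduled task Marco mentions has to decide, per user and per run, which privileges fall inside their window today, which must be granted, and which must be revoked. The following is an added illustration (not Syncope code, and not part of the thread) of that decision logic over the JSON-typed attribute shown above, written in Python on the standard library only; the attribute text, the date layout dd-MM-yyyy and the `currently_granted` list standing in for what is presently on the directory are all constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample, shaped like the JSON-typed user attribute from the thread.
PRIVILEGE_ATTR = """{"privilege": {
  "RoleA": {"start": "01-07-2021", "end": "01-07-2021"},
  "RoleB": {"start": "06-07-2021", "end": "01-08-2021"},
  "RoleC": {"start": "01-07-2021", "end": "01-12-2022"}
}}"""

DATE_FMT = "%d-%m-%Y"  # dd-MM-yyyy, the layout assumed for the attribute above


def parse_date(text):
    """Parse a dd-MM-yyyy string into a date; raises ValueError on a bad layout."""
    return datetime.strptime(text, DATE_FMT).date()


def evaluate_privileges(attr_json, today_text, currently_granted):
    """Decide what the scheduled task should do for one user on a given day.

    Returns (to_grant, to_revoke, rejected):
      to_grant  - privileges whose window covers today but are not yet granted
      to_revoke - granted privileges whose window does not cover today
      rejected  - entries with a malformed or inverted window; never active
    Start and end are both inclusive, so RoleA's one-day window is active on
    01-07-2021 only. Anything granted on the target but absent from (or
    rejected in) the attribute is revoked, so stale grants are cleaned up too.
    """
    today = parse_date(today_text)
    entries = json.loads(attr_json).get("privilege", {})
    active, rejected = set(), []
    for name, window in entries.items():
        try:
            start = parse_date(window["start"])
            end = parse_date(window["end"])
        except (KeyError, TypeError, ValueError):
            rejected.append(name)  # unreadable window: fail closed
            continue
        if end < start:
            rejected.append(name)  # inverted window: fail closed, not open
            continue
        if start <= today <= end:
            active.add(name)
    granted = set(currently_granted)
    return sorted(active - granted), sorted(granted - active), rejected
```

Running the check with a date rather than relying on the task's wall clock keeps the logic testable, and treating an unparsable window as inactive means a typo in the attribute can only shorten access, never extend it.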


Thank you for the feedback & advice!

Philip

--
Dott. Marco Di Sabatino Di Diodoro
Tel. +39 3939065570

Tirasa S.r.l.
Viale Vittoria Colonna, 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net

Apache Syncope PMC Member
http://people.apache.org/~mdisabatino/
