Hi Ilgrasso, Use Case is: Organizational Role: "IDM Developers" LDAP Groups: "svn_user", "domain_user"....5 more === Total 7 roles
ASK: User who belong to "IDM Developers" role should be automatically provisioned to above 7 LDAP groups. As per my understanding, if I were to implement above requirement in Syncope, I will have to: a) reconcile LDAP groups into Syncope which would be established as role with LDAP resource b) User will have to then request for all those 7 roles Please let me know if I am missing anything or there is better way to get it done. Also, can you please point me to some documentation which explains about "Role template" and how to use them. Thanks On Wed, Nov 19, 2014 at 11:45 PM, Francesco Chicchiriccò < [email protected]> wrote: > On 19/11/2014 21:08, Manish Baid wrote: > >> Hello, >> We are evaluating Syncope to be our provisioning engine, I could not find >> a way to achieve following MUST HAVE requirement in our project: >> >> Associate MULTIPLE target resource entitlements (ex. ldap groups) to a >> ROLE: such that user assigned to the role will be provisioned corresponding >> resource entitlements. >> > > Hi, > with Syncope you can assign external resource(s) to a role; this will > > 1. provision any user assigned to that role to the related external > resource(s) - if such resource(s) have user mapping defined > 2. provision such role to the related external resource(s) - if such > resource(s) have role mapping defined and support group provisioning > (currently only Active Directory, LDAP and possibly scripted SQL) > 3. (only for LDAP & Active Directory) maintain Syncope membership (e.g. > Syncope user is assigned to Syncope role) to external membership (e.g. LDAP > user is in LDAP group) > > Coming to your question: could you please provide an example of Syncope > role mapped to several LDAP groups? > A role can be assigned to multiple external resource(s) and you can of > course define multiple LDAP resources using the same LDAP connector > instance, but I am not sure of what you are trying to achieve. > > Observation: Single Resource entitlement can be synchronized (reconciled) >> as ROLE in syncope and assigned to the user. >> >> Corresponding feature in proprietory software --> >> Oralce Identity Manager: Access Policy >> IBM Tivoli Identity Manager: Provisioning Policy >> > > Could you please clarify the use case you would like to replicate with > Syncope? > > Regards. > > -- > Francesco Chicchiriccò > > Tirasa - Open Source Excellence > http://www.tirasa.net/ > > Involved at The Apache Software Foundation: > member, Syncope PMC chair, Cocoon PMC, Olingo PMC > http://people.apache.org/~ilgrosso/ > > > -- Manish Baid Security Architect, CISSP - ISSAP, ConfluxSys Work: (510) 516 1115 Email: [email protected] IM: Google: mmbaid | Yahoo: baid_manish
