Il 27/01/2016 14:57, Oleg Suslov ha scritto:
Hi again!
Ø*) You have to configure an HR resource with a custom connector (to
develop from scratch) based on, for example, the REST layer of the HR
system (if it has one).
Where I can read documentation/recommendation how to do it?
You could try following [1] and taking a look to
https://github.com/Tirasa/ConnId* repository to figure out how to write
a custom connector, BTW the first step is:
|
mvn archetype:generate \|
|||-DarchetypeGroupId=net.tirasa.connid \|
|||-DarchetypeArtifactId=connector-archetype \|
|||-DarchetypeRepository=|
|https://oss.sonatype.org/content/repositories/snapshots/ \|
|||-DarchetypeVersion=||1.4||.||3.0-SNAPSHOT|
and then, remember to add the below code to the generated pom.xml
<repositories>
<repository>
<id>sonatype</id>
<url>https://oss.sonatype.org/content/repositories/snapshots/</url>
<snapshots>
<enabled>true</enabled>
</snapshots>
</repository>
</repositories>
But write a new connector is NOT so simple for a newbie and I will not
recommend to do it. I suggest you to outsource [2] this kind of activities.
ØCan you provide more details about this requirement? Because I don't
understand which kind of grant you have to manage, anyway the idea is
to use the Syncope role to check the position and division.
For me permission – membership of AD group.
For example: for all PMs in IT department Syncope must grant
permission “Confluence user”, whih is membership of group
“g_confluence_users”. And this permission must be granted
automatically, without requests and approval.
In this example division is “IT department”, position – “project manager”.
To achieve this requirement you only have to configure the Active
Directory resource to manage also the AD group (mapped as Syncope roles)
and then you will have to configure the membership attributes or the
role attributes but without a detailed analysis I can't suggest you the
right way to achieve your requirement.
ØSyncope provides a complete and exhaustive tool to manage the reports
and the audit, but also in this case, I need more information. What do
you mean with access management process?
Access management process – process of create users accounts,
grant/revoke permission, lock accounts after employee leave company.
It cover full live circle user account and it permission.
We need reports:
ØWhen and why account was created
ØWhen and why account get permission (membership in AD groups)
ØWhen and why account was locked
Every requirement can be achieved configuring (or developing) a simple
report;
Audit:
ØAutomatic find unknown accounts in AD
ØAutomatic find not approved (in Syncope) permission (membership in AD
groups)
ØAutomatic find not locked accounts of fired users
Every requirements can be achieved configuring the audit tab provided by
the Syncope console.
ØBut, IMHO, I think you can already achieve every your requirements
with the 1.2 version and the actual documentation.
Ok ,we will try Syncope 1.2.7
great choice!
Massi
[1] https://connid.atlassian.net/wiki/display/BASE/Create+new+connector
[2] http://syncope.apache.org/professional-services.html
Best regards,
Oleg Suslov
Head of Audit and Control Information Systems Team
Information Security Department
Lamoda | Letnikovskaya 10, bldg. 5 | Moscow | Russia
+7(495) 640-80-65, Ext. 3241
+7(915) 022-84-82
Skype:oleg.suslov
www.lamoda.ru <http://www.lamoda.ru/>
Download our FREE App!
http://i59.tinypic.com/5n6q7n.jpg
<http://app.adjust.io/vsrgp5?deep_link=lamoda://ru&fallback=http://www.lamoda.ru/apps/?utm_source=nl&utm_medium=em&utm_campaign=external_mails>http://i59.tinypic.com/1608l75.jpg
<http://app.adjust.io/buqyv2?deep_link=lamoda://ru&fallback=http://www.lamoda.ru/apps/?utm_source=nl&utm_medium=em&utm_campaign=external_mails>
*From:*Massimiliano Perrone [mailto:[email protected]
<mailto:[email protected]>]
*Sent:* Wednesday, January 27, 2016 2:12 PM
*To:* [email protected] <mailto:[email protected]>
*Subject:* Re: best practice for typical middle range organisation
Hi Oleg,
thanks for your interesting mail.
Il 27/01/2016 09:12, Oleg Suslov ha scritto:
Hi All!
Is it possible to get best practice for typical middle range
organization?
It means:
·My organisation have about 5000 employees now
With this amount of users should be sufficient a single installation
mode to achieve your requirements with good performance, but if you
want also an high availability environment you need to install a cluster.
·Active Directory as a storage of authentication and authorization
information (Identity Store)
You only have to configure an Active Directory resource with the
Active Directory bundle [1] [2] to link the Syncope core with your AD.
·HR system (“1C”, Russian standard for HR systems)
Here two choices:
*) You have to configure an HR resource using the DB bundle [3];
*) You have to configure an HR resource with a custom connector (to
develop from scratch) based on, for example, the REST layer of the HR
system (if it has one).
I want to get more step by step recommendation, how to implement
Syncope as Provisioning Engine and Identity management.
At list:
·Automatic create accounts in Active Directory for new employees
You can still follow [2] to achieve your requirements.
·Automatic grant permission depending on the position and division of
employee
Can you provide more details about this requirement? Because I don't
understand which kind of grant you have to manage, anyway the idea is
to use the Syncope role to check the position and division.
·Approval process to grant additional permision
Maybe last ML discussion [4] could help you in this case. Remember to
read also [5].
·Audit & Report to find exception in access management process
Syncope provides a complete and exhaustive tool to manage the reports
and the audit, but also in this case, I need more information. What do
you mean with access management process?
One of my problem is documentation is not actual.
For example I read how to configure Active Directory resource
(https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+Active+Directory+resource),
but there is no “Resources tab” in my Syncope stand (version 2.0.0-M1).
You are right, because the 2.0.0-M1 release is NOT production ready.
We are working to close the last console issues and writing the
documentation to align the latter with the 2.0.0 release.
My suggestion is: the 2.0.0 release is a wonderful one because it has
several new features [6], so if you have time to wait the new release
and you need something provided by the 2.0.0 and not provided by the
1.2 you can wait.
But, IMHO, I think you can already achieve every your requirements
with the 1.2 version and the actual documentation.
Can someone help me, pls?
I hope I was helpful but, as I wrote above, I would like to have more
information about your requirements and your environment to be more
useful.
Regards,
Massi
[1] https://github.com/Tirasa/ConnIdADBundle
[2]
http://blog.tirasa.net/configure-active-directory-external-resource.html
[3] https://github.com/Tirasa/ConnIdDBBundle
[4] http://www.mail-archive.com/[email protected]/msg01363.html
[5] http://blog.tirasa.net/approval-process-syncope.html
[6]
http://syncope.tirasa.net/news/apache-syncope-2.0-resource-management.html
Best regards,
Oleg Suslov
Head of Audit and Control Information Systems Team
Information Security Department
Lamoda | Letnikovskaya 10, bldg. 5 | Moscow | Russia
+7(495) 640-80-65, Ext. 3241
+7(915) 022-84-82
Skype:oleg.suslov
www.lamoda.ru <http://www.lamoda.ru>
Download our FREE App!
http://i59.tinypic.com/5n6q7n.jpg
<http://app.adjust.io/vsrgp5?deep_link=lamoda://ru&fallback=http://www.lamoda.ru/apps/?utm_source=nl&utm_medium=em&utm_campaign=external_mails>http://i59.tinypic.com/1608l75.jpg
<http://app.adjust.io/buqyv2?deep_link=lamoda://ru&fallback=http://www.lamoda.ru/apps/?utm_source=nl&utm_medium=em&utm_campaign=external_mails>
__________________________________________________________________________
CONFIDENTIALITY NOTICE: The information contained in the present
message (including any information contained in attachments herein)
may be confidential and privileged. It may be read, copied and used
only by the intended recipient. If you have received it in error
please contact the sender (by return e-mail) immediately and delete
this message. Any unauthorized use or dissemination of this message in
whole or in parts is strictly prohibited. Print this message only if
sharp necessary.
УВЕДОМЛЕНИЕ О КОНФИДЕНЦИАЛЬНОСТИ: Информация, содержащаяся в настоящем
сообщении (включая любое вложение) может быть конфиденциальной и
охраняться действующим законодательством. Сообщение может быть
прочитано, скопировано и использовано исключительно лицом, которому
сообщение предназначается. Если Вы получили настоящее сообщение по
ошибке, пожалуйста, незамедлительно сообщите об этом отправителю
(ответным письмом по электронной почте). Любое несанкционированное
использование или распространение информации, содержащейся в настоящем
сообщении в целом или в части, строго запрещены. Не распечатывайте
настоящее сообщение, если в этом нет крайней необходимости.
--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
"L'apprendere molte cose non insegna l'intelligenza"
(Eraclito)
__________________________________________________________________________
CONFIDENTIALITY NOTICE: The information contained in the present
message (including any information contained in attachments herein)
may be confidential and privileged. It may be read, copied and used
only by the intended recipient. If you have received it in error
please contact the sender (by return e-mail) immediately and delete
this message. Any unauthorized use or dissemination of this message in
whole or in parts is strictly prohibited. Print this message only if
sharp necessary.
УВЕДОМЛЕНИЕ О КОНФИДЕНЦИАЛЬНОСТИ: Информация, содержащаяся в настоящем
сообщении (включая любое вложение) может быть конфиденциальной и
охраняться действующим законодательством. Сообщение может быть
прочитано, скопировано и использовано исключительно лицом, которому
сообщение предназначается. Если Вы получили настоящее сообщение по
ошибке, пожалуйста, незамедлительно сообщите об этом отправителю
(ответным письмом по электронной почте). Любое несанкционированное
использование или распространение информации, содержащейся в настоящем
сообщении в целом или в части, строго запрещены. Не распечатывайте
настоящее сообщение, если в этом нет крайней необходимости.
--
Massimiliano Perrone
Tel +39 393 9121310
Tirasa S.r.l.
Viale D'Annunzio 267 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
"L'apprendere molte cose non insegna l'intelligenza"
(Eraclito)
