Thanks, it's great.

But maybe someone can provide a step-by-step manual on how to implement a typical
installation for a typical organization. For a newbie.



Best regards,

Oleg Suslov

Head of Audit and Control Information Systems Team

Information Security Department

Lamoda | Letnikovskaya 10, bldg. 5 | Moscow | Russia

+7(495) 640-80-65, Ext. 3241

+7(915) 022-84-82

Skype: oleg.suslov

www.lamoda.ru






*From:* Massimiliano Perrone [mailto:[email protected]]
*Sent:* Wednesday, January 27, 2016 5:58 PM
*To:* [email protected]
*Subject:* Re: best practice for typical middle range organisation





On 27/01/2016 14:57, Oleg Suslov wrote:

Hi again!



> *) You have to configure an HR resource with a custom connector (to
> develop from scratch) based on, for example, the REST layer of the HR
> system (if it has one).

Where can I read documentation/recommendations on how to do it?


You could try following [1] and taking a look at the
https://github.com/Tirasa/ConnId* repositories to figure out how to write a
custom connector; BTW the first step is:


mvn archetype:generate \
    -DarchetypeGroupId=net.tirasa.connid \
    -DarchetypeArtifactId=connector-archetype \
    -DarchetypeRepository=https://oss.sonatype.org/content/repositories/snapshots/ \
    -DarchetypeVersion=1.4.3.0-SNAPSHOT


and then remember to add the code below to the generated pom.xml:

<repositories>
  <repository>
    <id>sonatype</id>
    <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
    <snapshots>
      <enabled>true</enabled>
    </snapshots>
  </repository>
</repositories>


But writing a new connector is NOT so simple for a newbie and I would not
recommend doing it. I suggest you outsource [2] this kind of activity.




> Can you provide more details about this requirement? Because I don't
> understand which kind of grant you have to manage, anyway the idea is to
> use the Syncope role to check the position and division.

For me, a permission is membership of an AD group.



For example: for all PMs in the IT department Syncope must grant the permission
“Confluence user”, which is membership of the group “g_confluence_users”. And
this permission must be granted automatically, without requests and
approval.

In this example the division is “IT department”, the position is “project manager”.


To achieve this requirement you only have to configure the Active Directory
resource to manage also the AD groups (mapped as Syncope roles), and then you
will have to configure the membership attributes or the role attributes; but
without a detailed analysis I can't suggest you the right way to achieve
your requirement.




> Syncope provides a complete and exhaustive tool to manage the reports
> and the audit, but also in this case, I need more information. What do you
> mean with access management process?

Access management process – the process of creating user accounts, granting/revoking
permissions, locking accounts after an employee leaves the company. It covers the full
life cycle of a user account and its permissions.

We need reports:

- When and why an account was created

- When and why an account got a permission (membership in AD groups)

- When and why an account was locked


Every requirement can be achieved by configuring (or developing) a simple
report.


Audit:

- Automatically find unknown accounts in AD

- Automatically find permissions (membership in AD groups) not approved in
Syncope

- Automatically find not-locked accounts of fired users


Every requirement can be achieved by configuring the audit tab provided by
the Syncope console.




> But, IMHO, I think you can already achieve every your requirements with
> the 1.2 version and the actual documentation.

Ok, we will try Syncope 1.2.7


Great choice!

Massi

[1] https://connid.atlassian.net/wiki/display/BASE/Create+new+connector
[2] http://syncope.apache.org/professional-services.html
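The two requirements discussed above (automatic AD group membership derived from division and position, and the audit for unknown accounts, unapproved memberships and unlocked accounts of fired users) boil down to one reconciliation of the directory against the HR source of truth. The script below is an added illustration written for this thread, not Syncope code or a Syncope API; the employees, logins and groups other than g_confluence_users are constructed, and "approved extras" stands in for whatever the approval workflow recorded.

```python
# Added example (not Syncope code): derive AD groups from HR division/position
# and audit an AD export against that truth. All data here is constructed.
from dataclasses import dataclass, field

# Automatic entitlements: (division, position) -> AD groups, no approval needed.
RULES = {
    ("IT department", "project manager"): {"g_confluence_users"},
    ("IT department", "developer"): {"g_confluence_users", "g_vcs_users"},
}

@dataclass
class Employee:          # what the HR system (source of truth) says
    login: str
    division: str
    position: str
    active: bool = True  # False once HR records the person as fired

@dataclass
class AdAccount:         # what a directory export says
    login: str
    groups: set = field(default_factory=set)
    locked: bool = False

def entitled_groups(emp):
    """Groups granted purely by division/position; a fired employee gets none."""
    return set(RULES.get((emp.division, emp.position), set())) if emp.active else set()

def audit(hr, ad, approved_extra):
    """Reconcile AD against HR truth plus approval-workflow extras {login: set(groups)}."""
    hr_by_login = {e.login: e for e in hr}
    out = {"unknown_accounts": [], "unapproved_memberships": [], "fired_not_locked": []}
    for acct in ad:
        emp = hr_by_login.get(acct.login)
        if emp is None:                      # account with no HR owner
            out["unknown_accounts"].append(acct.login)
            continue
        allowed = entitled_groups(emp) | approved_extra.get(acct.login, set())
        out["unapproved_memberships"] += [(acct.login, g) for g in sorted(acct.groups - allowed)]
        if not emp.active and not acct.locked:
            out["fired_not_locked"].append(acct.login)
    return out

# Constructed sample: a compliant PM, a fired developer still enabled,
# an accountant with an approved extra group, and an orphan account.
HR = [Employee("ivanov", "IT department", "project manager"),
      Employee("petrov", "IT department", "developer", active=False),
      Employee("sidorov", "Finance", "accountant")]
AD = [AdAccount("ivanov", {"g_confluence_users"}),
      AdAccount("petrov", {"g_confluence_users", "g_vcs_users"}),
      AdAccount("sidorov", {"g_confluence_users"}),
      AdAccount("svc_old", {"g_confluence_users"})]
APPROVED = {"sidorov": {"g_confluence_users"}}
```

Calling audit(HR, AD, APPROVED) flags svc_old as unknown, both of petrov's memberships as unapproved (a fired employee is entitled to nothing) and petrov as fired but not locked, while ivanov and sidorov pass.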







*From:* Massimiliano Perrone [mailto:[email protected]]
*Sent:* Wednesday, January 27, 2016 2:12 PM
*To:* [email protected]
*Subject:* Re: best practice for typical middle range organisation



Hi Oleg,
thanks for your interesting mail.

On 27/01/2016 09:12, Oleg Suslov wrote:

Hi All!



Is it possible to get best practice for typical middle range organization?



It means:

- My organisation has about 5000 employees now


With this amount of users a single installation mode should be sufficient
to achieve your requirements with good performance, but if you also want a
high availability environment you need to install a cluster.

- Active Directory as a storage of authentication and authorization
information (Identity Store)


You only have to configure an Active Directory resource with the Active
Directory bundle [1] [2] to link the Syncope core with your AD.

- HR system (“1C”, Russian standard for HR systems)


Here are two choices:
*) You have to configure an HR resource using the DB bundle [3];
*) You have to configure an HR resource with a custom connector (to develop
from scratch) based on, for example, the REST layer of the HR system (if it
has one).



I want to get more step-by-step recommendations on how to implement Syncope as
a Provisioning Engine and Identity Management.

At least:

- Automatically create accounts in Active Directory for new employees


You can still follow [2] to achieve your requirements.

- Automatically grant permissions depending on the position and division
of the employee


Can you provide more details about this requirement? Because I don't
understand which kind of grant you have to manage; anyway, the idea is to
use the Syncope role to check the position and division.

- Approval process to grant additional permissions


Maybe the last ML discussion [4] could help you in this case. Remember to read
also [5].

- Audit & Report to find exceptions in the access management process


Syncope provides a complete and exhaustive tool to manage the reports and
the audit, but also in this case I need more information. What do you mean
by access management process?



One of my problems is that the documentation is not up to date.

For example I read how to configure an Active Directory resource (
https://cwiki.apache.org/confluence/display/SYNCOPE/Configure+an+Active+Directory+resource),
but there is no “Resources tab” in my Syncope instance (version 2.0.0-M1).


You are right, because the 2.0.0-M1 release is NOT production ready. We are
working to close the last console issues and writing the documentation to
align the latter with the 2.0.0 release.
My suggestion is: the 2.0.0 release is a wonderful one because it has
several new features [6], so if you have time to wait for the new release and
you need something provided by 2.0.0 and not provided by 1.2, you
can wait.
But, IMHO, I think you can already achieve all your requirements with the
1.2 version and the current documentation.



Can someone help me, please?


I hope I was helpful but, as I wrote above, I would like to have more
information about your requirements and your environment to be more useful.

Regards,
Massi


[1] https://github.com/Tirasa/ConnIdADBundle
[2] http://blog.tirasa.net/configure-active-directory-external-resource.html
[3] https://github.com/Tirasa/ConnIdDBBundle
[4] http://www.mail-archive.com/[email protected]/msg01363.html
[5] http://blog.tirasa.net/approval-process-syncope.html
[6] http://syncope.tirasa.net/news/apache-syncope-2.0-resource-management.html








__________________________________________________________________________

CONFIDENTIALITY NOTICE: The information contained in the present message
(including any information contained in attachments herein) may be
confidential and privileged. It may be read, copied and used only by the
intended recipient. If you have received it in error please contact the
sender (by return e-mail) immediately and delete this message. Any
unauthorized use or dissemination of this message in whole or in parts is
strictly prohibited. Print this message only if sharp necessary.




-- 

Massimiliano Perrone

Tel +39 393 9121310



Tirasa S.r.l.

Viale D'Annunzio 267 - 65127 Pescara

Tel +39 0859116307 / FAX +39 0859111173

http://www.tirasa.net



"Learning many things does not teach understanding"

(Eraclito)






