How to map AD group to Ivy role?

1

We like to manage the rights for our ivy applications over the Microsoft Active Directory. According the AD groups, ivy roles should automatically added to the ivy user. We have in mind to build some technical processes to do that. But we have some questions...

Is it possible to read (lower) OU's of a user?
If we have the OU "ivy" to import all users and there is a OU "admin" under the OU "ivy", can we find out which users are in the OU "admin"? How can we get this information. Maybe some how like reading AD attributes?

Is it possible to listen to the LDAP synchronisation of the ivy server?
Every times when the user synchronisation is finished, our code should be executed to add specified ivy roles to the user based on the AD OU's.

Thank you for your support

asked 23.07.2015 at 12:24

Adrian%20Imfeld's gravatar image

Adrian Imfeld
(suspended)
accept rate: 77%

2 Answers:
active answersoldestnewestmost voted
0

If you read the User.getExternalSecurityName() you get the fully qualified LDAP Name like: CN=User Name,CN=Users,OU=Management,OU=Swiss,DC=company,DC=com

This means the user is "under" the Organisation Units "Management" and "Swiss".

link

answered 23.07.2015 at 16:26

Christian%20Strebel's gravatar image

Christian St... ♦
3.2k31338
accept rate: 88%

0

You can map either an group or an Organisation Unit (OU) to an ivy role.

See dokumentation about External Security Name:

If you are using an external security system (e.g. Microsoft Active Directory) then you can link an Axon.ivy role to a group or another structural node (e.g. Organisation Unit) on the directory server. If a group is selected then all users that are members of this group will automatically receive the associated Axon.ivy role. If a structural node is selected then all users located below the structural node will automatically receive the associated Axon.ivy role.

Press External security name to edit or browse the name of the group or structural node whose users should receive the selected Axon.ivy role.

link

answered 23.07.2015 at 16:18

Christian%20Strebel's gravatar image

Christian St... ♦
3.2k31338
accept rate: 88%

Thank you. Is it also possible to define more than one structural node for one Axon.ivy role? If not, I have still the need to listen for the user synchronisation job of the Axon.ivy Engine.

(23.07.2015 at 17:04) Adrian Imfeld Adrian%20Imfeld's gravatar image

Organisation Units are hierarchical:

DC=company
|-OU=Swiss (FQN: OU=Swiss,DC=company)
 |-OU=Management (FQN: OU=Management,OU=Swiss,DC=company)
 |-OU=IT (FQN: OU=IT,OU=Swiss,DC=company)

So if you have the OU "Management" or "IT" you have always also "Swiss".

(23.07.2015 at 17:20) Christian St... ♦ Christian%20Strebel's gravatar image

I mean two different OU's of the same hierarchical level. For example we have units "backoffice", "sales" and "it". All units ar hirarchical under the enterprise unit. Backoffice- and IT-users need the right for a time tracking tool (Axon.ivy role "RAP"). Sales-Users should not have this rights or rather Axon.ivy role.

(23.07.2015 at 17:37) Adrian Imfeld Adrian%20Imfeld's gravatar image

A solution could be designed as follows with the ivy roles:

Everybody
|-IT+Management
 |-Management (Mapped to: OU=Management,OU=Swiss,DC=company)
 |-IT (Mapped to: OU=IT,OU=Swiss,DC=company)

So if you have the OU "Management" or "IT" you get the corresponding ivy role and also the ivy role IT+Management (inherited).

Because I think you don't want to change/add the sub roles in RAP project you could add the roles per API (See Q&A) on the server of your client.

(24.07.2015 at 08:22) Christian St... ♦ Christian%20Strebel's gravatar image

Because of that, I asked the second question. Is it possible to listen to the user synchronisation job in Axon.ivy Engine? After the job is running i could map all the requestet (and additional) IRoles to the users.

(27.07.2015 at 08:40) Adrian Imfeld Adrian%20Imfeld's gravatar image

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×40
×26
×19
×16

Asked: 23.07.2015 at 12:24

Seen: 6,052 times

Last updated: 27.07.2015 at 08:40

Related questions

LDAP API call cache

Get all users for an application

Can we configure multiple external security systems (e.g. LDAP)?

Troubleshoot ActiveDirectory user import to my ivy 3.9 webApp

More permissions for test user in the Designer

How can I specify additional properties/attributes for an External Security System?

Changed passwords from Active Directory still work in Ivy

Can not login with synchronized user from active directory

Change password of an AD user in Ivy

Local and AD Users