comanage-users - Re: [comanage-users] Provisioning for People with Multiple Accounts
Subject: COmanage Users List
List archive
- From: Benn Oshrin <>
- To: Randall Smith <>
- Cc:
- Subject: Re: [comanage-users] Provisioning for People with Multiple Accounts
- Date: Mon, 27 Sep 2021 15:18:50 -0400
My first question is where are you assigning the UIDs? Are they generated in COmanage, or are they being generated elsewhere and then pushed into COmanage?
If the former, identifiers generated by COmanage should be attached to the CO Person record, from where they can be provisioned.
If the latter, there are a couple of different patterns for loading the identifiers. You could attach them directly to the CO Person record, though then you'd probably want to flag them with different identifier types (eg: "uid-student", "uid-staff") so you can tell them apart.
Alternately, another solution would be to use Org Identity Sources connected to Pipelines (which would copy the Org Identity Identifier to the CO Person record). This would require treating the identifier assignment mechanism as a System of Record, which is technically accurate if that's what you're doing, but does impose a heavier integration burden.
Note there are some options for provisioning directly from the Org Identity record (the LdapProvisioner supports this for identifiers), but I'd try to avoid them if possible. Over time, we expect to deprecate that approach as it's something of a holdover from the early days.
Thanks,
-Benn-
On 9/27/21 1:35 PM, Randall Smith wrote:
Greetings,
I'm setting up Comanage for Identity management and provisioning. I've run into a problem and I'm trying to understand some of the thought process and expectations for Comanage.
Here's the deal. I'm looking at how to manage people. Adding an individual is pretty simple. Where it gets problematic is people that are both employees and students. We provision a separate account for each type with different UIDs. For example, John Smith might have a staff account "jsmith" and a student account "smithj002". Each account needs to be provisioned separately.
My first thought was to create an organizational identity for each with the different UIDs set as an identifier. So the person would have an OID for the employee account and one for the student account.
The problem comes with provisioning. The Grouper provisioner operates at the CO Person level which means that it completely ignores the OIDs. I believe the same is true when it comes to the LDAP provisioner.
I have two questions: How should I be approaching this so that I can provision the different accounts? What are the expectations within Comanage for dealing with people who have multiple accounts?
Thanks
--
Randall Smith
Sr. Systems Administrator / Architect
Adams State University
http://www.adams.edu/ <http://www.adams.edu/>
719-587-7741
- [comanage-users] Provisioning for People with Multiple Accounts, Randall Smith, 09/27/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Benn Oshrin, 09/27/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Randall Smith, 09/27/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Benn Oshrin, 09/29/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Scott Koranda, 09/29/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Randall Smith, 09/29/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Scott Koranda, 09/29/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Benn Oshrin, 09/29/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Randall Smith, 09/27/2021
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Benn Oshrin, 09/27/2021
Archive powered by MHonArc 2.6.24.