
comanage-users - Re: [comanage-users] Provisioning for People with Multiple Accounts

Subject: COmanage Users List

  • From: Benn Oshrin <>
  • To: Randall Smith <>
  • Cc:
  • Subject: Re: [comanage-users] Provisioning for People with Multiple Accounts
  • Date: Mon, 27 Sep 2021 15:18:50 -0400

My first question is where are you assigning the UIDs? Are they generated in COmanage, or are they being generated elsewhere and then pushed into COmanage?

If the former, identifiers generated by COmanage should be attached to the CO Person record, from where they can be provisioned.

If the latter, there are a couple of different patterns for loading the identifiers. You could attach them directly to the CO Person record, though then you'd probably want to flag them with different identifier types (eg: "uid-student", "uid-staff") so you can tell them apart.

Alternately, another solution would be to use Org Identity Sources connected to Pipelines (which would copy the Org Identity Identifier to the CO Person record). This would require treating the identifier assignment mechanism as a System of Record, which is technically accurate if that's what you're doing, but does impose a heavier integration burden.

Note there are some options for provisioning directly from the Org Identity record (the LdapProvisioner supports this for identifiers), but I'd try to avoid them if possible. Over time, we expect to deprecate that approach as it's something of a holdover from the early days.

Thanks,

-Benn-

On 9/27/21 1:35 PM, Randall Smith wrote:
Greetings,

I'm setting up COmanage for Identity management and provisioning. I've run into a problem and I'm trying to understand some of the thought process and expectations for COmanage.

Here's the deal. I'm looking at how to manage people. Adding an individual is pretty simple. Where it gets problematic is people that are both employees and students. We provision a separate account for each type with different UIDs. For example, John Smith might have a staff account "jsmith" and a student account "smithj002". Each account needs to be provisioned separately.

My first thought was to create an organizational identity for each with the different UIDs set as an identifier. So the person would have an OID for the employee account and one for the student account.

The problem comes with provisioning. The Grouper provisioner operates at the CO Person level which means that it completely ignores the OIDs. I believe the same is true when it comes to the LDAP provisioner.

I have two questions: How should I be approaching this so that I can provision the different accounts? What are the expectations within COmanage for dealing with people who have multiple accounts?

Thanks

--
Randall Smith
Sr. Systems Administrator / Architect
Adams State University
http://www.adams.edu/
719-587-7741


