
comanage-users - Re: [comanage-users] Provisioning for People with Multiple Accounts

Subject: COmanage Users List

  • From: Randall Smith <>
  • To: Benn Oshrin <>
  • Cc:
  • Subject: Re: [comanage-users] Provisioning for People with Multiple Accounts
  • Date: Mon, 27 Sep 2021 15:30:40 -0600

Thanks for the response.

The UIDs are currently being generated outside of Comanage though that may change in the future. I didn't see the option to create new identifier types. That will help quite a bit.

The next issue will be adding the people to groups. When syncing the groups to Grouper (or anything else for that matter), what tools do I have to say whether it's the uid-student or uid-staff that should be added to that group? We do have groups that have mixed memberships of students and employees.

On Mon, Sep 27, 2021 at 1:19 PM Benn Oshrin <> wrote:
My first question is where are you assigning the UIDs? Are they
generated in COmanage, or are they being generated elsewhere and then
pushed into COmanage?

If the former, identifiers generated by COmanage should be attached to
the CO Person record, from where they can be provisioned.

If the latter, there are a couple of different patterns for loading the
identifiers. You could attach them directly to the CO Person record,
though then you'd probably want to flag them with different identifier
types (e.g., "uid-student", "uid-staff") so you can tell them apart.

Alternately, another solution would be to use Org Identity Sources
connected to Pipelines (which would copy the Org Identity Identifier to
the CO Person record). This would require treating the identifier
assignment mechanism as a System of Record, which is technically
accurate if that's what you're doing, but does impose a heavier
integration burden.

Note there are some options for provisioning directly from the Org
Identity record (the LdapProvisioner supports this for identifiers), but
I'd try to avoid them if possible. Over time, we expect to deprecate
that approach as it's something of a holdover from the early days.

Thanks,

-Benn-

On 9/27/21 1:35 PM, Randall Smith wrote:
> Greetings,
>
> I'm setting up Comanage for Identity management and provisioning. I've
> run into a problem and I'm trying to understand some of the thought
> process and expectations for Comanage.
>
> Here's the deal. I'm looking at how to manage people. Adding an
> individual is pretty simple. Where it gets problematic is people that
> are both employees and students. We provision a separate account for
> each type with different UIDs. For example, John Smith might have a
> staff account "jsmith" and a student account "smithj002". Each account
> needs to be provisioned separately.
>
> My first thought was to create an organizational identity for each with
> the different UIDs set as an identifier. So the person would have an OID
> for the employee account and one for the student account.
>
> The problem comes with provisioning. The Grouper provisioner operates at
> the CO Person level which means that it completely ignores the OIDs. I
> believe the same is true when it comes to the LDAP provisioner.
>
> I have two questions: How should I be approaching this so that I can
> provision the different accounts? What are the expectations within
> Comanage for dealing with people who have multiple accounts?
>
> Thanks
>
> --
> Randall Smith
> Sr. Systems Administrator / Architect
> Adams State University
> http://www.adams.edu/
> 719-587-7741


--
Randall Smith
Sr. Systems Administrator / Architect
Adams State University
http://www.adams.edu/
719-587-7741


