comanage-users - Re: [comanage-users] Provisioning for People with Multiple Accounts
- From: Benn Oshrin
- To: Randall Smith
- Subject: Re: [comanage-users] Provisioning for People with Multiple Accounts
- Date: Wed, 29 Sep 2021 14:51:31 -0400
You can add types via "Extended Types" in the CO Configuration.
In terms of Grouper, others might be better able to chime in on the Grouper side, but it sounds like what you're trying to do is map a single CO Person to multiple Grouper subjects. The immediate question would be how to populate a Grouper subject source in a way that would permit this.
While we typically see LDAP as the Grouper subject source, I'm not sure this would be the best option. AIUI, you would need to provision two LDAP records for the same CO Person, one with each uid. Although technically possible (probably using two LdapProvisioners, one with a Provisioning Group associated with a CO Group holding the students, and another associated with a CO Group holding the staff), I don't think we've seen anyone do that, and it might be more trouble than it's worth.
Another option could be to use the SqlProvisioner, and then build a view on top of the provisioned tables that generates one row per uid using appropriate JOINs.
We could also consider an RFE to the GrouperProvisioner if we could figure out what exactly the enhancement would be.
Thanks,
-Benn-
On 9/27/21 5:30 PM, Randall Smith wrote:
Thanks for the response.
The UIDs are currently being generated outside of COmanage though that may change in the future. I didn't see the option to create new identifier types. That will help quite a bit.
The next issue will be adding the people to groups. When syncing the groups to Grouper (or anything else for that matter), what tools do I have to say whether it's the uid-student or uid-staff that should be added to that group? We do have groups that have mixed memberships of students and employees.
On Mon, Sep 27, 2021 at 1:19 PM Benn Oshrin wrote:
My first question is where are you assigning the UIDs? Are they
generated in COmanage, or are they being generated elsewhere and then
pushed into COmanage?
If the former, identifiers generated by COmanage should be attached to
the CO Person record, from where they can be provisioned.
If the latter, there are a couple of different patterns for loading the
identifiers. You could attach them directly to the CO Person record,
though then you'd probably want to flag them with different identifier
types (eg: "uid-student", "uid-staff") so you can tell them apart.
Alternately, another solution would be to use Org Identity Sources
connected to Pipelines (which would copy the Org Identity Identifier to
the CO Person record). This would require treating the identifier
assignment mechanism as a System of Record, which is technically
accurate if that's what you're doing, but does impose a heavier
integration burden.
Note there are some options for provisioning directly from the Org
Identity record (the LdapProvisioner supports this for identifiers),
but I'd try to avoid them if possible. Over time, we expect to deprecate
that approach as it's something of a holdover from the early days.
Thanks,
-Benn-
On 9/27/21 1:35 PM, Randall Smith wrote:
> Greetings,
>
> I'm setting up COmanage for Identity management and provisioning. I've
> run into a problem and I'm trying to understand some of the thought
> process and expectations for COmanage.
>
> Here's the deal. I'm looking at how to manage people. Adding an
> individual is pretty simple. Where it gets problematic is people that
> are both employees and students. We provision a separate account for
> each type with different UIDs. For example, John Smith might have a
> staff account "jsmith" and a student account "smithj002". Each account
> needs to be provisioned separately.
>
> My first thought was to create an organizational identity for each with
> the different UIDs set as an identifier. So the person would have an OID
> for the employee account and one for the student account.
>
> The problem comes with provisioning. The Grouper provisioner operates at
> the CO Person level which means that it completely ignores the OIDs. I
> believe the same is true when it comes to the LDAP provisioner.
>
> I have two questions: How should I be approaching this so that I can
> provision the different accounts? What are the expectations within
> COmanage for dealing with people who have multiple accounts?
>
> Thanks
>
> --
> Randall Smith
> Sr. Systems Administrator / Architect
> Adams State University
> http://www.adams.edu/
> 719-587-7741
--
Randall Smith
Sr. Systems Administrator / Architect
Adams State University
http://www.adams.edu/
719-587-7741
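
The "view on top of the provisioned tables" option from the 29 Sep reply, sketched as an added example that is not part of the thread and not COmanage's own code. The table and column names are hypothetical, simplified stand-ins for what a SQL provisioner might write, the status value 'A' is assumed to mean active, and SQLite is used only so the sketch runs stand-alone.

```python
import sqlite3

# Assumed, simplified stand-ins for provisioned tables; the table and column
# names are hypothetical, not COmanage's actual SqlProvisioner schema.
SCHEMA = """
CREATE TABLE sp_co_people  (id INTEGER PRIMARY KEY, status TEXT);
CREATE TABLE sp_names      (co_person_id INTEGER, given TEXT, family TEXT,
                            primary_name INTEGER);
CREATE TABLE sp_identifiers(co_person_id INTEGER, identifier TEXT,
                            type TEXT, status TEXT);

-- One row per uid: a person holding two uid-* identifiers yields two subjects.
CREATE VIEW subject_source AS
SELECT i.identifier               AS subject_id,
       i.type                     AS uid_type,
       p.id                       AS co_person_id,
       n.given || ' ' || n.family AS name
FROM sp_identifiers i
JOIN sp_co_people p ON p.id = i.co_person_id AND p.status = 'A'
JOIN sp_names n     ON n.co_person_id = p.id AND n.primary_name = 1
WHERE i.type IN ('uid-student', 'uid-staff')
  AND i.status = 'A';
"""

# Constructed sample data, reusing the account names given in the thread.
SAMPLE = """
INSERT INTO sp_co_people VALUES (1, 'A'), (2, 'A'), (3, 'S');
INSERT INTO sp_names VALUES (1, 'John', 'Smith', 1), (2, 'Ann', 'Lee', 1),
                            (3, 'Old', 'User', 1);
INSERT INTO sp_identifiers VALUES
  (1, 'jsmith',         'uid-staff',   'A'),
  (1, 'smithj002',      'uid-student', 'A'),
  (1, 'js@example.edu', 'eppn',        'A'),
  (2, 'alee',           'uid-staff',   'A'),
  (3, 'ouser',          'uid-staff',   'A');
"""

def subject_rows():
    """Build the tables in memory and return the view's rows, sorted by uid."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db.execute(
        "SELECT subject_id, uid_type, co_person_id, name "
        "FROM subject_source ORDER BY subject_id").fetchall()

if __name__ == "__main__":
    for row in subject_rows():
        print(row)
```

The `co_person_id` column is kept in the view so that both subjects for one person can still be traced back to the same CO Person record.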