Subject: COmanage Users List
Re: [comanage-users] Provisioning for People with Multiple Accounts
- From: Scott Koranda <>
- To: Randall Smith <>
- Cc: Benn Oshrin <>,
- Subject: Re: [comanage-users] Provisioning for People with Multiple Accounts
- Date: Fri, 1 Oct 2021 15:08:12 -0500
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=illinois.edu; dmarc=pass action=none header.from=illinois.edu; dkim=pass header.d=illinois.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=UCc3YjcUEGl7DQWKPJIUxb4jPRAaPT870SLH3oBiec4=; b=Q6zp7hTkU+5EqmspO5w/AqG6fdfROSPaLEL/qKEASEtpvH9lSDKfOzUMmVzcrRqBLIUm0eOcjhzF2YvbY4H75hZ2OGXrKFinABASyFajqUct51TWi5HUDH5OUwPRXa7c4CDyt9sGuWeEIvO4A6SuurXZV9HnOHqLDG1hQW3SLFthW5C//FfnhH+Q/YPgu9jhaQ4bGAHGJV8dydPyYipSPn56oglGUHm6DiyzD53M+oloEPxOGBbe/7BRtz5pnlnM/13J4oDtKuYfQQxFGdMdJIu/3crZxVitA7aBWPD//gGxwLeJSs5GJHBOi3eLV8CiGGBKzgHjtUK9q/fjmL6EEw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KaYV161jFV6qxj4E5VgPlSZk0IcAqd2goA6QjxJaKAo0T5kUN9li5LnZ+zT4nR9HofSc7IZdnAngbLfcIPr6yWCQ6nwJHwG181UOK89Gwz0h362+MGyOriMhEs8qYcFRIjORmyTAbTn8oPrCEdBsmMMbCKg0vwrLqKUyx0bgk4cuRq3ML7oQgk4VXFv8GkMCGiI/xdYOi+Ei4bM3ApUbI1ufRy9FZGLLiQPYJeVdBbL4CJmopO0pk2YOPaA2EpsyiyM4Wm1OcsKoWBO+ZCFPORIW52aDofNcbtVWJh3n+TdctipZ8nlN5y8wELk5yaKmablpNtT3P9EkiTQntOx5Nw==
> Setting up separate provisioners for the different account types is easy
> enough. We already have separate account entries in LDAP (Active Directory,
> in our case) when a person has both student and staff accounts. Mapping
> those accounts into separate Grouper subjects is just fine.
> We're a small university. It has been a lot easier for us to manage access
> control if we give people separate student and staff accounts, as needed.
> I was hoping to use COUs and other groups in Comanage to provide some basic
> grouping (such as department, en) to feed into Grouper as basis groups
> before more fine-grained grouping is done for provisioning.
That is a common deployment pattern.
> I still have to
> write the integration from our ERP and SIS systems into Comanage to provide
> that information. Would it make more sense to forgo that and write those
> integrations to target Grouper directly?
Since this is the COmanage mailing list, you will not be surprised that
I think that integrating the upstream SOR systems with COmanage Registry is
the best approach. I think you will have flexibility with how the
Organizational Identity Source (OIS) ingests the information, how
Pipelines translate it into CO Person records, and then how the other
Registry tooling allows you to mint identifiers and the like before
provisioning into Grouper.
That being said, I usually think about the question like this: COmanage
Registry is a person registry with some group management capabilities.
Grouper is a group registry with some person registry capabilities. So
you need to decide if your primary goal/issue/task requires a person
registry or a group registry.
Depending on the particular details I have made different choices over
> On Wed, Sep 29, 2021 at 1:05 PM Scott Koranda <> wrote:
> > > You can add types via "Extended Types" in the CO Configuration.
> > >
> > > In terms of Grouper, others might be better able to chime in on the
> > Grouper
> > > side, but it sounds like what you're trying to do is map a single CO
> > Person
> > > to multiple Grouper subjects. The immediate question would be how to
> > > populate a Grouper subject source in a way that would permit this.
> > >
> > > While we typically see LDAP as the Grouper subject source, I'm not sure
> > this
> > > would be the best option. AIUI, you would need to provision two LDAP
> > records
> > > for the same CO Person, one with each uid. Although technically possible
> > > (probably using two LdapProvisioners, one with a Provisioning Group
> > > associated with a CO Group holding the students, and another associated
> > with
> > > a CO Group holding the staff), I don't think we've seen anyone do that,
> > and
> > > it might be more trouble than it's worth.
> > >
> > > Another option could be to use the SqlProvisioner, and then build a view
> > on
> > > top of the provisioned tables that generates one row per uid using
> > > appropriate JOINs.
> > >
> > > We could also consider an RFE to the GrouperProvisioner if we could
> > figure
> > > out what exactly the enhancement would be.
> > The GrouperProvisioner has a configuration option to specify which
> > COmanage Registry Identifier should be used to label the user when it
> > invokes the Grouper web service (WS) call. As a deployer you need to
> > coordinate that Identifier with your Grouper subject source.
> > For example, if you provision CO Person records to LDAP and put the UID
> > Identifier value into the LDAP uid attribute, then you would want to
> > configure a Grouper subject source that reads from LDAP and uses uid as
> > the primary key, and also configure your GrouperProvisioner to use UID
> > when it invokes WS calls.
> > The same idea can work with SQL.
> > If you want a single CO Person record with two Identifier values to be
> > treated as two different subjects in Grouper then as Benn notes, you
> > basically need two different LDAP records or two different rows in an
> > SQL table so that the Grouper subject source sees them as two distinct
> > subjects. Then you could probably play the same trick with the
> > GrouperProvisioner that Benn mentions for the LDAP Provisioner (two
> > different provisioning groups configured for the two different
> > provisioner configurations).
> > Again, we have not seen it done.
> > I think an enhancement to the GrouperProvisioner could be functionality
> > so that it chooses which Identifier value to use when invoking Grouper
> > WS calls based on something like CO Group membership?
> > Just a quick thought...
> > Scott
> Randall Smith
> Sr. Systems Administrator / Architect
> Adams State University
- Re: [comanage-users] Provisioning for People with Multiple Accounts, Scott Koranda, 10/01/2021
Archive powered by MHonArc 2.6.24.