In IDM, there is a plethora of customers who implement Attribute Based Access Policies. So by just assigning a resource (rather than a role that maps to a group membership) to a user, we could then evaluate against policy that evaluates access based on an attribute being present.

NAM has recently implemented ABAC capabilities to align our capabilities in the same way. Today we already check external groups by checking the "memberof" attribute, I believe. The enhancement would be relatively simple, and the benefit would be that we simplify the way we manage policies by centralizing access criteria in the metadirectory (checking anything from groups, resource, and role assignments to arbitrary user attributes to make decisions on access control).

Comments

  • I would like to make sure I understand what you are asking for. You would like it if we could leverage attributes of a user, where the attributes are stored in an LDAP repository or in the local authentication DB, that would then be used for group memberships within PAM, which would, in turn, manage access? Do I have this right, or is there something more?

  • Yes. So if you have seen how we work with IDM Standard, the most common way that group membership is deployed is through resource assignment. This is just an attribute on the user. If we can match against resource attributes in IDM, it would make life much simpler for many people in our organization who want to start their PAM projects from an IDM base (they don't have to re-do or re-think how they deploy membership to a group...).

  • Ok - This makes sense and is something that we should consider for a future release. At this time we will accept the idea as a candidate. This means that when we get to release planning for our next release, currently in the Fall '18 / Winter '19 time frame, we will review it for consideration.