AD is used as the authorization and authentication source for many applications via federation.

A typical setup is that a number of security groups are created in AD to mirror the relevant entitlements in a specific application. Users that need access to the application become members of the relevant mirrored security groups in AD.

The exchange of authentication and authorization data between AD and the application is either done by synchronization via e.g. DirSync (both AD and the application hold a set of users and entitlements) or via true federation (only AD holds a set of users and entitlements).

In relation to Identity Governance it would be beneficial to be able to group permissions from an application source that acts as an authorization source for other applications, such as AD.

It will help the approver and the reviewer to understand which system an AD security group grants access to if the application is labeled by its real name instead of by "Active Directory".

In the example below it would in some cases be beneficial if the application Filr were represented as its own application instead of as a part of AD.

In Denmark the municipalities have made a federation framework for all new municipal applications. For them it would be essential to see in IG which federated application an AD security group grants access to.

If the idea "Need for grouping AD permissions into application specific groups" is implemented, a related issue needs to be handled.

If it becomes possible to group permissions in AD according to which application a number of security groups grant access to, it would be beneficial if the grouping could have an owner, so approvals and reviews could be routed to that owner.

This gives the possibility to govern reviews, approvals etc. at the "virtual" application level, without having to put an owner on every individual permission.
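As an added illustration of the grouping and owner routing described above (this is constructed example code, not Identity Governance's data model or API, and the application names, AD group names and owner addresses are made-up sample data), the following models AD security groups as catalog permissions, collects them into named "virtual applications" that each carry an owner, and builds the access-review view for one user: an application is shown as soon as the user holds at least one of its groups, and groups that belong to no application stay under the plain "Active Directory" label.

```python
"""Grouping AD security groups into 'virtual applications' with an owner,
and building an access-review view from that grouping.

Hypothetical model, not Identity Governance's own data model or API.
All names below (Filr, group names, owner addresses) are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """One catalog permission collected from AD: a security group."""
    name: str
    description: str
    source: str = "Active Directory"   # label shown when no application claims the group


@dataclass
class VirtualApplication:
    """A named grouping of AD groups that all grant access to one federated application."""
    name: str
    owner: str                     # the reviewer/approver review items are routed to
    permissions: frozenset[str]    # AD group names belonging to this application


@dataclass
class ReviewItem:
    """What a reviewer sees: the application label, its owner, and the permissions held."""
    application: str
    owner: str | None
    held: list[Permission] = field(default_factory=list)


def index_by_group(apps: list[VirtualApplication]) -> dict[str, VirtualApplication]:
    """Map each AD group name to the virtual application it belongs to.

    A group may belong to at most one application; otherwise the review
    item (and the owner it routes to) would be ambiguous, so reject that.
    """
    index: dict[str, VirtualApplication] = {}
    for app in apps:
        for group in app.permissions:
            if group in index:
                raise ValueError(f"{group!r} is already assigned to {index[group].name!r}")
            index[group] = app
    return index


def build_review_items(
    user_groups: list[str],
    catalog: dict[str, Permission],
    apps: list[VirtualApplication],
    default_owner: str | None = None,
) -> list[ReviewItem]:
    """Group a user's AD memberships by virtual application.

    An application appears if the user holds at least one of its groups,
    not necessarily all of them. Groups mapped to no application are listed
    under the permission's own source label ("Active Directory") and routed
    to default_owner.
    """
    group_index = index_by_group(apps)
    app_names = {app.name for app in apps}
    items: dict[str, ReviewItem] = {}
    for group in user_groups:
        perm = catalog[group]
        app = group_index.get(group)
        label = app.name if app else perm.source
        owner = app.owner if app else default_owner
        items.setdefault(label, ReviewItem(label, owner)).held.append(perm)
    # Named applications first, unmapped AD groups last, alphabetical within each
    return sorted(items.values(), key=lambda i: (i.application not in app_names, i.application))


def route_to_owners(items: list[ReviewItem]) -> dict[str | None, list[str]]:
    """Who has to act: owner -> application labels awaiting that owner's review."""
    routing: dict[str | None, list[str]] = defaultdict(list)
    for item in items:
        routing[item.owner].append(item.application)
    return dict(routing)


# --- constructed sample data ------------------------------------------------
CATALOG = {p.name: p for p in [
    Permission("APP-Filr-Users", "Filr: read/write personal files"),
    Permission("APP-Filr-Admins", "Filr: administer net folders"),
    Permission("APP-Payroll-Readers", "Payroll (federated): view payslips"),
    Permission("Domain Users", "Default AD group"),
]}

APPS = [
    VirtualApplication("Filr", owner="filr.owner@example.test",
                       permissions=frozenset({"APP-Filr-Users", "APP-Filr-Admins"})),
    VirtualApplication("Payroll", owner="payroll.owner@example.test",
                       permissions=frozenset({"APP-Payroll-Readers"})),
]

if __name__ == "__main__":
    review = build_review_items(["APP-Filr-Users", "Domain Users"], CATALOG, APPS,
                                default_owner="ad.owner@example.test")
    for item in review:
        print(f"{item.application} (owner: {item.owner})")
        for perm in item.held:
            print(f"  {perm.name}: {perm.description}")
    print(route_to_owners(review))
```

The one-application-per-group check in `index_by_group` is the part worth keeping in any real implementation: if the same security group could sit in two virtual applications, two owners would both be asked to review the same assignment, or neither would.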

Comments

  • Customers are looking for a way to group any assortment of catalog permissions as an IG 'entity'. The entity must be displayable upon a User Access Review. If a user has one or more of the entity permissions, the entity/collection/group of existing permissions should be displayed as part of that entity along with the details of the permission. They would not require all permissions of the entity for their permission(s) to be identified with the entity.

  • Added as a portfolio item for consideration in next release of IG