Changes between Version 2 and Version 3 of ALL__security_ismemberof


Timestamp: 11/26/14 16:37:26
Author: lttoth@…
Comment: Revised from Original text. Revised isMemberOf to eduIsMemberOf.

  • ALL__security_ismemberof

    v2 v3  
    1 = ISMEMBEROF and Associated Group Records = 
     1= EDUISMEMBEROF and Associated Group Records = 
    22    Original author:  Beth Mercer - 20081103  
    33 
    4 The isMemberOf is an attribute of the eduMember objectClass.  The eduMember objectClass 
    5 is granted to every ou=people directory record when created.  isMemberOf is  
    6 provisioned with individual group memberships that are in turn used by external  
    7 applications to make authorization based decisions. 
     4''Note:'' Originally, the ''isMemberOf'' attribute of the ''eduMember'' objectClass was used for Group Memberships.  That attribute became intricately bound into the inner workings of the SUN LDAP product.  For that reason, the following documentation now refers to ''isEduMemberOf'', the attribute that is used by University of Alaska to establish membership. 
    85 
    9 isMemberOf values are expected to tie to ou=group records of the same name although  
    10 there is currently no mechanism within the directory that forces that relationship. 
    11 So, it is currently possible to provision an isMemberOf value that matches no  
    12 group name. 
     6The ''eduIsMemberOf'' is an attribute of the ''eduMember'' objectClass.    At creation, the ''eduMember'' objectClass is granted to every directory record defined by 'people' organizational unit (ou=people).  Provisioning ''isMemberOf'' is based upon individual group memberships that are in turn used by external applications to make authorization based decisions. 
    137 
    14 The mechanism by which ou=group records are created is the AUTHSERV Seed Group page: 
     8''Note:''  While ''eduIsMemberOf'' values are expected to tie to ou=group records of the same name although  
     9there is currently no mechanism within the directory that forces that relationship.  So, it is currently possible to provision an ''eduIsMemberOf'' value that does not match any existing group name. 
    1510 
    16         https://authserv.alaska.edu/cgi-bin/seed_group 
     11== Creating Group Records == 
     12The mechanism by which group organizational unit (ou=group) records are created is the AUTHSERV Seed Group page: 
     13 
     14        * https://authserv.alaska.edu/cgi-bin/seed_group 
    1715 
    1816That CGI script creates both the directory group record as well as a registry  
    1917record to track the group. 
    2018 
    21 The mechanism by which isMemberOf values are provisioned is presently ZUAUSR. 
    22 However, ZUAUSR is an application that performs provisioning for administrative  
     19== Provisioning Group Membership == 
     20The mechanism by which ''eduIsMemberOf'' values are provisioned is presently ZUAUSR. 
     21The limitation with that tool is that ZUAUSR is an application that performs provisioning for administrative  
    2322users which historically have been only employees and select vendors.   
    2423 
    25 If/when the use of group records and the isMemberOf attribute is extended to serve a  
     24=== Provisioning Strategies Not Reliant on ZUAUSR === 
     25If/when the use of group records and the ''eduIsMemberOf'' attribute is extended to serve a  
    2626population of non-employees, then other mechanisms for provisioning will need to be 
    2727created.  When that comes to pass, it is recommended that different consituent groups  
    2828be protected from each other's activities by creating security objects that scope  
    29 access to group record creation and isMemberOf provisioning. 
     29access to group record creation and ''eduIsMemberOf'' provisioning. 
    3030 
    3131That can be accomplished as follows: 
    3232 
    33 1) Create new EDIRrole values specific to particular applications/provisioning processes 
    34  
    35         EDIRrole: groupAdmin<pattern> 
    36  
    37 2) Create new iPlanet roles specific to each new EDIRrole 
    38  
    39 3) Create ACIs tied to the new iPlanet roles in which the scope of the access  
     331. Create new EDIRrole values specific to particular applications/provisioning processes 
     34        * EDIRrole: groupAdmin<pattern> 
     351. Create new iPlanet roles specific to each new EDIRrole 
     361. Create ACIs tied to the new iPlanet roles in which the scope of the access  
    4037   is defined in a targattrfilters clause which limits access to group names  
    4138   beginning with <pattern> 
    4239 
    4340EXAMPLE: 
    44  
     41{{{ 
    4542        # EDIRrole value 
    4643        groupAdminAppA 
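Review bot: the renamed attribute is spelled three different ways inside this hunk, which defeats the purpose of the revision. The new note at v3 line 4 calls it ''isEduMemberOf'', the heading and v3 lines 6, 8 and 9 use ''eduIsMemberOf'', and v3 line 6 still says "Provisioning ''isMemberOf'' is based upon individual group memberships ..." even though that sentence is describing the replacement attribute. Pick one spelling (the heading and the change comment both say eduIsMemberOf) and apply it to every occurrence, including the leftover ''isMemberOf'' at v3 line 6; otherwise a reader cannot tell whether two attributes are still being provisioned. Smaller point: v3 line 8 reads "While ''eduIsMemberOf'' values are expected to tie to ou=group records of the same name although there is currently no mechanism ...", which carries two conjunctions; drop "While" and keep "although", and the sentence parses.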
     
    5653        nsRoleFilter: (&(EDIRROLE=*)(EDIRrole=groupAdminAppA)(eduPersonAffiliation=Employee)(assignmentCount=*)(!(assignmentCount=0))) 
    5754        Description: filtered role for entities allowed to define groups and provision membership for AppA 
     55}}}      
     56 
     57=== ACI Snippet for Group Record !Creation/Deletion === 
     58 
     59        (targattrfilters="add=cn:(cn=appusers:AppA:*), del=cn:(cn=appusers:AppA:*)") 
     60        allow (compare,read,write,search) (roledn="ldap:///cn=groupAdminAppARole,ou=people,dc=alaska,dc=edu" and (ip=<''iPlanet LDAP server''>);) 
    5861         
    59         # ACI snippet for group record creation/deletion 
    60         (targattrfilters="add=cn:(cn=appusers:AppA:*), del=cn:(cn=appusers:AppA:*)") 
    61         allow (compare,read,write,search) (roledn="ldap:///cn=groupAdminAppARole,ou=people,dc=alaska,dc=edu" and (ip="137.229.9.17 || 137.229.9.68 || 137.229.9.71 || 137.229.9.75"));) 
    62          
     62===  ACI Snippet for ''eduIsMemberOf'' Updates === 
     63        (targattrfilters="add=isMemberOf:(isMemberOf=cn=appusers:AppA:*), del=isMemberOf:(isMemberOf=cn=appusers:AppA:*)") 
     64        allow (compare,read,write,search) (roledn="ldap:///cn=groupAdminAppARole,ou=people,dc=alaska,dc=edu" and (ip=<''iPlanet LDAP server''>);) 
    6365 
    64         # ACI snippet for isMemberOf updates 
    65         (targattrfilters="add=isMemberOf:(isMemberOf=cn=appusers:AppA:*), del=isMemberOf:(isMemberOf=cn=appusers:AppA:*)") 
    66         allow (compare,read,write,search) (roledn="ldap:///cn=groupAdminAppARole,ou=people,dc=alaska,dc=edu" and (ip="137.229.9.17 || 137.229.9.68 || 137.229.9.71 || 137.229.9.75"));) 
     66=== Pattern of Group Names and ''eduIsMemberOf'' Values to Which ACIs Apply === 
    6767 
    68         # pattern of group names and isMemberOf values to which ACIs apply 
    6968        cn=appusers:AppA:*,ou=group,dc=alaska,dc=edu 
    7069 
    71  
    72 In the example, the assumption is still that group and isMemberOf maintenance for  
     70In the example, the assumption is still that group and ''eduIsMemberOf'' maintenance for  
    7371AppA is being delegated to a univeristy employee who's account can be provisioned  
    7472via ZUAUSR.  If instead responsibility is to be delegated to an application, then  
    7573the iPlanet role needs to be stuctured for use by ou=resource records.  
    7674 
    77 Should applications have a need to independently delgate group and isMemberOf  
     75Should applications have a need to independently delgate group and ''eduIsMemberOf''  
    7876maintenance for their own pattern of group names, then iPlanet roles should be created  
    79 that rely on a specific **isMemberOf** values rather than EDIRrole values.  Then who  
    80 ever was granted a key isMemberOf value could in turn grant other users the same  
    81 isMemberOf value, there by delgating group/isMemberOf maintenance authority. 
     77that rely on a specific ''eduIsMemberOf'' values rather than EDIRrole values.  Then who  
     78ever was granted a key ''eduIsMemberOf'' value could in turn grant other users the same  
     79''eduIsMemberOf'' value, there by delgating !group/eduIsMemberOf maintenance authority. 
    8280 
    83 NOTE: EDIRrole values can not be used to facilitate delegation of delegated authority  
     81''NOTE:'' EDIRrole values can not be used to facilitate delegation of delegated authority  
    8482as only users with EDIRadmin can provision EDIRrole values and EDIRadmin will  
    85 **NOT** be granted to individuals managing group/isMemberOf for specific applications. 
    86  
    87 # eof 
     83**NOT** be granted to individuals managing !group/eduIsMemberOf for specific applications.
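Review bot: the snippet under the new heading "ACI Snippet for ''eduIsMemberOf'' Updates" (v3 line 63) still targets the old attribute: `(targattrfilters="add=isMemberOf:(isMemberOf=cn=appusers:AppA:*), del=isMemberOf:(isMemberOf=cn=appusers:AppA:*)")`. If provisioning now writes ''eduIsMemberOf'', this ACI grants nothing for it, and it continues to grant writes to the very ''isMemberOf'' attribute that v3 line 4 says is bound into the Sun LDAP internals; both the add and del filters should name eduIsMemberOf. Second, replacing the address list with `(ip=<''iPlanet LDAP server''>)` at v3 lines 60 and 64 changes what the bind rule means: in Directory Server ACIs the `ip` keyword matches the address of the client performing the operation, so the placeholder should describe the hosts permitted to bind with the delegated role (whatever the 137.229.9.x list in v2 stood for), not the directory server itself. Third, the group creation/deletion snippet at v3 lines 59-60 allows only `(compare,read,write,search)`; `write` covers modifying attribute values of an existing entry, while creating or removing an ou=group entry needs the `add` and `delete` rights, so as written the delegated role cannot create the records the heading promises. Both snippets also keep the stray `);)` from v2 and omit the `(version 3.0; acl "..."; ...)` wrapper, so they cannot be pasted as-is; either label them as fragments or show one complete aci value. Finally, the model at v3 lines 75-79, where whoever holds the key ''eduIsMemberOf'' value can grant it onward, has no stated bound, audit or revocation path; one sentence on who can see and retract that chain would make the delegation safe to adopt.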