Courion Tip – Roles and existing accounts

I had originally thought, now that we have generated a role, to simply shove all that into the “shopping cart”. Any account or membership creations that a user ALREADY had would simply fail.

Well, it occurred to me this morning that we can query the IdentityMap and/or the “role mining master” and we will know what accounts that user already has – avoiding unnecessary processing overhead and/or confusing the end user.

More later…

Thought about it some more. Basically, I think I need:

  • A view of what the user has – I have this
  • A view of what the role says the user should have – again, I have this
  • A view of what the user’s role says he should have AND he does have
  • A view of what the user’s role says he should have and he DOESN’T have
  • A view of what the user has above and beyond what the role says he should have – more for auditing and possibly refining the definition of the role. Could also be a list of latent permissions – stuff they had access to in a previous job.

As far as Active Directory goes… Well, for you to be a member of an AD group, you have to have an account in AD. This isn’t a problem for us, everyone gets an AD account when on-boarded. If this were an issue, however, it should be possible to do a cross join of some sort between the identity map and group membership defined in the role and determine that the user ALSO needs to have an AD account. Anyway, not a problem for us, but I did think of it.
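The views listed above, sketched as an added example (not Courion's schema and not code from the original post). It uses SQLite from Python; the tables `user_role`, `user_has` (standing in for the IdentityMap) and `role_wants` (standing in for the role definition) are hypothetical, all rows are constructed, and the AD remark is generalized so that a group membership on any target implies an account on that target.

```python
import sqlite3

# Hypothetical schema with constructed sample rows (assumptions, not Courion's
# tables). Account rows carry name = '' so they compare equal across tables.
SETUP = """
CREATE TABLE user_role (user_id TEXT, role TEXT);
CREATE TABLE user_has  (user_id TEXT, target TEXT, kind TEXT, name TEXT);
CREATE TABLE role_wants(role TEXT, target TEXT, kind TEXT, name TEXT);
INSERT INTO user_role VALUES ('jdoe','AP Clerk'), ('newhire','AP Clerk');
INSERT INTO user_has VALUES ('jdoe','AD','account',''),
  ('jdoe','AD','group','Finance-Share'), ('jdoe','AD','group','Warehouse-Scanners');
INSERT INTO role_wants VALUES ('AP Clerk','AD','group','Finance-Share'),
  ('AP Clerk','AD','group','AP-Approvers'), ('AP Clerk','ERP','account','');

-- What the role says the user should have, plus the account that any
-- group membership on a target depends on.
CREATE VIEW should_have(user_id, target, kind, name) AS
  SELECT u.user_id, r.target, r.kind, r.name
    FROM user_role u JOIN role_wants r ON r.role = u.role
  UNION
  SELECT u.user_id, r.target, 'account', ''
    FROM user_role u JOIN role_wants r ON r.role = u.role
   WHERE r.kind = 'group';
-- Should have AND does have.
CREATE VIEW has_and_should AS
  SELECT * FROM should_have INTERSECT SELECT * FROM user_has;
-- Should have but does not have: the only items worth putting in the cart.
CREATE VIEW missing AS
  SELECT * FROM should_have EXCEPT SELECT * FROM user_has;
-- Has beyond the role: audit and role-refinement candidates.
CREATE VIEW excess AS
  SELECT * FROM user_has EXCEPT SELECT * FROM should_have;
"""
VIEWS = {"should_have", "has_and_should", "missing", "excess"}

def build():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return conn

def entitlements(conn, view, user_id):
    # View names cannot be bound as parameters, so allow-list them.
    if view not in VIEWS:
        raise ValueError(f"unknown view: {view}")
    # 'account' sorts before 'group', so prerequisites come first in the cart.
    sql = (f"SELECT target, kind, name FROM {view} "
           "WHERE user_id = ? ORDER BY kind, target, name")
    return conn.execute(sql, (user_id,)).fetchall()
```
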


Posted August 8, 2010 by mmdmurphy in Courion Tip
