Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discuss/Define: Group Provisioning and Deprovisioning #21

Open
jischr opened this issue Dec 16, 2024 · 2 comments
Open

Discuss/Define: Group Provisioning and Deprovisioning #21

jischr opened this issue Dec 16, 2024 · 2 comments

Comments

@jischr
Copy link

jischr commented Dec 16, 2024

topic should cover:

  • set up group provisioning and deprovisioning between a customer's workforce IdP and my application
@jischr jischr changed the title Create section: Group Provisioning and Deprovisioning Discuss/Define: Group Provisioning and Deprovisioning Dec 16, 2024
@jischr jischr mentioned this issue Dec 16, 2024
Open
@2MarkMaguire
Copy link

One problem I frequently encounter when managing groups is the "Cartesian Product of Groups" within individual business applications.

A Common Example: Imagine "Business App A" which is built on top of a RACF system. For an end user to perform their job in Business App A, they need both a RACF Group and a RACF Profile assigned to them.

->Today, this situation is reasonably complex for an IAM system to manage. To support access requests or access certifications we either need to:

  • Abstract with Roles: Ensure that groups and profiles are invisible to end users by building "roles" on top of them. Assigning or removing a role automatically assigns/removes both the required group and profile.
  • User Education: Educate end users that they need both a RACF Group and a RACF Profile and ensure they always request them together.
  • IAM Side Scripting: Create a Cartesian product of all possible combinations of groups and profiles in the IAM system, adding metadata to explain each combination. Then, implement logic to ensure that provisioning or de-provisioning assigns/removes the correct group-profile pair.

Honestly, all 3 of these options are ugly. (I would argue Option 1 is best, but it still requires unnecessary leg work by the IAM team to create and define roles with the correct business logic). While I used RACF to illustrate the problem, I have seen this same issue with other on-prem apps and also some SaaS apps.

As part of the IPSIE standard, we should fix this. To achieve IPSIE compliance, applications should provide a clear interface—such as an API endpoint, stored procedure, or similar mechanism—that allows IAM systems to seamlessly manage their internal access models without forcing IAM teams to "hack" solutions.

@dhs-BI
Copy link
Contributor

dhs-BI commented Jan 21, 2025

@2MarkMaguire you're poking at an interesting problem, which is that IdPs and RPs manage entitlements in different ways. Imagine the scenario below:

  1. RP uses direct assignment of privileges
  2. RP uses RBAC
  3. RP uses ABAC
  4. RP uses a JIT model based on RBAC + external information (e.g. the ticket being worked by the user) to dynamically assign permissions

How would you propose an IdP obtains a consistent interface to manage this complex environment? Is such an interface possible?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jischr @2MarkMaguire @dhs-BI