PhenixID

PSD1111 – Roles in previous IM versions

Summary

From IM 5.2.0 we have updated and changed the way to assign roles, please read PSD1021. This is now the recommended way to configure roles.

To be able to login to IM and do either self service or delegated administration you need to authenticate and have one or more roles assigned to you.

System Requirements

  • PhenixID Identity Manager (IM) 5.1.2 or earlier.
  • From IM 5.2.0 we have updated and changed the way to assign roles, please read PSD1021

Overview

We will use the most common scenario when describing how to use the three different ways to connect a user to a role. Most customers using IM has an Active Directory (AD) and uses AD groups to connect a user to a role. This is done by group membership.

In the main DSEditor.properties, set the policy:  (C:\Program Files\PhenixID\IM\customer\config)

GROUPMEMBER_ATTRIBUTE=memberOf

1. Connect user to a role through group membership

If you have a group in your LDAP (AD in this example) that you like to use to connect user to an IM role. Get the distinguished name (DN) for the group.

For example, if you have an AD called demo.phenixid.local and the group is called ServiceDesk and is located in OU IM_roles. Then the DN for this group would be:
CN=ServiceDesk,OU=IM_roles,DC=demo,DC=phenixid,DC=local

In the DSEditor.properties for this role, set the policy: (C:\Program Files\PhenixID\IM\customer\role\servicedesk)

MEMBER=CN=ServiceDesk,OU=IM_roles,DC=demo,DC=phenixid,DC=local

2. Make a role available to all user in an LDAP directory

If you have an role, for example an Self Service role, that you like to make available to all users then simply open the DSEditor.properties for that role and set the policy to:

MEMBER=*

3. Make a role available to all user in an OU of an LDAP directory

If you have a role for all users in a specific OU, for example an all Swedish user role, where all those users are stored in your AD in an OU with the DN of:

OU=sweden,OU=countries,DC=demo,DC=phenixid,DC=local

Then open the DSEditor.properties for that role and set the policy to:

MEMBER=OU=sweden,OU=countries,DC=demo,DC=phenixid,DC=local

4. Use roles with nested groups

Scenario:
You have a role which is linked to an LDAP group. A user that should be part of this role is not directly member of the group in question. The user is member of a group that is member of the group in question. This is not supported by default in IM but it can be enabled with two polices.

AUTH_USE_NESTED_GROUPS=true
AUTH_NESTED_GROUPS_LEVEL=10

These two policies must be added to the main DSEditor.properties (drive:\..\PhenixID\IM\customer\config)

 

 

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se