PhenixID

PSD1121 – LDAP query-based role selections

Summary

To be able to login to IM and do either self service or delegated administration you need to authenticate and have one or more roles assigned.

With IM 5.2.0 we rewrote the role handling and added a new way to work with roles. This covers many more ways to assign a role and also greatly improves the use of nested groups when assigning roles.
With the LDAP query-based role selector you assign the IM role based on an LDAP query.

The LDAP query-based role selector will check if the authenticated user matches the LDAP query that is configured in the IM-role. This will be done for each IM-role.

Some examples:

  • Assign roles to LDAP groups (the most common way in previous versions of IM). Many IM installations run against Active Directory and use groups to assign IM roles. This is still supported and will probably remain the most common way to assign roles, but you will need to adjust your configuration slightly to support the new way.
  • Assign a role to any user that has a specific value in an attribute, for example title=Sales.
  • Active Directory (AD) supports queries that look for a user in nested groups.

System Requirements

  • PhenixID Identity Manager (IM) 5.2.0 or later.

Configuration

Configure LDAP query-based

Open DSEditor.properties.

Add (at the bottom of the file) the following text:

# Settings for role selector
ROLESELECTOR_CLASS=se.nordicedge.rolemanagement.LDAPBasedRoleSelector

Save DSEditor.properties and restart the IM service.

Assign a role to a user

Open the DSEditor.properties for the role you want to assign.

Add the following text (this example maps the role to all members of the PhenixID_ServiceDesk_Role group; see more examples in the next section):

# Group in LDAP Directory that will be associated with this role.
AUTH_ROLE_QUERY=memberOf=CN=PhenixID_ServiceDesk_Role,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local

Examples

Assign an IM role to a user using LDAP groups. This is the most common way in previous versions of IM. With the new role selector, you add the attribute and value that is located on the user.

Example 1 – Member of group

Map a role to a group called ServiceDesk

AUTH_ROLE_QUERY=memberOf=CN=ServiceDesk,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local

Example 2 – Attribute value

Map a role to users whose title attribute equals A
AUTH_ROLE_QUERY=title=A

Example 3 – LDAP query using wildcard

Map a role to users whose title attribute contains A
AUTH_ROLE_QUERY=title=*A*
Note: "starts with" would be title=A* and "ends with" would be title=*A

Example 4 – LDAP query using OR

Map a role to users whose title attribute equals A OR B
AUTH_ROLE_QUERY=(|(title=A)(title=B))

Example 5 – LDAP query using AND

Map a role to users whose title attribute equals A AND whose carLicense attribute equals B
AUTH_ROLE_QUERY=(&(title=A)(carLicense=B))

Example 6 – LDAP query using AND and OR

Map a role to users whose title attribute equals A OR B and who are members of the group ServiceDesk.
AUTH_ROLE_QUERY=(&(|(title=A)(title=B))(memberOf=CN=ServiceDesk,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local))

Example 7 – LDAP query using wildcard and AND

Map a role to users whose title attribute contains manager and who are members of the group ServiceDesk.
AUTH_ROLE_QUERY=(&(title=*manager*)(memberOf=CN=ServiceDesk,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local))

Nested groups

If your AUTH_ROLE_QUERY refers to a group that the user is NOT a direct member of, but an indirect member of because the user belongs to a group that is itself a member of the AUTH_ROLE_QUERY group, then you need to add a somewhat odd-looking filter rule (1.2.840.113556.1.4.1941). This is an OID called LDAP_MATCHING_RULE_IN_CHAIN, which makes Active Directory evaluate the membership chain instead of only the direct memberOf values.
See the example below.

Example 8 – Nested groups

AUTH_ROLE_QUERY=memberOf:1.2.840.113556.1.4.1941:=CN=Nested_Group_1,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local
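As an added illustration (not PhenixID code) of how the selector evaluates a role query per IM role, the following small Python evaluator handles the filter forms used in Examples 1 to 8 above (bare item, * wildcard, &, |, and the chain rule OID on memberOf) against a constructed user entry and group tree; the group map, the user and the module name are assumptions made for this example.

```python
import re
CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (Example 8)
DN = ",OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local"
# Constructed sample data, not a real directory: the groups each group is a member
# of (no cycles here), one authenticated user, and four of the page's role queries.
GROUP_PARENTS = {"CN=Nested_Group_2" + DN: ["CN=Nested_Group_1" + DN]}
USER = {"title": ["Sales Manager"], "memberOf": ["CN=ServiceDesk" + DN, "CN=Nested_Group_2" + DN]}
ROLE_QUERIES = {
    "ex1": "memberOf=CN=ServiceDesk" + DN,
    "ex3": "title=*A*",
    "ex6": "(&(|(title=A)(title=B))(memberOf=CN=ServiceDesk" + DN + "))",
    "ex8": "memberOf:" + CHAIN_OID + ":=CN=Nested_Group_1" + DN,
}
def transitive_groups(direct):
    # Every group reachable from the direct memberOf values (what the chain rule walks).
    out = set(direct)
    for g in direct:
        out |= transitive_groups(GROUP_PARENTS.get(g, []))
    return out

def parse(s, i=0):
    """Parse the filter at s[i] == '('; return (node, index just past its ')')."""
    if s[i + 1] in "&|":                              # (&...) / (|...) with children
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)                               # simple item: attr[:rule:]=pattern
    name, rule, pattern = re.match(r"([^:=]+):?([^:=]*):?=(.*)", s[i + 1:j]).groups()
    return ("=", name.lower(), rule, pattern), j + 1

def evaluate(node, user):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(evaluate(k, user) for k in node[1])
    _, name, rule, pattern = node
    values = user.get(name, [])
    if name == "memberof" and rule == CHAIN_OID:
        values = transitive_groups(values)            # chain rule: nested membership
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))  # '*' is the only wildcard
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)  # LDAP ignores case

def role_matches(auth_role_query, user):
    """True if the user entry satisfies one role's AUTH_ROLE_QUERY (bare items get wrapped)."""
    q = auth_role_query if auth_role_query.startswith("(") else "(" + auth_role_query + ")"
    return evaluate(parse(q)[0], {k.lower(): v for k, v in user.items()})

def assigned_roles(role_queries, user):
    return [role for role, q in role_queries.items() if role_matches(q, user)]

print(assigned_roles(ROLE_QUERIES, USER))  # ['ex1', 'ex3', 'ex8']
```

Note that the wildcard query from Example 3 matches the sample user simply because "Sales Manager" contains an "a", so wildcard role queries should be reviewed against the real attribute values before they are used to grant administrative roles. The Example 8 query only matches because of the chain rule; the same DN with a plain memberOf= would not.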

Upgrading from earlier version of IM

Open DSEditor.properties.

If you’ve been using roles in previous versions of IM, your DSEditor.properties will probably look something like this:

# Settings for role selector
NordicEdge_USE_ROLESELECTION=true
ROLESELECTOR_CLASS=se.nordicedge.rolemanagement.FileBasedRoleSelector
USE_DEFAULT_ROLE_MANAGEMENT=false

Remove or comment out the lines above and replace them with:

# Settings for role selector
ROLESELECTOR_CLASS=se.nordicedge.rolemanagement.LDAPBasedRoleSelector

If the following two lines exist in your DSEditor.properties, they can be removed since they are no longer used.

# What attribute is used to map users to a role
GROUPMEMBER_ATTRIBUTE=memberOf

Assign a role to a user after upgrade

The following shows how to replace the old way of assigning roles with the new way. As an example I use an LDAP group to assign to an IM role.

Open the DSEditor.properties for the role you want to assign.

If you have been using roles in previous versions of IM, your DSEditor.properties will probably look something like this:

# Group in LDAP Directory that will be associated with this role.
MEMBER=CN=PhenixID_GroupAdmin_Role,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local

Replace the above with:

# Group in LDAP Directory that will be associated with this role.
AUTH_ROLE_QUERY=memberOf=CN=PhenixID_ServiceDesk_Role,OU=Roles,OU=Demo_IM_Roles,DC=phenixid2019,DC=local

DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.

PhenixID - support.phenixid.se