AIOps

  • 1.  LDAP - How to implement Dynamic Groups?

    Posted Fri April 12, 2024 07:51 AM
    We are trying to configure Dynamic Groups in AIOps.
     
    LDAP Server is Microsoft Active Directory.
     
    We defined four new groups in AD:
    1. GRP_NETCOOL-AIOPS_PROJECT,
    2. GRP_NETCOOL-AIOPS_OPERATION,
    3. GRP_NETCOOL-AIOPS_DEVELOPMENT and
    4. GRP_NETCOOL-AIOPS_AUTOMATION.
     
    The idea is to concentrate on AD both authentication and the definition of groups that define authorization information, that is, using these groups to dynamically define permissions for users who authenticate in LDAP.
     
    For example, GRP_NETCOOL_AIOPS_OPERATION will have the equivalent privileges as the AIOps Application Operator.
     
    Unfortunately, the documentation on how to define a dynamic group is poor and does not present examples of how to carry out this type of definition.
     
    The question is how to configure dynamic groups so that AIOps permissions are assigned to users who log into AIOps?
     
    We want to avoid pre-registering users in AIOps with possible permissions.
    Thanks in advance for any suggestions.


    ------------------------------
    Antonio Gadelha
    ------------------------------


  • 2.  RE: LDAP - How to implement Dynamic Groups?

    Posted Fri April 12, 2024 09:03 AM
    Hi Antonio,

    From my understanding of the documentation (https://www.ibm.com/docs/en/cloud-paks/cloud-pak-aiops/4.5.0?topic=control-managing-user-groups), it doesn't look like "LDAP Dynamic Groups" are supported. HOWEVER, you can create a dynamic group of LDAP users based on attribute values within AIOps itself.

    Based on the documentation, what you need to do is create a user group in AIOps using the Dynamic option. In that group definition, you specify the Membership rule or rules that will determine which LDAP users are automatically added to the group. So the "dynamic groups" only exist in AIOps itself, not in AD.

    You won't create any Dynamic Groups in Active Directory itself, and I think that's why you feel that the documentation is poor. It's a case where the term "dynamic group" is implemented differently than you're expecting.

    Frank

    Frank Tate
    MBA, PMP, CISSP





  • 3.  RE: LDAP - How to implement Dynamic Groups?

    Posted Fri April 12, 2024 09:18 AM
    Frank, 
    First of all thanks for your message.
    We are trying to create Dynamic Groups in AIOps.

    The problem we are facing is the difficulty of how we can define the selection criteria.

    There are four criteria: Location, Nationality, Organization, User Type.

    We are defining the association with the Organization criterion. The basic question is how to define the Organization.

    For example, OU=Company?

    Or CN=NETCOOL_ADMINISTRATOR,OU=Company,DC=com?
    Thanks


    ------------------------------
    Antonio Gadelha
    ------------------------------



  • 4.  RE: LDAP - How to implement Dynamic Groups?

    Posted Fri April 12, 2024 09:48 AM
    I believe you specify the Organization with the "o" attribute, which won't be part of the DN. So an entry for a user will be something like:

    dn: CN=NETCOOL_ADMINISTRATOR,OU=Company,DC=com
    o: Your_Organization

    Then you can create a rule that specifies "Organization" "Equals" "Your_Organization" to include this user in your AIOps dynamic group.

    I hope this makes sense to you - trying to convey information about LDAP DIT entries can be difficult. 

    Frank

    Frank Tate
    MBA, PMP, CISSP





  • 5.  RE: LDAP - How to implement Dynamic Groups?

    Posted Fri April 12, 2024 10:07 AM
    We appreciate your attention.
     
    Let's test your proposal


    ------------------------------
    Antonio Gadelha
    ------------------------------



  • 6.  RE: LDAP - How to implement Dynamic Groups?

    Posted Mon April 15, 2024 07:21 AM

    Hi,

    Originally, we thought that associating Active Directory groups with AIOps groups should be implemented using Dynamic Groups.
     
    But, we were wrong.
     
    The solution is to use Assigned Group instead of Dynamic Group.
     
    With the invaluable support of Santhi Kumar (IBM Support), we found a solution, much simpler than we thought, to our problem.
     
    "You can use "Assigned" group option - https://www.ibm.com/docs/en/cloud-paks/cloud-pak-aiops/4.4.1?topic=control-managing-user-groups#to-create-a-user-group-using-the-assigned-option to create a new user group named "NETCOOL_ADMINISTRATOR" and assign your AD group NETCOOL_ADMINISTRATOR to this group using "Identity provider groups" option. to assign to this new group."
     
    We would like to thank everyone who helped us, especially Santhi Kumar, to clarify our doubts.
     
    Good luck for all of us !!!


    ------------------------------
    Antonio Gadelha
    ------------------------------
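
Added example, not part of the original posts and not AIOps code: a small Python model of the two approaches discussed in this thread, an attribute rule such as "Organization" "Equals" "Your_Organization" (reply 4) and a mapping from an AD group to an AIOps group (reply 6). The LDIF entries, the users alice and bob, OU=Groups and the function names are constructed for illustration, and the matching semantics are an assumption about how such rules behave.

```python
# Constructed sample entries (not from the thread); OU=Groups is made up.
SAMPLE_LDIF = """\
dn: CN=alice,OU=Company,DC=com
o: Your_Organization
memberOf: CN=GRP_NETCOOL-AIOPS_OPERATION,OU=Groups,DC=com

dn: CN=bob,OU=Company,DC=com
memberOf: CN=GRP_NETCOOL-AIOPS_PROJECT,OU=Groups,DC=com
memberOf: CN=GRP_NETCOOL-AIOPS_OPERATION,OU=Groups,DC=com
"""


def parse_ldif(text):
    """Parse plain LDIF (base64 '::' values are not decoded) into attr dicts."""
    entries, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith(" ") and last:  # folded continuation line
            current[last][-1] += line[1:]
        else:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def match_attribute(entries, attr, value):
    """Assumed rule shape '<attribute> Equals <value>', case-insensitive."""
    return [e["dn"][0] for e in entries
            if value.lower() in (v.lower() for v in e.get(attr.lower(), []))]


def match_group(entries, group_cn):
    """Users whose memberOf lists a group whose leading RDN is CN=<group_cn>."""
    want = f"cn={group_cn}".lower()
    return [e["dn"][0] for e in entries
            if any(g.split(",")[0].strip().lower() == want
                   for g in e.get("memberof", []))]


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    print("o rule:", match_attribute(users, "o", "Your_Organization"))
    print("group :", match_group(users, "GRP_NETCOOL-AIOPS_OPERATION"))
```

In this model bob sits under OU=Company yet matches no attribute rule, because a DN component is not the `o` attribute; his AD group membership is what carries the authorization intent, and that is what the group mapping keys on.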



  • 7.  RE: LDAP - How to implement Dynamic Groups?

    Posted Mon April 15, 2024 08:18 AM
    Thanks for the update, Antonio.

    Frank

    Frank Tate
    MBA, PMP, CISSP
    CEO, Gulfsoft Consulting
    Frank.Tate@gulfsoft.com
    http://www.gulfsoft.com
    https://calendly.com/frank_tate/
    ph: 304-376-6183