Let me try to answer, even though I know that this is not really a solution to your problem.
If you just add a new service that can only see the groups (using the group base point of the OU where they are located) and has the same default base point for users, there will be problems, as the same accounts will pop up in your existing service and you would need a process to handle that overlap, which is neither simple nor advisable. So I do not think creating a new service is the solution to managing groups that you need.
The whole point in the previous discussion was that separating users and groups in OUs in the AD can reduce the complexity in ISIM to provide an RBAC provisioning scheme - that means that the service is in "correct compliance" mode and all groups in scope are governed by policies. So designing and managing your AD and IGA solution as a cooperative thing can reduce the complexity - but there is no "one solution fits all" available, IMHO.
This is NOT a solution when you need to manage some groups as RBAC and some as request-based (allowed but not mandatory) - for that you need what we back in the 2000s called a "hybrid provisioning" scheme.
A hybrid provisioning scheme can be implemented using a naming scheme (all groups matching e.g. a prefix are by default disallowed and can be allowed through explicit roles/policies) or based on an attribute (e.g. AD OU - all groups in a specific OU are disallowed in a scripted policy).
It is probably something like that which you will need. IBM Expert Labs has done this in many places and can help you if needed, as professional services. If you are already engaging with Expert Labs and they are not sure what this means, you can ask them to contact me internally in IBM :-)
There are of course a lot of details in how to design a specific solution that is needed - but I hope this outlines what is needed.
------------------------------
Franz Wolfhagen
WW IAM Solution Engineer - Certified Consulting IT Specialist
IBM Security Expert Labs
------------------------------
Original Message:
Sent: Wed June 26, 2024 06:55 AM
From: Abdullah Khan
Subject: Active Directory based Application Integration with ISIM
Thank you Franz for the response.
We currently have an existing Active Directory (AD) service configured with a root level of "Users/Groups" for the Base Point DN. This service successfully synchronizes users and groups residing within the OU and sub-OUs in ISIM.
I am looking for a solution to manage groups specifically associated with e.g. two AD-based applications: App-A and App-B. These application groups reside within a distinct OU in our AD structure.
My understanding is that creating separate services in ISIM for App-A and App-B, leveraging the existing AD profile as the Service Type and specifying the dedicated OU path for each application's groups in the service creation form, would be an appropriate approach? Since all users are already being created in a specific single OU, different from the OU of the groups, reconciling the service for App-A won't bring any accounts, as the OU in the service form only has groups defined for App-A. Furthermore, what if a user has groups assigned from both App-A and App-B; how would ISIM be managing the accounts/accesses within the Service(s)?
AD based integration means that the App-A/App-B takes authentication from the AD (user account exists and enabled in AD) and authorization is catered by the AD groups created specifically for those apps.
------------------------------
Abdullah Khan
Original Message:
Sent: Thu June 20, 2024 04:52 AM
From: Franz Wolfhagen
Subject: Active Directory based Application Integration with ISIM
I cannot answer on behalf of Jordan - but let me explain how this can be organized.
In AD you can have users and groups organized in OUs (actually a tree). When you create an AD service you can provide both a user and group entry point in the service form that will limit what the service will be able to see. Users and groups reconciled will in ISVG IM (aka ISIM) be local to that service.
The challenge here is to get the tree structure "right" - you may want to run with local users but global groups, but that depends on what you want to achieve. As users and groups are unique within AD, you would try to avoid overlap between services if possible - else you need to understand the consequences (you may risk an endless loop of provisioning/de-provisioning if not careful).
Also be aware that the entities in AD that are reconciled back to ISIM are also dependent on the ACL and the account running the adapter - this is especially important if you need access to enterprise forest groups....
HTH
------------------------------
Franz Wolfhagen
WW IAM Solution Engineer - Certified Consulting IT Specialist
IBM Security Expert Labs
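The overlap problem raised above (the same accounts or groups becoming visible to two AD services because their base points coincide or nest) can be caught before a service is created by comparing the base point DNs pairwise. The following is an added example written for this thread, not ISIM/ISVG IM product code or anything from the posters; the service names, DNs and the `{ name, userBase, groupBase }` record shape are constructed assumptions.

```javascript
// Added example, not product code: a pre-flight check that flags AD service
// definitions whose user or group base points overlap, the situation the
// thread warns can make the same accounts or groups appear in two services.
// Service names, DNs and the record shape are constructed for illustration.

// Normalise a DN into lower-cased RDNs, most specific first.
function rdns(dn) {
  return dn
    .split(",")
    .map((r) => r.trim().toLowerCase())
    .filter((r) => r.length > 0);
}

// True when `outer` is equal to or an ancestor container of `inner`,
// i.e. a service rooted at `outer` would see everything under `inner`.
function dnContains(outer, inner) {
  const o = rdns(outer);
  const i = rdns(inner);
  if (o.length > i.length) return false;
  // The outer DN must match the trailing RDNs of the inner DN.
  return o.every((r, idx) => r === i[i.length - o.length + idx]);
}

// Compare every pair of services and report each scope (user or group base
// point) where one base point contains the other.
// `services` is an array of { name, userBase, groupBase }.
function findBasePointOverlaps(services) {
  const overlaps = [];
  for (let a = 0; a < services.length; a++) {
    for (let b = a + 1; b < services.length; b++) {
      const s = services[a];
      const t = services[b];
      for (const scope of ["userBase", "groupBase"]) {
        if (dnContains(s[scope], t[scope]) || dnContains(t[scope], s[scope])) {
          overlaps.push({ scope, services: [s.name, t.name] });
        }
      }
    }
  }
  return overlaps;
}

// Constructed sample: an existing enterprise AD service plus two application
// services. App-A reuses the enterprise user base point and both apps nest
// their group OUs under the enterprise group base point.
const SAMPLE_SERVICES = [
  {
    name: "AD-Enterprise",
    userBase: "OU=Users,DC=example,DC=com",
    groupBase: "OU=Groups,DC=example,DC=com",
  },
  {
    name: "AD-App-A",
    userBase: "OU=Users,DC=example,DC=com",
    groupBase: "OU=App-A,OU=AppGroups,OU=Groups,DC=example,DC=com",
  },
  {
    name: "AD-App-B",
    userBase: "OU=ServiceAccounts,DC=example,DC=com",
    groupBase: "OU=App-B,OU=AppGroups,OU=Groups,DC=example,DC=com",
  },
];

// Run the check over the constructed sample and return the findings.
function demo() {
  return findBasePointOverlaps(SAMPLE_SERVICES);
}

console.log(JSON.stringify(demo(), null, 2));
```

With the sample above the check reports three overlaps: the user base point shared by AD-Enterprise and AD-App-A, and the group base points of both app services sitting underneath the enterprise group base point. Only the App-A/App-B pair is clean, which is the layout the thread recommends: disjoint user and group containers per service, or a single service with policy deciding which groups are governed.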
Original Message:
Sent: Thu June 20, 2024 02:19 AM
From: Abdullah Khan
Subject: Active Directory based Application Integration with ISIM
Hi Jordan,
Here you are talking about the respective OU of an AD-based application, where the AD groups have a certain prefix to identify that app in the Active Directory?
In this case, to integrate such an application, the Service Type in ISIM would be the same (AD profile), but the Service(s) will be newly created to identify the managed application(s)?
How did you manage the reconciliation for such integrated apps in ISIM? Is it a one-time activity once the app is integrated?
TIA!
------------------------------
Abdullah Khan
Original Message:
Sent: Mon June 17, 2024 04:08 PM
From: Jordan Boncz
Subject: Active Directory based Application Integration with ISIM
We have implemented a couple hundred AD integrations with other applications by splitting role basing into 'realms', where each realm is essentially treated as a separate service, and they require specific AD Group prefixes; that, coupled with some custom provisioning policies, means we have been able to achieve a great deal of success. The path you're going down requires lots of customization, but if done properly up front it can ease the process with additional applications afterwards.
------------------------------
Jordan Boncz
Original Message:
Sent: Mon June 10, 2024 02:59 AM
From: Franz Wolfhagen
Subject: Active Directory based Application Integration with ISIM
Managing AD is not a simple task and is not something I can give any definitive answers to - especially in a forum like this. My recommendation is to partner with IBM Security Expert Labs as we have extensive experience in this kind of integration.
Though I do not want to get into details, there are a couple of high level things to be aware of that I will try to describe briefly here:
- Managing AD from an external system like ISVG IM means that you want to design your AD structure for this - this could e.g. be to provide an OU setup in AD that puts specific accounts (standard employee, service, RPA, administrative etc.) in separate OUs so that you can handle them as separate services in ISVG IM.
- It is not realistic to provide a full RBAC setup for managing all groups in the AD - some can be split into separate OUs - but it is probably important that all groups are visible in ISVG IM, so what is needed is a "hybrid provisioning" approach - some groups must be mandatory (birthrights and RBAC business/project assigned entitlements) and some allowed (optional) with approval. This is not simple to build/maintain.
- It is important to establish a Role Governance process to ensure that policies are maintained over time - it is not enough to rely on Identity life cycle management.
This is barely scratching the surface - but I hope it gives you a starting point...
------------------------------
Franz Wolfhagen
WW IAM Solution Engineer - Certified Consulting IT Specialist
IBM Security Expert Labs
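The "hybrid provisioning" approach described in this post, and spelled out in the later reply as either a naming-prefix rule or an OU-attribute rule applied in a scripted policy, comes down to a per-group decision (mandatory, allowed, or disallowed) followed by a membership diff. The following is an added example written for this thread, not ISIM/ISVG IM product code or a policy from the posters; it is a plain JavaScript model of that logic, and the OU, prefix, role and group names are constructed assumptions.

```javascript
// Added example, not product code: a hybrid provisioning decision for AD
// groups, modelled after the scheme described in the thread. Every DN,
// OU, prefix and role name here is constructed for illustration.

// Rules for this example:
//  - attribute based: groups located in `governedOu` are disallowed unless a
//    role grants them, in which case they are mandatory (RBAC governed);
//  - naming based: groups whose CN starts with `requestPrefix` are allowed
//    but optional (request based with approval), so policy never forces or
//    strips them;
//  - any other group is outside this policy's scope and is left alone.
const RULES = {
  governedOu: "OU=RBAC-Groups,OU=Groups,DC=example,DC=com",
  requestPrefix: "APP-",
};

// Split a DN into lower-cased RDNs with surrounding whitespace removed.
function rdns(dn) {
  return dn.split(",").map((r) => r.trim().toLowerCase());
}

// Canonical string form of a DN, used for comparisons.
function canon(dn) {
  return rdns(dn).join(",");
}

// Return the CN value and the parent container of a group DN.
function parseGroupDn(dn) {
  const parts = rdns(dn);
  return { cn: parts[0].replace(/^cn=/, ""), parent: parts.slice(1).join(",") };
}

// Decide how one group is treated for a person whose roles grant `roleGroups`.
// Returns "mandatory", "allowed", "disallowed" or "ungoverned".
function evaluateGroup(dn, roleGroups, rules = RULES) {
  const { cn, parent } = parseGroupDn(dn);
  const granted = roleGroups.some((g) => canon(g) === canon(dn));
  if (parent === canon(rules.governedOu)) {
    return granted ? "mandatory" : "disallowed";
  }
  if (cn.startsWith(rules.requestPrefix.toLowerCase())) return "allowed";
  return "ungoverned";
}

// Compute the membership changes the policy would enforce for one account.
//   currentGroups: group DNs the account holds in AD (from reconciliation)
//   roleGroups:    group DNs granted by the person's roles
function planMembership(currentGroups, roleGroups, rules = RULES) {
  const has = (dn) => currentGroups.some((c) => canon(c) === canon(dn));
  const add = roleGroups.filter(
    (dn) => evaluateGroup(dn, roleGroups, rules) === "mandatory" && !has(dn)
  );
  const remove = currentGroups.filter(
    (dn) => evaluateGroup(dn, roleGroups, rules) === "disallowed"
  );
  // "allowed" and "ungoverned" groups are intentionally untouched.
  return { add, remove };
}

// Constructed sample: an account holding a stale RBAC group, an optional
// application group and an out-of-scope group, whose roles now grant a
// different RBAC group.
const SAMPLE_CURRENT = [
  "CN=Finance-Users,OU=RBAC-Groups,OU=Groups,DC=example,DC=com",
  "CN=APP-A-Readers,OU=App-A,OU=Groups,DC=example,DC=com",
  "CN=Printer-Users,OU=Misc,DC=example,DC=com",
];
const SAMPLE_ROLE_GROUPS = [
  "CN=HR-Users,OU=RBAC-Groups,OU=Groups,DC=example,DC=com",
];

// Run the plan over the constructed sample and return the add/remove lists.
function demo() {
  return planMembership(SAMPLE_CURRENT, SAMPLE_ROLE_GROUPS);
}

console.log(JSON.stringify(demo(), null, 2));
```

For the sample account the plan adds HR-Users (granted by a role, located in the governed OU, missing in AD), removes Finance-Users (in the governed OU but no longer granted), and leaves both APP-A-Readers (request-based, keeps whatever approval granted it) and Printer-Users (outside the policy's scope) untouched. That split is what lets one AD service carry RBAC-governed groups and requestable application groups side by side without the policy stripping approved optional access on every evaluation.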
Original Message:
Sent: Wed June 05, 2024 05:41 PM
From: Abdullah Khan
Subject: Active Directory based Application Integration with ISIM
For account management processes, to integrate an application which utilizes MS Active Directory for authentication and authorization with IBM Security Identity Manager. Considering the fact that IBM offers an out-of-the-box AD adapter, which we have already deployed and are using for the AD Service for user account & service account management through ISIM. As mentioned, the application has AD groups which are going to be onboarded as Application Accesses on the ISIM self-service console so that users can Request Access. Could anyone suggest the best practice on the integration method leveraging the AD adapter? I am exploring such an integration approach where the account management and reconciliation process for the application can be automated in ISIM.
------------------------------
Abdullah Khan
------------------------------