We have a set of user groups which represent combinations of different privileges AND subsets of data, e.g. can do XXXX for users in America, can do XXXX for users in Europe, etc. These groups are collected from Active Directory along with their memberships. The membership attribute (i.e. the AD DN) is used to match to AD accounts already collected via a separate ADC.
We also have a set of IGL custom app-roles that grant internal IGL privileges relevant to the "can do XXXX" capability above - the key differences being that a) these are purely internal to IGL so can be identical across environments (which the AD groups cannot) and b) there are no data constraints.
So the two things complement each other - the groups allow some functions on a subset of data, the app-roles allow other related functions but on all data. This means that we can have the following type of combinations:
- User A in groups XXXX-America and XXXX-Europe; has app-role XXXX
- User B in group XXXX-America; has app-role XXXX
- User C in group XXXX-Europe; has app-role XXXX
This all works, but has the potential to get out of line, as users end up in groups but without the app-role or vice versa. What I would really like to be able to do is automatically assign the app-role whenever a user is granted access to one of the associated groups.
We looked at this under IMG v6 with no success, but have now upgraded to IGL 7.0.2 and are wondering whether there are any new options/facilities that might support this?
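The drift the post describes (a user in one of the scoped groups without the matching app-role, or holding the app-role with no supporting group membership) can at least be detected between review cycles by reconciling the collected group memberships against app-role holders. The following is an added example and not RSA IGL's own code or API: the group-to-app-role mapping, the DNs and the membership snapshot are constructed sample data, and the check generalises to any number of groups mapping onto any number of app-roles.

```python
"""Reconcile AD group membership against app-role assignments and report drift.

Added example, not RSA IGL code. The mapping, DNs and memberships below are
constructed sample data standing in for what an AD collector would return.
"""
from collections import defaultdict

# Constructed: each scoped AD group and the internal app-role that should
# accompany membership in it. Several groups may map onto one app-role.
GROUP_TO_APP_ROLE = {
    "XXXX-America": "XXXX",
    "XXXX-Europe": "XXXX",
    "YYYY-Europe": "YYYY",
}

# Constructed membership snapshot: group name -> set of member DNs.
GROUP_MEMBERS = {
    "XXXX-America": {"CN=User A,OU=Users,DC=example,DC=com",
                     "CN=User B,OU=Users,DC=example,DC=com"},
    "XXXX-Europe":  {"CN=User A,OU=Users,DC=example,DC=com",
                     "CN=User C,OU=Users,DC=example,DC=com"},
    "YYYY-Europe":  {"CN=User E,OU=Users,DC=example,DC=com"},
}

# Constructed app-role snapshot: app-role name -> set of holder DNs.
# User C lacks XXXX despite group membership; User D holds XXXX with no group;
# ZZZZ is not linked to any group and is therefore out of scope for the check.
APP_ROLE_HOLDERS = {
    "XXXX": {"CN=User A,OU=Users,DC=example,DC=com",
             "CN=User B,OU=Users,DC=example,DC=com",
             "CN=User D,OU=Users,DC=example,DC=com"},
    "YYYY": {"CN=User E,OU=Users,DC=example,DC=com"},
    "ZZZZ": {"CN=User E,OU=Users,DC=example,DC=com"},
}


def expected_app_roles(group_members, group_to_role):
    """Derive, per user DN, the app-roles implied by that user's group memberships."""
    expected = defaultdict(set)
    for group, members in group_members.items():
        role = group_to_role.get(group)
        if role is None:
            continue  # group not linked to any app-role: implies nothing
        for dn in members:
            expected[dn].add(role)
    return dict(expected)


def reconcile(group_members, app_role_holders, group_to_role):
    """Return (missing, orphaned) as sorted lists of (dn, app_role) pairs.

    missing:  group membership implies an app-role the user does not hold.
    orphaned: the user holds a group-governed app-role without any supporting
              group membership. App-roles not linked to a group are ignored.
    """
    expected = expected_app_roles(group_members, group_to_role)
    actual = defaultdict(set)
    for role, dns in app_role_holders.items():
        for dn in dns:
            actual[dn].add(role)
    governed = set(group_to_role.values())

    missing = sorted(
        (dn, role)
        for dn, roles in expected.items()
        for role in roles - actual.get(dn, set())
    )
    orphaned = sorted(
        (dn, role)
        for dn, roles in actual.items()
        for role in (roles & governed) - expected.get(dn, set())
    )
    return missing, orphaned


if __name__ == "__main__":
    missing, orphaned = reconcile(GROUP_MEMBERS, APP_ROLE_HOLDERS, GROUP_TO_APP_ROLE)
    for dn, role in missing:
        print(f"GRANT  {role} -> {dn}  (in linked group, app-role absent)")
    for dn, role in orphaned:
        print(f"REVIEW {role} on {dn}  (app-role held, no linked group)")
```

Run on the sample data it flags User C as needing the XXXX app-role and User D as holding it without a supporting group; a group such as YYYY-Europe with its own app-role is handled by the same mapping, and app-roles that are not linked to any group are left alone rather than reported. The "orphaned" side is deliberately reported for review rather than auto-revoked, since an app-role may legitimately have been granted outside the group-driven path.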