Configuring LDAP/SAML for RBAC
RBAC uses tags, if you are not familiar with tagging please see What is tagging for an explanation of tags and their creation.
Configure the following properties for either SAML and LDAP based upon the value of com.unraveldata.login.mode. You can exempt end-users from RBAC by adding them to the read-only admin group as shown. See LDAP and SAML for property definitions.
Stop Unravel
<Unravel installation directory>/unravel/manager stop
Set the following properties
LDAP
## Required <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.ldap.groups admin1,admin2,admin3 <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tags.find proj,dept <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.proj.regex.find proj-(.*) <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.dept.regex.find dept-(.*)
## Optional <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.readonly.ldap.groups RO-admin4,RO-admin5,RO admin6
SAML
## Required <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.saml.groups admin1,admin2,admin3 <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tags.find proj,dept <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.proj.regex.find proj-(.*) <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.dept.regex.find dept-(.*)
## Optional <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.readonly.saml.groups RO-admin4,RO-admin5,RO admin6
Apply the changes.
<Unravel installation directory>/unravel/manager config apply
Start Unravel
<Unravel installation directory>/unravel/manager start
Example
When a user logs on, their LDAP or SAML group is read and used to create their tags, if any. This example uses the LDAP definitions above to parse the LDAP groups each user belongs to.
User | LDAP Groups | Tags | Key | Value |
---|---|---|---|---|
user1 | ["dept-hr,"dept-sale","dept-finance"] | {"dept":["hr","sale","finance"]} | dept | hr, sales, finance |
user2 | ["proj-group1","proj-group2", "proj-group3"] | {"proj":["group1","group2", "group3"]} | proj | group1, group2, group3 |
user3 | ["proj-group1","proj-group2", "proj-group3", "dept-hr,"dept-sale","dept-finance"] | {"proj":["group1","group2", "group3"]} | proj | group01, group02, group03 |
user4 | ["div-div1","div-div2", "div-div3"] | n/a | n/a | n/a |
user1 and user2 LDAP groups each have one valid key with three values.
user3 LDAP groups have two valid keys but Unravel stops parsing them when it finds a match. In this case, the key proj
which has three values is used to generate the RBAC tags.
user4 LDAP groups have one key, div
which has not been specified therefore no RBAC tags are created for them.