Configuring LDAP/SAML for RBAC

RBAC uses tags. If you are not familiar with tagging, see What is tagging for an explanation of tags and how they are created.

Configure the following properties for either SAML or LDAP, depending on the value of com.unraveldata.login.mode. You can exempt end users from RBAC by adding them to the read-only admin group, as shown in the optional property below. See LDAP and SAML for the property definitions.

  1. Stop Unravel

    <Unravel installation directory>/unravel/manager stop
    
  2. Set the following properties

    • LDAP

      ## Required
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.ldap.groups admin1,admin2,admin3 
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tags.find proj,dept 
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.proj.regex.find proj-(.*)
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.dept.regex.find dept-(.*)
      ## Optional
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.readonly.ldap.groups RO-admin4,RO-admin5,RO-admin6
    • SAML

      ## Required
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.saml.groups admin1,admin2,admin3 
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tags.find proj,dept 
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.proj.regex.find proj-(.*)
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.tag.dept.regex.find dept-(.*)
      ## Optional
      <Unravel installation directory>/unravel/manager config properties set com.unraveldata.login.admins.readonly.saml.groups RO-admin4,RO-admin5,RO-admin6
  3. Apply the changes.

    <Unravel installation directory>/unravel/manager config apply
    
  4. Start Unravel

    <Unravel installation directory>/unravel/manager start

Example

When a user logs on, their LDAP or SAML groups are read and used to create their tags, if any. This example uses the LDAP definitions above (tag keys proj and dept, with the regexes proj-(.*) and dept-(.*)) to parse the LDAP groups each user belongs to.

User  | LDAP Groups                                                                         | Tags                                    | Key  | Value
user1 | ["dept-hr","dept-sale","dept-finance"]                                              | {"dept":["hr","sale","finance"]}        | dept | hr, sale, finance
user2 | ["proj-group1","proj-group2","proj-group3"]                                         | {"proj":["group1","group2","group3"]}   | proj | group1, group2, group3
user3 | ["proj-group1","proj-group2","proj-group3","dept-hr","dept-sale","dept-finance"]    | {"proj":["group1","group2","group3"]}   | proj | group1, group2, group3
user4 | ["div-div1","div-div2","div-div3"]                                                  | n/a                                     | n/a  | n/a

The LDAP groups of user1 and user2 each contain one valid key with three values.

The LDAP groups of user3 contain two valid keys, but Unravel stops parsing as soon as it finds a match, so only the first matched key is used. In this case the key proj, which has three values, is used to generate the RBAC tags.

The LDAP groups of user4 contain one key, div, which is not listed in com.unraveldata.login.tags.find, so no RBAC tags are created for that user.
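The following Python script is an added illustration of the group-to-tag parsing described above; it is not Unravel's code, and it re-implements only the documented behaviour (keys tried in the order given by com.unraveldata.login.tags.find, the first key with a matching group wins, admin and read-only admin groups are exempt from RBAC tagging). The use of full-string regex matching and the shape of the returned dictionaries are assumptions made for this example.

```python
import re

# Constructed configuration mirroring the LDAP properties set on this page.
# (Assumption: these are the parsed values of the com.unraveldata.login.* properties.)
TAGS_FIND = ["proj", "dept"]                               # com.unraveldata.login.tags.find
TAG_REGEX = {"proj": r"proj-(.*)", "dept": r"dept-(.*)"}   # com.unraveldata.login.tag.<key>.regex.find
ADMIN_GROUPS = {"admin1", "admin2", "admin3"}              # ...admins.ldap.groups
READONLY_ADMIN_GROUPS = {"RO-admin4", "RO-admin5", "RO-admin6"}  # ...admins.readonly.ldap.groups


def tags_for_groups(groups, tags_find=TAGS_FIND, tag_regex=TAG_REGEX):
    """Derive RBAC tags from a user's group names.

    Keys are tried in tags_find order. The first key for which at least one
    group matches its regex wins, and parsing stops there, so a user with both
    proj-* and dept-* groups only ever gets the proj tag (as user3 shows).
    Groups whose prefix is not a configured key (e.g. div-*) yield no tags.
    """
    for key in tags_find:
        # Assumption: the whole group name must match the configured regex.
        pattern = re.compile(tag_regex[key])
        values = [m.group(1) for g in groups if (m := pattern.fullmatch(g))]
        if values:
            return {key: values}
    return {}


def classify_user(groups):
    """Return the effective access model for a user: admins and read-only
    admins are exempt from RBAC tagging; everyone else is scoped by tags."""
    groups = list(groups)
    if any(g in ADMIN_GROUPS for g in groups):
        return {"role": "admin", "rbac": False, "tags": {}}
    if any(g in READONLY_ADMIN_GROUPS for g in groups):
        return {"role": "readonly-admin", "rbac": False, "tags": {}}
    tags = tags_for_groups(groups)
    # A regular user with no tags sees nothing under RBAC; flag it so an
    # operator can spot misconfigured group naming (the user4 case).
    return {"role": "user", "rbac": True, "tags": tags, "untagged": not tags}


if __name__ == "__main__":
    # Constructed sample users taken from the table on this page.
    samples = {
        "user1": ["dept-hr", "dept-sale", "dept-finance"],
        "user2": ["proj-group1", "proj-group2", "proj-group3"],
        "user3": ["proj-group1", "proj-group2", "proj-group3",
                  "dept-hr", "dept-sale", "dept-finance"],
        "user4": ["div-div1", "div-div2", "div-div3"],
        "ro-user": ["RO-admin5", "dept-hr"],
    }
    for name, groups in samples.items():
        print(name, classify_user(groups))
```

Running the script reproduces the table: user1 gets {"dept": [...]}, user2 and user3 get {"proj": [...]}, user4 gets no tags and is flagged as untagged, and a member of RO-admin5 is reported as a read-only admin with RBAC not applied even though they also hold a dept-* group.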