Configuring LDAP or SAML RBAC properties
RBAC uses tags. If you are not familiar with tagging, see What is tagging for an explanation of tags and their creation.
Configure the following properties for either LDAP or SAML, depending on the value of com.unraveldata.login.mode. You can exempt end users from RBAC by adding them to the read-only admin group, as shown. See LDAP and SAML for property definitions.
LDAP
// Required
com.unraveldata.login.admins.ldap.groups=admin1,admin2,admin3
com.unraveldata.rbac.ldap.tags.find=proj,dept
com.unraveldata.rbac.ldap.proj.regex.find=proj-(.*)
com.unraveldata.rbac.ldap.dept.regex.find=dept-(.*)
// Optional
com.unraveldata.login.admins.readonly.ldap.groups=RO-admin4,RO-admin5,RO-admin6
SAML
// Required
com.unraveldata.login.admins.saml.groups=admin1,admin2,admin3
com.unraveldata.rbac.saml.tags.find=proj,dept
com.unraveldata.rbac.saml.proj.regex.find=proj-(.*)
com.unraveldata.rbac.saml.dept.regex.find=dept-(.*)
// Optional
com.unraveldata.login.admins.readonly.saml.groups=RO-admin4,RO-admin5,RO-admin6
Example
When a user logs on, their LDAP or SAML groups are read and used to create their tags, if any. This example uses the LDAP definitions above to parse the LDAP groups each user belongs to.
User | LDAP Groups | Tags | Key | Value |
---|---|---|---|---|
user1 | ["dept-hr","dept-sale","dept-finance"] | {"dept":["hr","sale","finance"]} | dept | hr, sale, finance |
user2 | ["proj-group1","proj-group2","proj-group3"] | {"proj":["group1","group2","group3"]} | proj | group1, group2, group3 |
user3 | ["proj-group1","proj-group2","proj-group3","dept-hr","dept-sale","dept-finance"] | {"proj":["group1","group2","group3"]} | proj | group1, group2, group3 |
user4 | ["div-div1","div-div2","div-div3"] | n/a | n/a | n/a |
user1 and user2 LDAP groups each have one valid key with three values.
user3 LDAP groups have two valid keys, but Unravel stops parsing when it finds a match. In this case the key proj, which has three values, is used to generate the RBAC tags.
user4 LDAP groups have one key, div, which has not been specified in tags.find, so no RBAC tags are created for that user.
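The following Python script is an added example, not Unravel's own code, that reproduces the table above from the LDAP properties: it parses the key=value properties, builds the per-key regexes from tags.find, and maps each user's groups to tags, stopping at the first key in tags.find order that matches. It assumes anchored matching (fullmatch) and that both admin groups and read-only admin groups are exempt from tag-based RBAC; the page only states the read-only exemption explicitly. The properties text, the user list and RO-admin6 as the intended third read-only group are constructed sample data.

```python
import re

# Constructed copy of the LDAP properties shown on this page; RO-admin6 is
# assumed to be the intended spelling of the third read-only admin group.
SAMPLE_PROPERTIES = """\
// Required
com.unraveldata.login.admins.ldap.groups=admin1,admin2,admin3
com.unraveldata.rbac.ldap.tags.find=proj,dept
com.unraveldata.rbac.ldap.proj.regex.find=proj-(.*)
com.unraveldata.rbac.ldap.dept.regex.find=dept-(.*)
// Optional
com.unraveldata.login.admins.readonly.ldap.groups=RO-admin4,RO-admin5,RO-admin6
"""


def split_csv(value):
    """Split a comma-separated property value into non-empty, stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and '//' or '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", "#")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed property line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def load_rbac_config(props, mode="ldap"):
    """Resolve tag keys, their regexes and the admin groups for one login mode."""
    rbac = f"com.unraveldata.rbac.{mode}."
    keys = split_csv(props.get(rbac + "tags.find", ""))
    patterns = {}
    for key in keys:
        pattern = props.get(f"{rbac}{key}.regex.find")
        if pattern is None:
            # A key listed in tags.find without a regex is a configuration error.
            raise ValueError(f"no regex.find property for tag key {key!r}")
        patterns[key] = re.compile(pattern)
    admins = props.get(f"com.unraveldata.login.admins.{mode}.groups", "")
    ro_admins = props.get(f"com.unraveldata.login.admins.readonly.{mode}.groups", "")
    return {
        "keys": keys,
        "patterns": patterns,
        "admins": set(split_csv(admins)),
        "readonly_admins": set(split_csv(ro_admins)),
    }


def rbac_tags(config, groups):
    """Map a user's groups to {key: [values]} using the first key that matches.

    Keys are tried in tags.find order and parsing stops at the first key that
    yields any value, which reproduces the user3 row of the table. Anchored
    matching (fullmatch) is an assumption; the page does not say whether
    Unravel anchors its regexes.
    """
    for key in config["keys"]:
        regex = config["patterns"][key]
        values = []
        for group in groups:
            match = regex.fullmatch(group)
            if match:
                values.append(match.group(1))
        if values:
            return {key: values}
    return {}


def classify_user(config, groups):
    """Return (role, tags); admin and read-only admin members get no RBAC tags (assumption)."""
    members = set(groups)
    if members & config["admins"]:
        return "admin", {}
    if members & config["readonly_admins"]:
        return "readonly-admin", {}
    return "user", rbac_tags(config, groups)


# Constructed sample users matching the table on this page, plus a read-only admin.
SAMPLE_USERS = {
    "user1": ["dept-hr", "dept-sale", "dept-finance"],
    "user2": ["proj-group1", "proj-group2", "proj-group3"],
    "user3": ["proj-group1", "proj-group2", "proj-group3",
              "dept-hr", "dept-sale", "dept-finance"],
    "user4": ["div-div1", "div-div2", "div-div3"],
    "user5": ["RO-admin4", "dept-hr"],  # read-only admin, exempt from RBAC
}

if __name__ == "__main__":
    config = load_rbac_config(parse_properties(SAMPLE_PROPERTIES))
    for name, groups in SAMPLE_USERS.items():
        print(name, classify_user(config, groups))
```

Running the script prints one line per sample user; user4 gets an empty tag set because div is not listed in tags.find, and user5 is reported as a read-only admin with no tags. The same functions work for SAML by calling load_rbac_config with mode="saml" against the SAML property names.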