OpenIDM 4 introduces a new type of Managed Object: Relationships (amongst other things). They enable the easy creation of relations between managed objects, and will surely be a key component in the newer field of Identity Relationship Management (IRM).
So what do we mean by “Group Hierarchy” here?
Simply that groups in LDAP can be defined under other groups, or rather, using other groups as parent containers in the LDAP DIT.
In this example, the DN of the “Payroll Admins” group is: “cn=Payroll Admins,cn=HR Admins,cn=Admins,ou=Groups,dc=example,dc=com”, it has 2 parent groups, as explicit in its DN.
So then to create Group hierarchies with OpenIDM 4, we can create “Parent” –> “Child” relationships between group Managed Objects and thus leverage all the out-of-the-box functionality surrounding relationships (including the new UI features. More on that later). Here’s how…
1. Update the Group Schema
Add a new “parent” attribute to the ‘Group’ Managed Object.
This new attribute is a 2-way relationship (i.e., is has a reverse relationship) to another managed/group object. The new property could be defined as follows (in conf/managed.json):
Add another property to Managed/group, to store a group’s children. This will hold an array of relationships to other group objects, and will constitute the reverse of the parent relationship defined above. This new property could be defined as follows (again, in conf/managed.json):
2. onCreate Script
3. Resulting UI Experience
Given the relationships defined above, OpenIDM will render the UI with the appropriate widgets to select Children and Parent groups.
The new UI also provides are real relationship graphical view of the same data:
The above should work for any LDAP directory, using the LDAP OpenICF connector, including AD.
In addition to the ‘onCreate’ JS event script detailed above, you will also need to create an ‘onUpdate’ script to handle the cases where the parent-child relationships need to change.