Introduction
The CoreOne Suite offers different ways to create and manage resources, see Resource Type. When approaching the CoreOne Suite's access management features, it is important to understand which type of resource best suits your needs. This article should help you to decide between Linked Resources and Managed Resources. The behaviour of these resource types is very similar across the different target systems we support. In this article, the target system Active Directory is used as a basis, as this is one of the most commonly used amongst the supported target systems by our customers.
Resources in the CoreOne Suite are the equivalent of groups in an Active Directory. Due to the different terminologies in the target systems supported by the CoreOne Suite, we have settled on the term "resources".
Simply put: a resource is a permission that is assignable to an identity within a target system. In Active Directory terms, this is a group (resource) to which you add a user (identity) as a member. This nesting most commonly results in a right.
How to decide between Linked Resources and Managed Resources
Info: The described behaviour implies that the following configuration is enabled on your CoreOne Suite instance:
Step 1 - Understand the differences between these resource types
The following documentation is recommended for a better understanding of what resource types are and how they relate to what the CleanUp Task can do:
Linked Resources
In this scenario, existing groups within a target system are mapped into the CoreOne Suite, and each of them is available in the CoreOne Admin UI as a "Linked Resource". These Linked Resources can then be used to add members from the CoreOne Admin UI. As the name suggests, the resources themselves are only "linked". This is comparable to a shortcut within a filesystem: the shortcut is the Linked Resource and the folder it points to is the AD group. If the folder itself is deleted, the shortcut remains, and trying to access it results in an error. If the shortcut is renamed, the name of the folder itself is not affected. Neither does deleting the shortcut affect the folder itself in any way.
Managed Resources
This scenario is recommended whenever a target system that is built up from scratch is integrated into the CoreOne Suite. With Managed Resources, a newly needed AD group is created directly within the CoreOne Suite. The CoreOne Suite then creates the AD group in the target system automatically and links it, which maintains data sovereignty and automatically provisions any changes into the target system. To facilitate creating new Managed Resources, Resource Definition Templates are available, for example to help with following a naming concept.
In addition to managing access to resources for identities, as Linked Resources allow you to do, Managed Resources also allow the attribute values of the resources themselves to be managed.
With the CleanUp Task enabled, using Managed Resources ensures consistency of both the resource memberships and the resource's attribute values between the CoreOne Suite and the target system. Like a Linked Resource, a Managed Resource controls the memberships of all known entities, but it also controls the attribute values of the resource itself. For example: within the creation process of a Managed Resource you define the OU path (it can also be given by the template). If someone accidentally moves the AD group into a different OU directly in the target system, the CoreOne Suite moves the AD group back to its correct place. This also means that all attributes defined when creating a resource can only be changed in the CoreOne Suite.
Info: Example with Active Directory: In a Managed Resources scenario, any changes made to groups within AD, like moving them into other OUs or changing their names, will be reverted by the CoreOne Suite's CleanUp Task, if enabled.
Step 2 - Understand what the limitations are
Groups created directly in the target system won't be added automatically as resources in the CoreOne Suite.
Linked Resources: You have to link the newly created AD group in the CoreOne Suite Admin UI to be able to assign it to a Core-Identity. See: /wiki/spaces/IKB/pages/1796997245
Managed Resources: You've chosen the wrong way. It is not possible to use this group. You have to delete it in the target system and recreate it in the CoreOne Suite Admin UI; the CoreOne Suite then creates the group in the target system automatically. See: /wiki/spaces/IKB/pages/1796997245
Creating the resources alone is not enough. You need to make sure that the corresponding system features are enabled and that the CleanUp Task runs on a schedule.
Step 3 - Compare the pros & cons
It is not always easy to decide which type of resource is the right one for you. You will gain experience over time while working with these different resource types. In some cases it can help to compare the pros & cons:
Managed Resources
Pros
You can centralize the creation process of AD groups in the CoreOne Suite. Your power users can create them themselves → decentralization of duties.
You can define templates for creating resources
The CoreOne Suite and the target system will converge as long as the CleanUp Task is running
Cons
More effort is needed to take over existing groups from your target system as Managed Resources.
Linked Resources
Pros
You can easily reuse your existing groups
Cons
It can be irritating for power users to deprovision a Linked Resource
In most cases the CoreOne Suite and the target system will diverge
Step 4 - Make your decision
Now you should be able to make a well-considered decision. Make your own pros & cons list. Think wisely and keep an eye on the future: is the chosen resource type also feasible for your requirements in five years?
Frequently Asked Questions
Technically: yes, you can. Logically: it is not that simple. We recommend focusing on one type per target system and type of group. We have observed that new IAM managers are often confused if there are different ways in which they have to handle rights. For example: the IAM manager's goal is to create a new Active Directory group. In some OU paths where you work with Linked Resources, they have to do that directly in the target system Active Directory. For another OU path where you work with Managed Resources, they have to get the job done through the Admin UI of the CoreOne Suite. It therefore makes sense to define one type of resource per OU path, for example. This is not for technical reasons, but purely for manageability for the IAM manager.
The CoreOne Suite CleanUp Task only controls known objects/entities. In the context of an Active Directory that means:
Example 1: Group "Application_Read-Write" is a Linked Resource. The group has two members. The first user, "Diego Testoni", was created and added to this group by the CoreOne Suite. The other user, "Thomas Gruti", was created manually, directly in the Active Directory, and is not recognized by the CoreOne Suite. The CoreOne Suite CleanUp Task will only manage the membership of Diego Testoni. The membership of Thomas Gruti won't be touched by the CoreOne Suite.
Example 2: The Active Directory user "Diego Testoni" was created through the CoreOne Suite and has 5 group memberships. The CoreOne Suite only recognises 3 of these groups. The CoreOne Suite will only control these 3 groups. The other 2 group memberships won't be touched by the CoreOne Suite.
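As an added illustration (not CoreOne Suite code), the following Python model captures the CleanUp Task behaviour described in this answer and in the Managed Resources section: it only acts on identities known to the CoreOne Suite, and it reverts attribute drift such as a changed OU path only for Managed Resources. The `Resource` class, the `cleanup_actions` function, the group "Application_Admin" and the OU paths are assumptions made for this example.

```python
# Added example, not CoreOne Suite code: a simplified model of the CleanUp Task
# reconciliation described on this page. Names, data structures and the
# function below are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    managed: bool                 # True = Managed Resource, False = Linked Resource
    desired_members: set          # memberships recorded in the CoreOne Suite
    desired_attrs: dict = field(default_factory=dict)  # e.g. OU path (Managed only)


def cleanup_actions(resource, actual_members, actual_attrs, known_identities):
    """Return the corrective actions the CleanUp Task would take for one group.

    Only identities known to the CoreOne Suite are touched; memberships of
    unknown users are left alone. Attribute drift is reverted only for
    Managed Resources, because Linked Resources do not control attributes.
    """
    actions = []
    # Known identities that should be members but are missing in the target system.
    for user in sorted(resource.desired_members - actual_members):
        if user in known_identities:
            actions.append(("add_member", user))
    # Known identities that are members in the target system but not in the Suite.
    for user in sorted(actual_members - resource.desired_members):
        if user in known_identities:
            actions.append(("remove_member", user))
    # Attribute drift (OU path, name, ...) is reverted for Managed Resources only.
    if resource.managed:
        for key, wanted in resource.desired_attrs.items():
            if actual_attrs.get(key) != wanted:
                actions.append(("revert_attribute", key, wanted))
    return actions


def example():
    # Constructed sample data mirroring Example 1 above: "Diego Testoni" was
    # created by the CoreOne Suite, "Thomas Gruti" directly in AD (unknown).
    known = {"Diego Testoni"}
    linked = Resource("Application_Read-Write", managed=False,
                      desired_members={"Diego Testoni"})
    actual_members = {"Thomas Gruti"}  # Diego's membership was removed by hand in AD
    linked_actions = cleanup_actions(linked, actual_members, {}, known)
    # Constructed Managed Resource that was moved to the wrong OU directly in AD.
    managed = Resource("Application_Admin", managed=True,
                       desired_members={"Diego Testoni"},
                       desired_attrs={"ou": "OU=Apps,DC=example,DC=local"})
    managed_actions = cleanup_actions(managed, {"Diego Testoni"},
                                      {"ou": "OU=Temp,DC=example,DC=local"}, known)
    return linked_actions, managed_actions
```

Running `example()` shows that the unknown user's membership is never removed, while the Managed Resource's OU path is reverted to the value recorded in the CoreOne Suite.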
The Linked Resource will still be available in the CoreOne Suite, and you will see a lot of errors in the application log of the CoreOne Suite. You have to remove all members of the Linked Resource in the CoreOne Suite first and then delete the Linked Resource. After that, you can delete the AD group directly in the target system. See: System monitoring / Health Check
The CoreOne Suite will recreate the AD group and add all known entities. In the case of an AD group, the rights assigned to the old group will mostly not be taken over; you will still have to grant permissions to the newly created group manually.
Managed Resources are the way to go. This centralizes identity and access management in the CoreOne Suite.