Introduction

The CoreOne Suite offers different ways to create and manage resources. When approaching its access management features, it is important to understand which feature is the best match for your use case.

Because the target systems supported by the CoreOne Suite use different terminology, we settled on the term "resource". Simply put: a resource is a permission that can be assigned to an identity in a target system. In Active Directory, for example, the group is the resource, and adding a user (the identity) as a member of that group is what grants the permission.

This article should help you decide between Linked Resources and Managed Resources.

How-To decide between Linked Resources and Managed Resources

Step 1 - Understand the differences between the resource types

For background, read the documentation on resource types and on the Cleanup Task (Reconciliation / Cleanup). It explains what the resource types are and how they relate to the Cleanup Task.

Linked Resources

With Linked Resources you use groups that already exist in your target system and only map them in the CoreOne Admin UI as a "Linked Resource", so that memberships can be assigned through the CoreOne Suite.

As the name says, you only link the group. Compare it with a desktop shortcut (the Linked Resource) pointing to a folder (the AD group): if you delete the folder, the shortcut remains, and clicking it produces an error. If you rename the shortcut, the folder's name does not change. If you delete the shortcut, the folder is still there.

The practical consequence: with the Cleanup Task enabled, the CoreOne Suite reconciles the memberships of known identities in a Linked Resource, but it does not manage the group object itself (name, location, other attributes). Those stay under the control of the target system.

Managed Resources

Managed Resources are the way to go if you start with a target system from scratch. With Managed Resources you create a newly needed AD group directly in the CoreOne Suite; the CoreOne Suite then creates the AD group in the target system automatically and links it. You can define templates for the creation of new Managed Resources, for example to enforce a naming concept.

With the Cleanup Task enabled, Managed Resources ensure that the attributes of the Managed Resource in the CoreOne Suite and of the group in the target system converge. Like a Linked Resource, a Managed Resource controls the memberships of all known entities, but it additionally controls the attribute values of the resource itself.

For example: when creating a Managed Resource you define the OU path (it can also be supplied by the template). If someone accidentally moves the AD group to a different OU directly in the target system, the CoreOne Suite moves it back to its defined location. This also means that all attributes defined when creating a Managed Resource can only be changed in the CoreOne Suite; changes made directly in the target system are reverted.

Step 2 - Understand the limitations

  • Resources created directly in the target system are not added as resources in the CoreOne Suite automatically. New resources need some setup before they can be assigned to an identity, depending on their Management Mode. See: /wiki/spaces/IKB/pages/1796997245

    • Linked Resources: you have to link the newly created AD group in the CoreOne Suite Admin UI before it can be assigned to a Core-Identity.

    • Managed Resources: a group created directly in the target system cannot be used as a Managed Resource. Delete it in the target system and recreate it in the CoreOne Suite Admin UI; the CoreOne Suite then provisions the group into the target system automatically.

  • Creating the resources is not enough. The corresponding task features must be enabled, and the Cleanup Task must run on a schedule.

    • Task features for resources can be enabled or disabled on the Target System and on the Resource Type.

    • The task features for the Cleanup Tasks that consolidate memberships can likewise be enabled or disabled on the Target System and on the Resource Type.

    • The Cleanup Tasks should be configured to run on a schedule; otherwise the CoreOne Suite and the target system will not converge.

  • Not every System Connector provides every Management Mode.

Step 3 - Compare the Pros & Cons

Deciding which resource type is the right one for you is not always easy; you will gain experience over time by working with both. In some cases it helps to compare the pros and cons:

Managed Resources

Pros

  • You centralize the creation of AD groups in the CoreOne Suite. Power users can create groups themselves (decentralization of duties).

  • You can define templates for creating resources (naming concept, OU path).

  • The CoreOne Suite and the target system converge as long as the Cleanup Task is running.

Cons

  • More effort is needed to take over existing groups from your target system as Managed Resources.

Linked Resources

Pros

  • You can easily reuse your existing groups.

Cons

  • Deprovisioning a Linked Resource can be confusing for power users, because the resource must be cleaned up in the CoreOne Suite and the group in the target system in the right order (see the FAQ below).

  • In most cases the CoreOne Suite and the target system will diverge over time, because only the memberships of known identities are reconciled and the group itself stays under the target system's control.

Step 4 - Make your decision

Ask where the resource lifecycle is going to be managed:

  • In the target system → Linked Resources

  • In the CoreOne Suite Meta Directory → Managed Resources

Using both Management Modes at the same time is possible. It may be necessary, for example, to manage already existing resources as Linked Resources and new ones as Managed Resources.

Frequently Asked Questions

Can I use Linked and Managed Resources at the same time?

Yes, technically both Management Modes can be used side by side. In practice it is not that simple: we recommend focusing on one type per target system and per type of group. We have observed that new IAM managers are often confused when there are different ways of handling rights.

Does the CoreOne Suite also clean up unknown objects?

No. The Cleanup Task only controls known objects and entities; objects that are not present in the CoreOne Suite Meta Directory remain untouched. In the context of Active Directory that means:

  • Group memberships of an Active Directory user are not handled if the user was not created by the CoreOne Suite.

  • Active Directory groups that are neither linked as a Linked Resource nor created through the CoreOne Suite as a Managed Resource are not handled at all.

Example 1:

The group "Application_Read-Write" is a Linked Resource and has two members. The user "Diego Testoni" was created and added to the group by the CoreOne Suite. The user "Thomas Gruti" was created manually, directly in Active Directory, and is not known to the CoreOne Suite. The Cleanup Task manages only the membership of Diego Testoni; the membership of Thomas Gruti is not touched.

Example 2:

The Active Directory user "Diego Testoni" was created through the CoreOne Suite and has five group memberships. The CoreOne Suite knows only three of these groups. The Cleanup Task controls only those three memberships; the other two are not touched.

See Reconciliation / Cleanup for more details.
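To make the "known versus unknown" rule concrete, here is an added example (not part of the CoreOne Suite and not code from this article) that simulates one Cleanup Task run over a constructed Meta Directory state and a constructed target system state. It covers Examples 1 and 2 above as well as the OU-path convergence of Managed Resources described in Step 1. The data model, the user and group names and the action names are assumptions made for illustration; the real Cleanup Task does not expose such an interface.

```python
# Added example (not CoreOne Suite code): simulation of one Cleanup Task run.
# All names, the data model and the action vocabulary are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Action = Tuple[str, str, str]  # (kind, resource/group name, argument)


@dataclass
class MetaResource:
    """A resource as the Meta Directory sees it (hypothetical model)."""
    name: str
    mode: str                                        # "linked" or "managed"
    members: Set[str] = field(default_factory=set)   # desired members (known identities)
    ou_path: Optional[str] = None                    # enforced for managed resources only


@dataclass
class TargetGroup:
    """A group as found in the target system (e.g. an AD group)."""
    name: str
    members: Set[str] = field(default_factory=set)
    ou_path: str = ""


def plan_cleanup(meta: Dict[str, MetaResource],
                 known_identities: Set[str],
                 target: Dict[str, TargetGroup]) -> List[Action]:
    """Return the corrective actions one Cleanup Task run would take.

    Rules modelled from the article:
    - groups that are not resources in the Meta Directory are never visited;
    - memberships are reconciled only for identities the Meta Directory knows;
    - attributes (here: the OU path) are reconciled only for managed resources;
    - a resource whose group is missing in the target system is an error.
    """
    actions: List[Action] = []
    for name, res in meta.items():
        group = target.get(name)
        if group is None:
            actions.append(("error", name, "group missing in target system"))
            continue
        # Remove known identities that must not be members; unknown users stay.
        for user in sorted((group.members & known_identities) - res.members):
            actions.append(("remove_member", name, user))
        # Add desired members that are missing in the target system.
        for user in sorted(res.members - group.members):
            actions.append(("add_member", name, user))
        # Only a managed resource owns its attributes, so only it gets moved back.
        if res.mode == "managed" and res.ou_path and group.ou_path != res.ou_path:
            actions.append(("move_group", name, res.ou_path))
    return actions


def apply_plan(target: Dict[str, TargetGroup], actions: List[Action]) -> None:
    """Apply the planned changes to the target system model in place."""
    for kind, name, arg in actions:
        if kind == "remove_member":
            target[name].members.discard(arg)
        elif kind == "add_member":
            target[name].members.add(arg)
        elif kind == "move_group":
            target[name].ou_path = arg
        # "error" entries are reported, not applied


def demo() -> Tuple[List[Action], List[Action]]:
    """Constructed scenario mirroring Examples 1 and 2; returns the plan of a
    first run and of a second run after the first plan was applied."""
    known = {"diego.testoni", "anna.muster"}        # created by the CoreOne Suite
    meta = {
        "Application_Read-Write": MetaResource(
            "Application_Read-Write", "linked", {"diego.testoni"}),
        "Finance_Admins": MetaResource(
            "Finance_Admins", "managed", {"diego.testoni"},
            ou_path="OU=Managed,DC=example,DC=com"),
        "Orphan_Linked": MetaResource("Orphan_Linked", "linked", set()),  # deleted in AD
    }
    target = {
        # thomas.gruti was created directly in AD; anna.muster is known but not desired
        "Application_Read-Write": TargetGroup(
            "Application_Read-Write",
            {"diego.testoni", "thomas.gruti", "anna.muster"},
            "OU=Legacy,DC=example,DC=com"),
        # moved to the wrong OU by hand; diego missing, unknown user present
        "Finance_Admins": TargetGroup(
            "Finance_Admins", {"thomas.gruti"}, "OU=Moved,DC=example,DC=com"),
        # not a resource in the Meta Directory: never touched (Example 2)
        "Local_Printers": TargetGroup(
            "Local_Printers", {"diego.testoni"}, "OU=Legacy,DC=example,DC=com"),
    }
    first = plan_cleanup(meta, known, target)
    apply_plan(target, first)
    second = plan_cleanup(meta, known, target)
    return first, second


if __name__ == "__main__":
    first_run, second_run = demo()
    for action in first_run:
        print(action)
    print("second run:", second_run)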

Expand
titleWhat will happen if a Linked Ressource is deleted within the Target System?

The change is not visible to the CoreOne Suite Meta Directory. This will lead to errors in the application. See: System monitoring / Health Check for more details.

Expand
titleWhat are the necessary steps to delete a Linked Ressource?

Remove any memberships, delete the resource withing the CoreOne Suite Meta Directory, and finally delete the resource in the target system.

Expand
titleWhat

...

will happen if a Managed Ressource is deleted in the Target System?

The change is not visible to the CoreOne Suite Meta Directory. This will lead to errors in the application.