Introduction
The CoreOne Suite offers different ways to create and manage resources. When approaching the CoreOne Suite’s access management features, it is important to understand which features will be the best match for the use case.
Due to the different terminologies used in the target systems supported by the CoreOne Suite, we have settled on the term “resources”.
...
A resource is a permission that is assignable to an identity within a target system. In the target system Active Directory, for example, groups are the equivalent of resources.
This article should aid in deciding between the use of Linked Resources versus Managed Resources.
Step 1 - Understand the differences between resource types
The following documentation is recommended for a better understanding of what resource types are and what the Cleanup Tasks can do:
...
...
Linked Resources
In this scenario, existing resources within a target system are mapped into the CoreOne Suite, and each of them is available in the CoreOne Admin UI as a “Linked Resource”. These Linked Resources can then be used to add members from the CoreOne Admin UI. As the name suggests, the resources themselves are only “linked”. This is comparable to a shortcut within a filesystem: if the folder itself is deleted, the shortcut remains unaffected, but trying to access it results in an error. If the shortcut is renamed, the name of the folder is not affected. Neither does deleting the shortcut affect the folder itself in any way.
Managed Resources
This scenario is recommended whenever a new target system that is built up from scratch is integrated into the CoreOne Suite. With Managed Resources, the CoreOne Suite maintains data sovereignty and automatically provisions any changes into the target system. To facilitate creating new Managed Resources, Resource Definition Templates are available, for example to help with following a naming concept.
In addition to managing access to resources for identities, as Linked Resources allow you to do, Managed Resources also allow the attribute values of the resources themselves to be managed.
With the CleanUp Task enabled, using Managed Resources ensures consistency between the CoreOne Suite and the target system for both the resource memberships and the resource’s attribute values.
Info: Example with Active Directory: In a Managed Resources scenario, any changes made to groups within AD, like moving them into other OUs or changing their names, will be reverted by the CoreOne Suite’s CleanUp Task, if enabled.
Step 2 - Understand the limitations
Resources created directly in the target system are not added automatically as resources in the CoreOne Suite.
Linked Resources: You have to link the newly created AD group in the CoreOne Suite Admin UI before you can assign it to a Core Identity. See: /wiki/spaces/IKB/pages/1796997245
Managed Resources: Creating the group directly in the target system is the wrong way; it is not possible to use this group. You have to delete it in the target system and recreate it in the CoreOne Suite Admin UI, and the CoreOne Suite then creates the group in the target system automatically. See: /wiki/spaces/IKB/pages/1796997245
Creating the resources alone is not enough. You also need to make sure that the corresponding system features are enabled and that the CleanUp Task runs on a schedule.
Step 3 - Compare the pros and cons
Deciding which type of resource is the right one for you is not always easy. You will gain experience over time by working with these different resource types. In some cases it helps to compare the pros and cons:
Managed Resources
Pros
You can centralize the creation of AD groups in the CoreOne Suite, and your power users can create them themselves → decentralization of duties.
You can define templates for creating Resources
The CoreOne Suite and the target system will converge as long as the CleanUp Task is running
Cons
More effort is needed to take over existing groups from your target system as Managed Resources.
Linked Resources
Pros
You can easily reuse your existing groups
Cons
Deprovisioning a Linked Resource can be confusing for power users
In most cases the CoreOne Suite and the target system will diverge
Step 4 - Make your decision
...
Step 2 - Understand the limitations when creating new resources
Resources created within the target system will not be added as resources in the CoreOne Suite automatically. New resources require some setup before they can be assigned to any identities, depending on their Management Mode. See: /wiki/spaces/IKB/pages/1796997245 for more information on what these steps are.
Linked Resources are created in the target system and have to be linked in the CoreOne Suite Admin UI before any membership assignment is possible.
Managed Resources must not be created in the target system, but rather using the CoreOne Suite Admin UI. Any such resources created in the target system should be deleted and then recreated within the CoreOne Suite Admin UI, so that the CoreOne Suite can provision the resource into the target system automatically.
Task features for resources can be enabled / disabled
on the Target System
on the Resource Type
The task features for Cleanup Tasks to consolidate memberships can be enabled / disabled
on the Target System
on the Resource Type
The Cleanup Tasks should be configured to run on a schedule in order to consolidate memberships
Not every System Connector provides every Management Mode
Step 3 - Identify the use case
Where is the resource lifecycle going to be managed?
Target System → Linked Resources
CoreOne Suite Meta Directory → Managed Resources
Using both Management Modes at the same time is also possible. It might be necessary, for example, to manage already existing resources as Linked Resources and new ones as Managed Resources.
Frequently Asked Questions
...
Yes.
Logically: It’s not that simple. We recommend focusing on one type per target system and type of group. We have observed that new IAM Managers are often confused if there are different ways in which they have to handle rights.
For example: The IAM Manager’s goal is to create a new Active Directory group. In some OU paths, where you work with Linked Resources, they have to do that directly in the target system Active Directory. For another OU path, where you work with Managed Resources, they have to get the job done through the Admin UI of the CoreOne Suite. It makes sense, for example, to define one type of resource per OU path. This is not for technical reasons, but purely for manageability for the IAM Manager.
...
The CoreOne Suite Cleanup Task only controls known objects/entities. In the context of an Active Directory that means:
Active Directory group memberships of an Active Directory user are not handled if the user was not created by the CoreOne Suite.
Active Directory groups that are neither recognised as a Linked Resource nor created through the CoreOne Suite as a Managed Resource are not handled at all.
Example 1:
The group “Application_Read-Write” is a Linked Resource. The group has two members. The first user, “Diego Testoni”, was created and added to this group by the CoreOne Suite. The other user, “Thomas Gruti”, was created manually, directly in Active Directory, and is not recognized by the CoreOne Suite. The CoreOne Suite CleanUp Task will only manage the membership of Diego Testoni. The membership of Thomas Gruti won’t be touched by the CoreOne Suite.
Example 2:
The Active Directory user “Diego Testoni” was created through the CoreOne Suite and has 5 group memberships. The CoreOne Suite only recognises 3 of these groups. The CoreOne Suite will only control these 3 groups. The other 2 group memberships won’t be touched by the CoreOne Suite.
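As an added illustration (a model written for this page, not CoreOne Suite code), the following Python snippet reproduces the CleanUp Task scope rules from the two examples above and from the Managed Resources info box: unknown users and groups are skipped, memberships of known identities in known resources are corrected, and only Managed Resources have attribute drift (such as the OU) reverted. The group “Finance_Admins”, the OU values and the action names are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    mode: str                    # "linked" or "managed" (labels assumed here)
    attrs: dict                  # desired attribute values (Managed only)
    members: set = field(default_factory=set)   # desired memberships

# Constructed Meta Directory state: one user created by the CoreOne Suite
# and two known groups (one Linked Resource, one Managed Resource).
META_USERS = {"Diego Testoni"}
META_RESOURCES = {
    "Application_Read-Write": Resource("Application_Read-Write", "linked", {},
                                       {"Diego Testoni"}),
    "Finance_Admins": Resource("Finance_Admins", "managed",
                               {"ou": "OU=Groups,DC=example,DC=local"},
                               {"Diego Testoni"}),
}

def cleanup(target: dict) -> list:
    """Reconcile a target-system snapshot against the Meta Directory and
    return the corrective actions the task would take.
    target: {group_name: {"attrs": {...}, "members": set_of_users}}"""
    actions = []
    for group, state in target.items():
        res = META_RESOURCES.get(group)
        if res is None:                       # unknown group: never touched
            continue
        if res.mode == "managed":             # revert attribute drift
            for key, want in res.attrs.items():
                if state["attrs"].get(key) != want:
                    actions.append(("set_attr", group, key, want))
        for user in state["members"] - res.members:
            if user in META_USERS:            # unknown users are left alone
                actions.append(("remove", group, user))
        for user in res.members - state["members"]:
            actions.append(("add", group, user))   # restore missing membership
    return actions

# Constructed AD snapshot: Thomas Gruti was added by hand (Example 1), the
# Managed group was moved to another OU and lost its member, and
# Diego Testoni is also in a group the Meta Directory does not know.
SAMPLE_TARGET = {
    "Application_Read-Write": {"attrs": {}, "members": {"Diego Testoni", "Thomas Gruti"}},
    "Finance_Admins": {"attrs": {"ou": "OU=Old,DC=example,DC=local"}, "members": set()},
    "Unknown_Group": {"attrs": {}, "members": {"Diego Testoni"}},
}
```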
...
If I delete a Linked Resource directly in the target system, what will happen with the Linked Resource?
...
No. Objects that are not present in the CoreOne Suite Meta Directory remain untouched during the Cleanup Tasks. See Reconciliation / Cleanup for more details.
The change is not visible to the CoreOne Suite Meta Directory. This will lead to errors in the application. See: System monitoring / Health Check for more details.
...
Remove any memberships, delete the resource within the CoreOne Suite Meta Directory, and finally delete the resource in the target system.
...
The change is not visible to the CoreOne Suite Meta Directory. This will lead to errors in the application.