How do I use CalGroups to provision different levels of access to my application?
Services / Tools You Provide
- Access request and approval form and workflow
Solution
Whichever way you handle access requests and approvals (manually or programmatically), you can use CalGroups to centrally store your approved requesters into role groups so that this information may be consumed by your application for access control purposes. In addition, it allows you to automatically de-provision users from your role groups when they leave their employment.
Basic
Creating ad hoc groups and manually adding membership
- Request an applications folder. You will be creating your groups within your application folder.
- Create a group for each role that you have in your application.
- Add members to your role groups manually.
- Look up your role groups in LDAP
Advanced
Automating group population and user deprovisioning
- Request an applications folder. You will be creating your groups within your application folder.
- Create a group for each role that you have in your application. These role groups will not initially have any members. These will be the “first factor” groups that you will use in the access groups (see #3 below) from which your application will derive membership information.
- For automated access-deprovisioning, create an access group for each “first factor” group you created in #2 above. Each access group you create is a composite group which will be the intersection of:
-
- First Factor Group: your role group
- Second Factor Group: an official group (ex. All Staff or All Employees)
The intersection means that a person has to be a member of both groups. Since official groups are programmatically derived and updated, any changes in the official groups you use will be reflected in your access group automatically.
- Update your groups manually or using CalGroups APIs
- Retrieve your role group membership information via CalGroups API or LDAP and soon, Active Directory.