Status Delivered
Created by Guest
Created on Jul 13, 2022

Support LDAP groups

ILMT should support LDAP groups in the way that if a user connects to ILMT, the user will be checked against the LDAP group and a "temporary" user will be created for the login time. If the user is logged out, the "temporary" user has to be destroyed for security reasons. If the user is removed from LDAP it will not be possible for him to log in to ILMT again.

Idea priority Medium
  • Guest | Dec 14, 2022

    Participation in a single LDAP group can be linked with more than one user role, so there is no need for multiple groups for multiple roles.

    However, since 9.2.30 the membership in multiple groups with different permissions is also merged into the sum of all the permissions from all of them. There is a new flag 'Inherit Role From User Provisioning' which, if checked, means the user permissions will always be inherited based on LDAP groups and their LMT permissions as defined in User Provisioning, so the user roles cannot be set in the normal way in LMT when editing a particular user.


  • Guest | Dec 14, 2022

    Thanks for the information. What if the ILMT user has a few roles? ILMT allows ticking a few checkboxes corresponding to the ILMT roles. That is why membership in more than one AD group is needed to allow the user to have more than one role.

  • Guest | Dec 14, 2022

    We managed to deliver this capability in ILMT 9.2.30 in full scope. This means not only that a user may not log in if he was removed from the LDAP groups based on which he was provisioned, but also that the user is in fact inheriting the highest permissions based on all the LDAP groups he is a member of. The permissions are evaluated and re-assessed during each login.
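    A constructed Python model of the behaviour described in this comment and in the 9.2.30 comment above (added here as an illustration, not ILMT's own code; the group DNs, role names and function names are hypothetical). The legacy path reproduces the reported test results, where the profile keeps the role from the first matching group and is never re-evaluated; the 9.2.30 path recomputes the union of roles from the current LDAP membership on every login and refuses a user with no matching group.

```python
from __future__ import annotations

# Constructed mapping an administrator would define under User Provisioning:
# LDAP group DN -> set of LMT roles (hypothetical values).
GROUP_ROLES: dict[str, set[str]] = {
    "cn=lmt-admins,ou=groups,dc=example,dc=com": {"Administrator"},
    "cn=lmt-viewers,ou=groups,dc=example,dc=com": {"Software Asset Viewer"},
    # a single group may carry more than one role
    "cn=lmt-contracts,ou=groups,dc=example,dc=com": {"Contract Manager",
                                                     "Software Asset Viewer"},
}

# Simulated local user store: user name -> roles stored on the profile.
profiles: dict[str, set[str]] = {}


def roles_for(groups: list[str]) -> set[str]:
    """Union of the roles granted by every provisioned group the user is in."""
    roles: set[str] = set()
    for g in groups:
        roles |= GROUP_ROLES.get(g, set())
    return roles


def login_legacy(user: str, groups: list[str]) -> set[str] | None:
    """Behaviour reported in the Oct 21 tests: the profile is created on the
    first login from one matching group only and never re-evaluated."""
    if user not in profiles:
        first = next((g for g in groups if g in GROUP_ROLES), None)
        if first is None:
            return None            # no provisioned group: no profile, no login
        profiles[user] = set(GROUP_ROLES[first])
    return profiles[user]          # stale once group membership changes


def login_9230(user: str, groups: list[str]) -> set[str] | None:
    """9.2.30 behaviour: membership is re-assessed on every login, the roles
    are the sum over all matching groups, and a user whose groups no longer
    match any provisioned group is refused and the profile dropped."""
    roles = roles_for(groups)
    if not roles:
        profiles.pop(user, None)   # access withdrawn in LDAP takes effect now
        return None
    profiles[user] = roles         # profile mirrors current LDAP membership
    return roles
```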

  • Guest | Oct 24, 2022

    Hi Jacek, thanks for your testing and reporting the conclusions.

    We are looking into improving the functionality by addressing scenario 3) from your comment, namely to validate LDAP group membership during each login and not allow it if the user is no longer a member of the group. Hopefully we can include this in the nearest release, although no commitment here.

    However, at this stage we do not plan to extend this functionality to assign the user the highest permissions based on membership in multiple groups and to monitor and adjust the permissions dynamically when LDAP groups' membership changes. If this functionality is needed, please open an independent idea and describe more details about the rationale and scenarios for which this is needed. For now we will document this as a limitation so that this is clear to all the ILMT users.

    Thanks again for reporting and your feedback.

  • Guest | Oct 21, 2022

    Please find the results of tests I conducted while testing the usage of AD groups to grant AD users roles in the ILMT application:

    1) If a domain user logs in to the ILMT application for the first time and he or she is a member of only one AD group, corresponding to one ILMT role, then the user can log in to ILMT because the new user profile is created during the first logon and the new profile has the correct role allocated to it (this is correct and does not require any fix);

    2) If the domain user logs in to the ILMT application for the first time and he or she is a member of MORE THAN ONE AD group, where each AD group corresponds to a separate ILMT role, then the user can log in to ILMT because the new user profile is created during logon, but the created user profile has only one ILMT role assigned instead of many (software bug - needs to be fixed).

    3) If the existing user is added to another AD group(s), corresponding to another ILMT role(s), or the user is removed from such AD group(s), it has no impact on the existing user profile until the user profile is manually deleted by the ILMT administrator (software bug - needs to be fixed).

  • Guest | Oct 21, 2022

    Please find the results of tests I conducted while testing the usage of AD groups to grant AD users roles in the ILMT application:

    1) If the user logs in to the ILMT application for the first time as a domain user and he or she is also a member of only one AD group, corresponding to one ILMT role, then the user can log in to ILMT because the new user profile is created during the first logon and the new profile has the correct role allocated to it (this is correct and does not require any fix);

    2) If the user logs in to the ILMT application for the first time as a domain user and the user is also a member of MORE THAN ONE AD group, where each AD group corresponds to a separate ILMT role, then the user can log in to ILMT because the new user profile is created during logon, but the created user profile has only one ILMT role assigned instead of many (software bug - needs to be fixed).

    3) If the existing user is added to another AD group(s), corresponding to another ILMT role(s), or the user is removed from AD group(s), it has no impact on the existing user profile until the user profile is manually deleted by the ILMT administrator.