In an enterprise deployment, staff get access to different assets, objects and secrets based on which AD groups they are members of.
1) Adding AD users to an AD group should grant access to certain Device42 objects.
2) Removing AD users from an AD group should remove access to certain Device42 objects.
Basic functionality for 1) is implemented through the current scheduled AD/LDAP autodiscovery feature, which puts matching local AD-authenticated accounts into local admin groups. 2) is not implemented. I think there is a misunderstanding about what sync normally means.
An excellent feature would be to implement proper AD/LDAP integration.
Conceptually this works as follows.
When an AD user logs into an application, its AD group membership is saved by the application. When access is attempted, the user's AD group membership is referenced (instead of local admin group membership).
This means that no scheduled synchronization is required.
Other products call this feature "transparent LDAP".
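The flow described in the post above, as an added illustration that is not part of the original post and not Device42's own code: group membership is captured from the directory at login and stored in the session, and every access check consults that stored membership through an application-side mapping from group DN to permissions. The directory here is a constructed in-memory dictionary standing in for a `memberOf` lookup, and the permission names, group DNs and `Session` type are hypothetical. The example also shows the caveat a practitioner should keep in mind with this model: a removal in AD only takes effect when the user next logs in or the session expires, so session lifetime is part of the access-control design.

```python
"""Transparent-LDAP style authorization: group membership captured at login,
checked on every access. Added example with a constructed directory; no real
LDAP server is contacted."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed stand-in for an AD/LDAP directory: user DN -> group DNs, i.e.
# what a memberOf query would return. Hypothetical names, not real data.
ADMINS = "CN=D42-Admins,OU=Groups,DC=example,DC=com"
VIEWERS = "CN=D42-Viewers,OU=Groups,DC=example,DC=com"
ALICE = "CN=alice,OU=Staff,DC=example,DC=com"
BOB = "CN=bob,OU=Staff,DC=example,DC=com"

DIRECTORY: Dict[str, List[str]] = {
    ALICE: [ADMINS, VIEWERS],
    BOB: [VIEWERS],
}

# Application-side mapping: AD group DN -> permissions on application objects.
# Permission names are hypothetical.
GROUP_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    ADMINS: frozenset({"device:read", "device:write", "secret:read"}),
    VIEWERS: frozenset({"device:read"}),
}


@dataclass(frozen=True)
class Session:
    """What the application stores after a successful AD login."""
    user_dn: str
    groups: FrozenSet[str]   # membership as seen by the directory at login time
    issued_at: float         # seconds; passed in explicitly for determinism
    ttl: float = 3600.0      # session lifetime; bounds how stale membership can get

    def expired(self, now: float) -> bool:
        return now - self.issued_at >= self.ttl


def lookup_groups(directory: Dict[str, List[str]], user_dn: str) -> FrozenSet[str]:
    """Stand-in for an LDAP memberOf search. A real deployment would also have
    to decide whether nested groups are expanded (e.g. via a recursive query)."""
    return frozenset(directory.get(user_dn, []))


def login(directory: Dict[str, List[str]], user_dn: str, now: float) -> Optional[Session]:
    """Authentication (the LDAP bind) is assumed to have already succeeded;
    this step only records the group membership the directory reports now."""
    if user_dn not in directory:
        return None
    return Session(user_dn=user_dn, groups=lookup_groups(directory, user_dn), issued_at=now)


def permissions(session: Session) -> FrozenSet[str]:
    """Union of the permissions granted by every group in the session."""
    granted = set()
    for group in session.groups:
        granted |= GROUP_PERMISSIONS.get(group, frozenset())
    return frozenset(granted)


def authorize(session: Session, permission: str, now: float) -> bool:
    """Access check: consult the stored AD membership, never a local admin group.
    An expired session is denied regardless of what it was granted."""
    if session.expired(now):
        return False
    return permission in permissions(session)


def demo() -> Dict[str, bool]:
    """Walk through grant, removal-in-AD, stale session and re-login."""
    directory = {dn: list(groups) for dn, groups in DIRECTORY.items()}  # private copy
    results: Dict[str, bool] = {}

    alice_s1 = login(directory, ALICE, now=1000.0)
    results["alice_write_initial"] = authorize(alice_s1, "device:write", now=1001.0)
    results["bob_write"] = authorize(login(directory, BOB, now=1000.0), "device:write", now=1001.0)

    # Remove alice from the admin group in AD. No scheduled sync job exists.
    directory[ALICE].remove(ADMINS)

    # Caveat: the session issued before the removal still carries the old membership.
    results["alice_write_stale_session"] = authorize(alice_s1, "device:write", now=1002.0)
    # Once the session expires the stale grant is gone even without a new login.
    results["alice_write_expired_session"] = authorize(alice_s1, "device:write", now=1000.0 + 3600.0)

    # A fresh login picks up the removal immediately; viewer rights remain.
    alice_s2 = login(directory, ALICE, now=1003.0)
    results["alice_write_after_relogin"] = authorize(alice_s2, "device:write", now=1004.0)
    results["alice_read_after_relogin"] = authorize(alice_s2, "device:read", now=1004.0)
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The design choice worth noting is that the stale-session window is the only place where this model lags behind AD; keeping `ttl` short, or re-running `lookup_groups` before sensitive operations such as reading secrets, closes that gap without reintroducing a scheduled sync.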