Managing Roles

Our database is set for LDAP Authentication. We use a model where we have one giant database with all of our data views instead of many separate databases. We have been importing LDAP roles, but as we add more views and people request unique permissions it gets hard to manage. For example we have group denodo.helpdesk which provides view access to all the *helpdesk* views in the database. One specific application has requested update access to one of the views, but I don't want to give the entire group update access. This now requires that I create another group called denodo.helpdesk.update (or something similar). Ultimately I'd like to use LDAP for authentication, but be able to define permissions on a user level. It seems from the guide that setting up an LDAP user is deprecated. Is there any easy way to do permissions on a user level, but leverage LDAP for authentication?
28-10-2014 11:56:50 -0400

3 Answers

Hi, if you really really need to use permissions on a user level then you can always change the LDAP query used to search for roles (the field "Role search pattern" in the Edit Database dialog). I'll try to explain it with an example: let's suppose I have my users and groups in the same LDAP container, for example "CN=Users,DC=denodo,DC=loc", and I have a user "John Smith" (jsmith) who is a member of the "Director" group:

- A first typical configuration will be:

  User base: CN=Users,DC=denodo,DC=loc
  Attribute with user name: sAMAccountName
  User search pattern: (&(objectClass=person))
  Role base: CN=Users,DC=denodo,DC=loc
  Attribute with role name: cn
  Role search pattern: (&(member=@{USERDN}))

  ========> this user will have the "director" role in VDP

- But you can edit the role search pattern and use something similar to:

  Role search pattern: (|(distinguishedName=@{USERDN})(member=@{USERDN}))

  ========> this query will return groups containing the "jsmith" user as a member OR nodes having as distinguishedName "CN=John Smith, CN=Users,DC=denodo,DC=loc" (the jsmith node itself!). So in this case, the user jsmith will have "director" and "John Smith" as roles in VDP (you will have to create this role for this specific user).
Denodo Team
29-10-2014 11:58:33 -0400
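To see why the modified role search pattern returns both the group and the user's own node, here is an added simulation of the two-step LDAP lookup (user search, then role search with @{USERDN} substituted). This is example code written for this page, not Denodo's code: the directory entries are constructed sample data in the container the answer uses, and the filter parser handles only the &, | and equality forms that appear in the answer.

```python
"""Simulate Denodo-style LDAP role resolution against a constructed directory."""

# Constructed sample directory (not a real LDAP server): one user and two
# groups, all under the same container as in the answer above.
USER_DN = "CN=John Smith,CN=Users,DC=denodo,DC=loc"
DIRECTORY = [
    {"dn": USER_DN, "objectClass": ["person"], "sAMAccountName": ["jsmith"],
     "cn": ["John Smith"], "distinguishedName": [USER_DN]},
    {"dn": "CN=Director,CN=Users,DC=denodo,DC=loc", "objectClass": ["group"],
     "cn": ["Director"],
     "distinguishedName": ["CN=Director,CN=Users,DC=denodo,DC=loc"],
     "member": [USER_DN]},
    {"dn": "CN=Helpdesk,CN=Users,DC=denodo,DC=loc", "objectClass": ["group"],
     "cn": ["Helpdesk"],
     "distinguishedName": ["CN=Helpdesk,CN=Users,DC=denodo,DC=loc"],
     "member": ["CN=Jane Doe,CN=Users,DC=denodo,DC=loc"]},
]


def parse_filter(text):
    """Parse the subset of RFC 4515 filters used in the answer: (&...), (|...), (attr=value)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError("unbalanced filter")
            return (op, children), i + 1
        close = text.index(")", i)
        attr, value = text[i:close].split("=", 1)  # value itself may contain '=' (a DN)
        return ("eq", attr, value), close + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing characters in filter")
    return node


def matches(node, entry):
    """Evaluate a parsed filter; AD compares attribute names and values case-insensitively."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    _, attr, value = node
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def in_base(entry, base):
    return entry["dn"].lower().endswith(base.lower())


def find_user_dn(login, user_base, user_attr, user_search_pattern, directory=DIRECTORY):
    """Step 1: locate the authenticating user's DN (the value that becomes @{USERDN})."""
    filt = parse_filter(user_search_pattern)
    for entry in directory:
        logins = [v.lower() for v in entry.get(user_attr, [])]
        if in_base(entry, user_base) and matches(filt, entry) and login.lower() in logins:
            return entry["dn"]
    return None


def resolve_roles(user_dn, role_search_pattern, role_base, role_attr="cn", directory=DIRECTORY):
    """Step 2: substitute @{USERDN}, search under the role base, collect the role attribute."""
    filt = parse_filter(role_search_pattern.replace("@{USERDN}", user_dn))
    roles = []
    for entry in directory:
        if in_base(entry, role_base) and matches(filt, entry):
            roles.extend(entry.get(role_attr, []))
    return sorted(roles)


if __name__ == "__main__":
    base = "CN=Users,DC=denodo,DC=loc"
    dn = find_user_dn("jsmith", base, "sAMAccountName", "(&(objectClass=person))")
    print("group-only pattern:", resolve_roles(dn, "(&(member=@{USERDN}))", base))
    print("group-or-self pattern:",
          resolve_roles(dn, "(|(distinguishedName=@{USERDN})(member=@{USERDN}))", base))
```

The second pattern yields a role named after the user's own cn ("John Smith") in addition to the group roles. Two things to check before relying on it in production: the per-user role only carries privileges if a VDP role with exactly that name exists, and because the role name is taken from the cn attribute, any two directory entries under the role base that share a cn would resolve to the same VDP role, so name collisions in the container translate directly into privilege sharing.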
Very interesting - That sounds like it could work actually and would do exactly what I needed. Let me play around with this and see if I can get it working!
29-10-2014 12:10:55 -0400
Took me a few times, but this worked perfectly. I can't thank you enough for the help - I'd like to recommend this as a Knowledge Base article. Maybe it's specific to our situation, but I'd like to think someone else out there has to do the same thing.
29-10-2014 17:24:53 -0400