Managing Security Groups

CONTENTS

Home

Security Groups (SG) provide an efficient way to assign access to resources on your network. Security Groups require Lightweight Directory Access Protocol (LDAP) and Microsoft Active Directory (AD) groups. bipp’s Security Group enables integration of the Active Directory Security Group for the bipp platform.

Tenant Administrators must create the bipp Security Groups with the same name as the Active Directory group to successfully integrate LDAP / AD groups as an authorization mechanism.

Security Groups Overview

  • Active Directory: learn about Active Directory groups
  • Authentication: see the bipp authentication process
  • Request Processing: understand the request process flow

Active Directory

Before you create a Security Group, it is important to understand Active Directory groups.

Active Directory groups collect user accounts, computer accounts, and other groups into manageable units. Working with groups simplifies network maintenance and administration.

Active Directory uses two types of groups:

  • Distribution Groups are used with email applications to send email to collections of users. Distribution Groups are not listed in Discretionary Access Control Lists (DACLs).
  • Security Groups - are used to assign permissions to shared resources.

There are two major functions for security groups:

1. Assign user rights to security groups in Active Directory

User rights are assigned to a Security Group to determine what actions group members can perform in the domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed, to help administrators define a user’s administrative role in the domain.

For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories located on each domain controller in the domain.

2. Assign permissions to security groups for resources

Permissions are different from user rights. Permissions are assigned to the Security Group for the shared resource. They determine who can access the resource and the level of access, such as Full Control. Administrators assign the resource permissions to a security group rather than to individual users. Each account added to a group receives/inherits the rights that are assigned to that group in Active Directory, and the user receives the permissions defined for that group.

Authentication

Here is the process when you use LDAP or SSO authentication with bipp Security groups:

  1. The bipp Identity and Access Management (IAM) module receives a list of all the LDAP/AD groups for the user, from either the LDAP server or the respective Identity Provider (IdP).
  2. The IAM module searches for matching security groups configured in the tenant.
  3. For every matching security group, the IAM module finds the mapped Group and verifies the user is a member.

If the user is member, no further action is required. For new users, the user is automatically added to the bipp user Group.

Request Processing

Security Group membership verification happens at every API call. If a user is a member of a user group and the user’s security group membership is not found, requests fail with an authorization error.

This situation occurs if the user’s security group membership has been revoked. In this case, the user’s membership from the User Group is not automatically removed.

The tenant administrator should periodically review the Groups and Security Group mapping to ensure everything is up-to-date.

Adding Security Groups

  1. Click Settings > Security Groups from the main menu. The Security Groups pane opens showing the list of defined Security Groups. Adding Security Groups

  2. Click New Security Group. New Security Group

  3. Enter the Security group name and a Description.

    The Security group name must match the actual LDAP / Active Directory group name.

  4. Click Save.

Once you have created a Security group, you can map it to your defined Tenant Groups. The resource level permission/role assignments are performed in the platform using the bipp Groups, which mirror the LDAP / AD groups through the mapped Security Group. Security Groups act as the source of authorization when enabled in a tenant.

To map a Security Group to a group:

  1. Click Groups from the main menu. The Groups pane opens.
  2. Click dropdown to the right of the name.
  3. Click Security Group.
    Security Group
    Groups can only be mapped to a single Security Group. You must delete the currently associated security group before selecting a new one. ClickDeleteIconthe icon to unmap the existing group.
  4. Select the Security Group from the list. Security Groups are defined from Home > Settings > Security Groups.
  5. Click Update.
  6. After the security groups are created, map those groups to the User Groups (UG) of the Tenant.
  7. You can map one SG to only one UG. Actual resource level permission/role assignments are performed in the platform using the User Groups which are a mirror of the actual LDAP / AD groups through the Security Groups. Security Groups act as the source of authorization when enabled in a tenant.

Editing Security Groups

  1. Click Settings > Security Groups from the main menu. The Security Groups pane opens showing the list of defined Security Groups.
  2. Click dropdown to the right of the security group Name and select Edit.
  3. Modify the security group name and/or description.
  4. Click Update.

Deleting Security Groups

  1. Click Settings > Security Groups from the main menu. The Security Groups pane opens showing the list of defined Security Groups.
  2. Click dropdown to the right of the security group Name and select Delete.
  3. Click Delete again to confirm the removal of the security group.