So in our use case, other than normal LDAP groups.. client has list of actions to be taken based on a role provided. this mainly because the unix authentication is managed by LDAP.
For example if I assign enterprise role "host1" to the user, it should add "host1" in the "host" field of LDAP and also should update UID etc.
Similarly some other enterprise role, a different set of fields needs to be updated in LDAP with specific values.
What is the best way to achieve this. Since it's not direct entitlement, not sure how can I link these "actions" with enterprise roles.
Why you have to use enterprise roles to provision certain attributes? why not dynamic attributes or other ways to do this?
Can you please explain your use case? why you want to use enterprise role to update LDAP attributes?
In this scenario LDAP servers has a list of UNIX Profiles. If a user has this profile listed under multivalued attribute "host", he/she would have authentication access to that specific unix machine.
For different hostprofiles there could be some additional attributes also needs to be populated… like if it is a Database server profile then ldap attribute related to DB home needs to be populated.
It is a normal linux server profile .. Then "homedirectory",'Shell" etc needs to be populated.
We need to link these provisions with roles in Saviynt, so if a user requests for a particular role, the required access policy should invoke to populate different fields in LDAP.
How would I achieve this with dynamic role ? We are not going to expose account farm to user.
They will have only enterprise roles to request for.
Directly you can’t fetch enterprise roles in JSON
create actionable report for update account task and build your logic to pass required additional attributes to ldap / target