Ansible Automation Platform RFEs: AAPRFE-533

Is it possible to map multiple AD groups to a AAP team like in LDAP config?


      Is it possible to map multiple AD groups to an AAP team like in the LDAP config, and if not (and it seems we cannot, because I read the Python code and it does not do it), is there any other better way to map all those AD groups (20+) to various teams? The current mapping for teams only is around 500 lines of JSON. Group mapping is around 200.
      Would splitting into multiple LDAPs with different team mappings work?
      OR
      Put the groups on the AD side in a list format and pass that to the LDAP Team Mapping as below?

      {
        "My Team": {
          "organization": "Test Org",
          "users": ["CN=Domain Users,CN=Users,DC=example,DC=com"],
          "remove": "True"
        },
        "Other Team": {
          "organization": "Test Org 2",
          "users": "CN=Other Users,CN=Users,DC=example,DC=com",
          "remove": "False"
        }
      }

      However, if we exceed that limit (the current mapping for teams only is around 500 lines of JSON; group mapping is around 200), can we do nothing about it?
      If it's not possible, do we have a workaround or an RFE for a permanent solution?


      FYI... below is for test.
      The documentation does not provide sufficient information on how to configure team mapping. 

      I have over 20 Azure AD groups and I need to map them to the team_aliases. 
      I know the following configuration works: 
      {
        "saml_attr": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "remove": true,
        "team_org_map": [
          {
            "team_alias": "team-SharedInventory-users",
            "organization": "SharedInventory",
            "team": "834f2915-b892-478d-83c6-123456abcd"
          }
        ]
      }

      I have multiple groups that have to be mapped to team-SharedInventory-users team. 
      The following configuration is invalid: 
      {
        "saml_attr": "http://example.com/ws/2008/06/identity/claims/groups",
        "remove": true,
        "team_org_map": [
          {
            "team_alias": "team-SharedInventory-users",
            "organization": "SharedInventory",
            "team": "123f2915-b892-478d-83c6-123ab56d610a",
            "team": "123f2915-b892-478d-83c6-123ab56d6212"
          }
        ]
      }

      Similarly, the following config does not work, even though it is correct JSON syntax:

      {
        "saml_attr": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "remove": true,
        "team_org_map": [
          {
            "team_alias": "team-SharedInventory-users",
            "organization": "SharedInventory",
            "team": [
              "123f2915-b892-478d-83c6-123ab56d610a",
              "123f2915-b892-478d-83c6-123ab56d610a"
            ]
          }
        ]
      }

      How can I map multiple Azure AD Groups to the same team? 

      In LDAP config it was easy: 

      {
        "SharedInventory": {
          "admins": [
            "CN=team-cloud-ops-devops-lead-priv,OU=Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au",
            "CN=team-cloud-ops-devops-member-priv,OU=Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au"
          ],
          "remove_admins": true,
          "remove_users": true,
          "users": [
            "CN=team-cloud-ops-devops-excel-squad-priv,OU=Azure Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au",
            "CN=team-cloud-devops-site-reliability-engineering-priv,OU=Azure Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au",
            "CN=WGHS Azure BPF,OU=Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au",
            "CN=team-cloud-engineering-privileged,OU=Azure Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au"
          ]
        }
      }

      And team mapping: 

      {
        "team-SharedInventory-admins": {
          "users": [
            "CN=team-cloud-ops-devops-lead-priv,OU=Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au",
            "CN=team-cloud-ops-devops-member-priv,OU=Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au"
          ],
          "remove": true,
          "organization": "SharedInventory"
        },
        "team-SharedInventory-users": {
          "users": [
            "CN=team-cloud-ops-devops-excel-squad-priv,OU=Azure Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au",
            "CN=team-cloud-devops-site-reliability-engineering-priv,OU=Azure Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au"
          ],
          "remove": true,
          "organization": "SharedInventory"
        },
        "team-SharedInventory-readers": {
          "users": [
            "CN=WGHS Azure BPF,OU=Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au",
            "CN=team-cloud-engineering-privileged,OU=Azure Groups,OU=Groups,OU=aaa,DC=bbb,DC=com,DC=au"
          ],
          "remove": true,
          "organization": "SharedInventory"
        }
      }

      The only solution I can see is this. Is it going to work, or every time someone logs in, will it remove the users or group?

      {
        "saml_attr": "http://example.com/ws/2008/06/identity/claims/groups",
        "remove": true,
        "team_org_map": [
          {
            "team_alias": "team-SharedInventory-users",
            "organization": "SharedInventory",
            "team": "abc12345-b892-478d-83c6-420cd56d610a"
          },
          {
            "team_alias": "team-SharedInventory-users",
            "organization": "SharedInventory",
            "team": "123451d-d9e7-4e03-aeb3-203ac61262e6"
          },
          {
            "team_alias": "team-SharedInventory-readers",
            "organization": "SharedInventory",
            "team": "abc12345-a4ea-4691-8784-98c03cc91257"
          },
          {
            "team_alias": "team-MOS-Windows-admins",
            "organization": "MOS-Windows",
            "team": "abc12345-5be5-4d6c-9eca-b2b0c81282bc"
          }
        ]
      }

      users affected. Cannot progress to full PROD sign-off without configuration. Testing cannot be started. 

            rhn-sa-pgriffiths Phil Griffiths
            rhn-support-seokim kevin kim
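The issue above boils down to two mechanical problems: keeping a 500-line hand-written team_org_map in sync with 20+ groups, and the fact that a JSON object with two "team" keys is not rejected by most parsers but silently keeps only the last value. The script below is an added example, not AAP's or Red Hat's code and not something the reporter posted. It assumes the layout the reporter calls "the only solution I can see" (one team_org_map entry per group, repeating team_alias and organization) and generates that layout from a compact team-to-groups dict, then loads mapping JSON with a strict parser that refuses duplicate keys and a "team" value that is not a single string. The group IDs and team names are constructed sample values; the claim URL is the Azure AD groups claim shown on the page.

```python
"""Generate an AWX/AAP-style SAML team attribute map and check it strictly.

Added example, not Ansible Automation Platform code. Assumes the
team_org_map list layout shown in the issue (one entry per group, team_alias
repeated) is the form the platform accepts; the IDs below are made up.
"""
import json

AZURE_GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample input in the compact LDAP-map style: team -> groups.
# Group IDs are placeholders, not real Azure AD object IDs.
TEAM_GROUPS = {
    "team-SharedInventory-users": {
        "organization": "SharedInventory",
        "groups": [
            "11111111-1111-4111-8111-111111111111",
            "22222222-2222-4222-8222-222222222222",
        ],
    },
    "team-SharedInventory-readers": {
        "organization": "SharedInventory",
        "groups": ["33333333-3333-4333-8333-333333333333"],
    },
}


def build_team_attr(team_groups, saml_attr=AZURE_GROUPS_CLAIM, remove=True):
    """Expand team -> [groups] into the flat team_org_map list.

    Every group becomes its own entry that repeats team_alias and
    organization, so a team with N groups yields N entries.
    """
    team_org_map = []
    for team_alias, spec in team_groups.items():
        groups = spec["groups"]
        if not groups:
            raise ValueError(f"{team_alias}: no groups listed")
        if len(set(groups)) != len(groups):
            raise ValueError(f"{team_alias}: duplicate group IDs")
        for group_id in groups:
            team_org_map.append({
                "team_alias": team_alias,
                "organization": spec["organization"],
                "team": group_id,
            })
    return {"saml_attr": saml_attr, "remove": bool(remove),
            "team_org_map": team_org_map}


def build_team_attr_json(team_groups):
    """Same as build_team_attr, rendered as the JSON text you would paste."""
    return json.dumps(build_team_attr(team_groups), indent=2)


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: json.loads keeps the last duplicate key silently,
    which is how a second "team" key in one entry quietly drops a group."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r} in JSON object")
        seen[key] = value
    return seen


def validate_team_attr(text):
    """Return None if the mapping JSON is acceptable, else an error string.

    Checks (assumed, mirroring the issue's invalid examples): no duplicate
    keys, "team" is a single string, team_alias and organization present.
    """
    try:
        data = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except ValueError as exc:
        return f"parse error: {exc}"
    if not isinstance(data.get("team_org_map"), list):
        return "team_org_map must be a list"
    for entry in data["team_org_map"]:
        if not isinstance(entry.get("team"), str):
            return f"'team' must be a single string, got {entry.get('team')!r}"
        for field in ("team_alias", "organization"):
            if not entry.get(field):
                return f"entry missing {field!r}: {entry}"
    return None


def groups_per_team(team_attr):
    """Invert a team_org_map back to team_alias -> sorted group IDs."""
    result = {}
    for entry in team_attr["team_org_map"]:
        result.setdefault(entry["team_alias"], []).append(entry["team"])
    return {alias: sorted(ids) for alias, ids in result.items()}


if __name__ == "__main__":
    rendered = build_team_attr_json(TEAM_GROUPS)
    print(rendered)
    print("validation:", validate_team_attr(rendered) or "ok")
```

Keep the compact TEAM_GROUPS dict under version control and regenerate the flat list from it; run validate_team_attr over the output (and over any hand-edited map) before pasting it into the platform, since the duplicate-key case is exactly the one a normal `json.loads` lets through.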