“The old RBAC…” Role Based Access Control. When done right, pretty awesome! Am I right??? Get it wrong and you’re in a world of pain!
With RBAC, a user is given access to multiple resources using group nesting. It also helps when revoking said access (just remove user from group). I’ve seen many RBAC implementations that started off good, only to be derailed by exceptions. RBAC is an all-or-nothing kinda deal.
There’s a catch to RBAC, while it is awesome, you won’t be able to derive how a user gained access to a resource just by looking at a user’s memberof AD property. Luckily for us there are ways to find out! 😉
Use LDAPFilter, specifically LDAP_MATCHING_RULE_IN_CHAIN
If you need to do a quick assessment of all the resources a user has access to either direct or nested then this will get the job done! Another advantage or disadvantage depending on your perspective, is that this approach doesn’t suffer from circular group nesting, but it doesn’t report it either…
I did notice however that I couldn’t derive the relationship of the groups. Was the group directly linked or is it nested in another group? Using the LDAPFilter technique will get you all the unique groups the user is a member of, direct or nested.
This could lead to misinterpretations:
- Was the group a direct member?
- Was the group nested via another group?
- Was the group nested via multiple groups?
I decided to give it another try!
This will get you all the groups, direct and nested, no filter!
The user has access to APL-FTP-Client twice! The user will still have access even if APL-FTP-Client is removed from ROL-Technisch Consultant. APL-FTP-Client is also nested via APL-Total-Commander.
Aha! So that’s why a user still has access…
Now you can do fun stuff like figuring out multiple entry points a user has access…
This is my take on how to get a report on a user’s nested group membership.
I don’t think I need to point out that the script does nothing for reporting where the user is granted access directly, eh? 😉 This is why you always manage resources using groups even for just one user…
Hope it’s worth something to you…