Turbot Groups and Group Profiles

Turbot Groups

Through our directories model, Turbot supports integration with groups defined in Turbot, AD (via LDAP) and SAML. This allows permissions to be granted to groups in Turbot and users to be added to those groups, either directly in Turbot or by syncing with AD/SAML during login.

Getting started

First, you need an existing Turbot directory to source the groups from: a Turbot, LDAP or SAML directory.

All 3 directory types require you to set the Group URN Template. This produces a unique identifying URN for your groups in Turbot, which are represented as Group Profiles. This model of representing groups from a source directory as group profiles is consistent with the model used for directory users and profiles.

Go to the level in Turbot that your directory is defined at (e.g. Turbot, Cluster or Account), navigate to Advanced -> Directories and click the Edit pencil symbol next to the directory.

LDAP Directory:

Set Group URN Template

Look for the Group URN Template section:

The value should already have a default (the prefix will vary depending on the level at which your directory is defined). A typical identifier for a group in AD would be {{group.$source.cn}}.

Set Groups Base [Optional]

This is an optional parameter that allows you to specify a different base for LDAP group queries. You only need to provide this if the existing Base does not have sufficient scope to retrieve your required groups.


Set Group Object Filter [Optional]

This optional filter is used to identify a group in your environment. In most cases, the default of (objectCategory=group) should suffice.


Set Group Search Filter [Optional, but recommended]

This optional filter is used to find groups during searches (e.g. granting permissions to a group). Set this according to your requirements, ensuring that you are searching the correct attributes on your group objects and that the fields are properly indexed.


Set Group Sync Filter [Optional]

This optional filter is used to identify which of the groups a user is a member of should be synced during login. It allows only a subset of a user's groups to be synced, which prevents a large number of unnecessary group profiles from being created in Turbot in a larger AD environment. Combining the optional Groups Base with this filter ensures that only the required groups are in scope.

Please note: LDAP group sync is disabled by default; the policies required to enable it are covered later in this document.


Set Group Canonical Name Attribute [Optional]

This optional attribute is used to identify the canonical name attribute on your group objects. Defaults to cn if not specified.
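The following is an added example, not Turbot's own code or configuration, showing how the Group Object Filter, a Groups Base and a Group Sync Filter combine into the queries described above, and why any value spliced into a filter (a search term typed into a group search, a user's DN) must be escaped per RFC 4515 so it is matched literally rather than changing the filter's structure. The attribute names, the base DN, the sync filter value, and the assumption that the sync query matches on the group's member attribute are all constructed; the page does not state how Turbot parameterises its Group Search Filter, so the shape of build_search_filter is an assumption.

```python
# Added example (not Turbot's own code): composing LDAP group filters safely.
# Constructed values below stand in for the directory settings on this page.
GROUP_OBJECT_FILTER = "(objectCategory=group)"       # the page's default
GROUPS_BASE = "OU=CloudGroups,DC=example,DC=com"     # constructed Groups Base
GROUP_SYNC_FILTER = "(cn=turbot-*)"                  # constructed Group Sync Filter

# RFC 4515 escapes: these characters change filter structure if left raw.
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value so it is matched literally inside a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_search_filter(term: str, attrs=("cn", "sAMAccountName")) -> str:
    """Group Search Filter (assumed shape): substring-match `term` on a fixed set
    of indexed group attributes, ANDed with the object filter so that only group
    objects can match. `term` is untrusted user input and is escaped first."""
    safe = escape_filter_value(term)
    clauses = "".join(f"({a}=*{safe}*)" for a in attrs)
    return f"(&{GROUP_OBJECT_FILTER}(|{clauses}))"


def build_sync_filter(user_dn: str) -> str:
    """Group Sync Filter (assumed shape): groups that list the user's DN as a
    member, narrowed by the configured sync filter so that only the wanted
    groups become group profiles at login."""
    member = escape_filter_value(user_dn)
    return f"(&{GROUP_OBJECT_FILTER}{GROUP_SYNC_FILTER}(member={member}))"


def in_groups_base(group_dn: str, base: str = GROUPS_BASE) -> bool:
    """Scope check mirroring the Groups Base: only DNs under the base are in scope."""
    return group_dn.casefold().endswith("," + base.casefold())
```

A search term such as `*)(objectClass=*` comes out as `\2a\29\28objectClass=\2a` and can only ever match a group whose name literally contains those characters, while the object filter stays in control of what object types the query returns.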


SAML Directory:

Set Profile Groups Attribute

This is the attribute on the SAML assertion that contains the list of groups that the user is a member of.

Set Group URN Template

Look for the Group URN Template section:

The value should already have a default (the prefix will vary depending on the level at which your directory is defined) and is ready to use. The {{groupName}} variable is taken from each group name in the Profile Groups Attribute above. This means it is important to map only the required groups through in the SAML assertion and to ensure that each name is well-formed.
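The following is an added example, not Turbot's code, of the step just described: reading the Profile Groups Attribute out of a SAML assertion, rendering a Group URN Template of the {{groupName}} form for each value, and refusing names that are not well-formed. The attribute name "groups", the URN prefix, the group names in the constructed assertion, and the well-formedness rule (letters, digits, dot, underscore and hyphen only) are assumptions; a real integration validates the assertion's signature with a SAML library before trusting any attribute value.

```python
# Added example (not Turbot's own code): groups from a SAML assertion to group URNs.
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PROFILE_GROUPS_ATTRIBUTE = "groups"                                  # constructed attribute name
GROUP_URN_TEMPLATE = "urn:turbot:example:saml:group:{{groupName}}"  # constructed prefix

# Constructed well-formedness rule: a name that is safe to embed in a URN.
WELL_FORMED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Constructed assertion fragment (unsigned; a real integration validates the
# signature with a SAML library before trusting any attribute value).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>CloudOps</saml:AttributeValue>
      <saml:AttributeValue>Sec Admins</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_group_names(assertion_xml: str, attribute: str = PROFILE_GROUPS_ATTRIBUTE) -> list[str]:
    """Return the values of the Profile Groups Attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    names = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != attribute:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            names.append((value.text or "").strip())
    return names


def render_group_urn(group_name: str, template: str = GROUP_URN_TEMPLATE) -> str:
    """Substitute {{groupName}}; refuse names that would yield a malformed URN."""
    if not WELL_FORMED.match(group_name):
        raise ValueError(f"malformed group name: {group_name!r}")
    return template.replace("{{groupName}}", group_name)


def group_urns_from_assertion(assertion_xml: str) -> tuple[list[str], list[str]]:
    """(urns, rejected): one URN per well-formed group name, the rest reported."""
    urns, rejected = [], []
    for name in extract_group_names(assertion_xml):
        try:
            urns.append(render_group_urn(name))
        except ValueError:
            rejected.append(name)
    return urns, rejected
```

Rejected names are returned rather than silently dropped so that a malformed group (here "Sec Admins", which fails the constructed rule because of the space) shows up in logs instead of quietly leaving a user without the permissions that group carries.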

Turbot Directory:

Set Group URN Template

Look for the Group URN Template section:

The value should already have a default (the prefix will vary depending on the level at which your directory is defined). For Turbot directories, we recommend leaving the group identifier as {{group.name}}.

Group Profile Sync during Login:

For LDAP and SAML groups, we have functionality that will:

  • Obtain the list of groups the user is a member of during login (subject to the specific filtering configured in the directories)
  • Create a group profile for each group
  • Ensure the user is added as a member of that group profile in Turbot

To enable this functionality, please set the following policy to Enabled (either at the level of or above your directory):

Turbot > Directory > Groups Sync - This will enable the sync functionality for all directories in the scope of that policy setting.

After login, the user will have been added to the relevant groups in Turbot and any permissions assigned to those groups in Turbot will now be active.

Group Profile Directories Sync:

Using the previous policy ensures that users are synced into their respective groups during login; however, it does not ensure that nested groups in AD are synced or that the relationships between them are set up in Turbot.

To enable this functionality, please set the following policy to Enforce: Group profile in sync with directories (either at the level of or above your directory):

Turbot > Directory > Group Profile Directories Sync

This will enable a control per group profile in Turbot that will:

  • Ensure that the source group for this Group Profile exists
  • Delete the group profile in Turbot if it does not exist in its directory source
  • Remove any users from the group profile in Turbot if they are not members in its directory source
  • Remove any nested group profiles from the group profile in Turbot if there is not a matching nested group in its directory source
  • Check for any nested groups in the group profile's directory source, create an equivalent group profile in Turbot and add it as a member of this group

Currently, only group profiles linked to an LDAP directory group support these checks.

This control also checks for cyclic nested groups in LDAP and avoids reproducing that relationship in Turbot, e.g.:

  • Group A in AD has a member Group B
  • Group B in AD has a member Group A

Assuming Group A was synced into Turbot by a login, when the Group Profile Directories Sync control runs against Group A it will create the nested group profile for Group B and the relationship between them. However, when the control runs against Group B, it will discover the cyclic relationship and will not add Group A as a member.
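The following is an added example, not Turbot's code: an in-memory model of the login-time sync and of the per-group-profile control described in this section, run against a constructed directory in which Group A and Group B nest each other. The user, group and URN-prefix names are constructed, the sync filter is modelled as a simple predicate, and the order in which the control applies its checks is an assumption; what the example shows is the reconciliation logic (delete a profile whose source is gone, drop users and nested groups no longer present at source, add nested groups) and the cycle check that stops Group A from being nested back under Group B.

```python
# Added example (not Turbot's own code): login sync and the per-group-profile
# control modelled against a constructed in-memory directory with a cycle.
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed source directory: group name -> (user members, nested group members)
SOURCE = {
    "GroupA": ({"alice"}, {"GroupB"}),
    "GroupB": ({"bob"}, {"GroupA"}),      # GroupB also contains GroupA: a cycle
    "CloudOps": ({"alice", "carol"}, set()),
}


@dataclass
class GroupProfile:
    urn: str
    members: set[str] = field(default_factory=set)   # user identifiers
    nested: set[str] = field(default_factory=set)    # nested group profile URNs


def urn(name: str) -> str:
    """Render a constructed Group URN Template for a source group name."""
    return f"urn:turbot:example:ldap:group:{name}"


def login_sync(profiles: dict[str, GroupProfile], user: str, keep=lambda name: True) -> list[str]:
    """Login-time sync: for each source group the user belongs to (subject to a
    sync filter, modelled as `keep`), create the group profile and add the user."""
    joined = []
    for name, (users, _) in SOURCE.items():
        if user in users and keep(name):
            profile = profiles.setdefault(urn(name), GroupProfile(urn(name)))
            profile.members.add(user)
            joined.append(urn(name))
    return joined


def would_create_cycle(profiles: dict[str, GroupProfile], parent: str, child: str) -> bool:
    """True if nesting `child` under `parent` would let a walk from child reach parent."""
    stack, seen = [child], set()
    while stack:
        cur = stack.pop()
        if cur == parent:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        if cur in profiles:
            stack.extend(profiles[cur].nested)
    return False


def sync_group_profile(profiles: dict[str, GroupProfile], name: str) -> list[str]:
    """The directories-sync control for one group profile; returns the actions taken."""
    actions = []
    g = urn(name)
    if name not in SOURCE:                      # source group no longer exists
        if profiles.pop(g, None) is not None:
            for p in profiles.values():
                p.nested.discard(g)
            actions.append(f"deleted {g}")
        return actions
    profile = profiles.setdefault(g, GroupProfile(g))
    src_users, src_nested = SOURCE[name]
    for user in sorted(profile.members - src_users):        # no longer a member at source
        profile.members.discard(user)
        actions.append(f"removed user {user}")
    src_nested_urns = {urn(n) for n in src_nested}
    for n in sorted(profile.nested - src_nested_urns):      # nested group gone at source
        profile.nested.discard(n)
        actions.append(f"removed nested {n}")
    for n in sorted(src_nested):                            # nested groups present at source
        child = urn(n)
        profiles.setdefault(child, GroupProfile(child))
        if child in profile.nested:
            continue
        if would_create_cycle(profiles, g, child):
            actions.append(f"skipped cyclic nested {child}")
            continue
        profile.nested.add(child)
        actions.append(f"added nested {child}")
    return actions


if __name__ == "__main__":
    profiles: dict[str, GroupProfile] = {}
    print(login_sync(profiles, "alice"))             # alice's groups become profiles
    print(sync_group_profile(profiles, "GroupA"))    # nests GroupB under GroupA
    print(sync_group_profile(profiles, "GroupB"))    # refuses to nest GroupA back
```

Note that the control only ever removes users; membership is added by the login sync, which matches the split between the two policies described above. The cycle check walks the nested-group graph already held in Turbot, so it catches longer cycles (A contains B contains C contains A) as well as the two-group case in the text.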

This is an example of groups imported from LDAP, on the Turbot > Advanced > Group Profiles page.

[Screenshot: group_profiles.PNG]

Here is an example of Turbot grants being applied to a group; all users in the CloudOps group inherit the permissions granted to the group.

[Screenshot: groupgrants.PNG]
