Role Management

(Felipe Cembranelli) #1

Is there any way to use Active Directory for authentication, but continue to use the roles only inside ELK (without mapping ELK roles to AD groups)?

Based on the documentation, it seems the default is to have the roles managed by AD:

" Since with the active_directory realm the users are managed externally in the Active Directory server, the expectation is that their roles are managed there as well. In fact, Active Directory supports the notion of groups, which often represent user roles for different systems in the organization. "

(Ioannis Kakavas) #2

Hi Felipe

Roles are only used within the Elastic stack context so I guess you are referring to role mapping i.e. assigning those roles to users. If you are using AD for authentication and user information retrieval then it makes sense that you use this information to do the role mapping. If it's not the group membership, then something else.

Can you share an example of what you have in mind?

(Felipe Cembranelli) #3
Thanks for the help.

Yes, I am referring to role mapping.

What I would like to do:

  1. Authenticate the users using AD
  2. Manage the user roles on the ELK side: I want to move the user A from role 1 to role 2

As far as I understood, it is not possible: the user role should be defined on the AD side (using role-to-group mapping). With AD authentication enabled, I no longer have the user created on the ELK side, so I will not be able to manage the user roles on the ELK side.

Please let me know if I have misunderstood.

(Ioannis Kakavas) #4

Correct, this is not possible. We don't have a notion of shadow users or shadow accounts in Elasticsearch, so you can't statically manage role memberships of users that reside in external realms, as you describe.

To perform the same action now an equivalent would be to have a role mapping using the distinguished name of User A from AD to map them to role 1 and update that role mapping when you want to map them to role 2. Static role management tends to not scale well for anything above a handful of users though, so this - as well as your original intention - might not be a good strategy in the long run.
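
The DN-based workaround from the reply above, as an added example (not code from the thread or from Elastic): it builds the body for `PUT /_security/role_mapping/<name>`, whose `rules.field.dn` matches one AD user, and shows the "update that role mapping" step that moves the user from role 1 to role 2. The cluster URL, credentials, DN and role names are constructed placeholders, and the group-based mapping is the scalable alternative the thread contrasts it with.

```python
import base64
import json
import urllib.request

# Constructed placeholders, not values from the thread.
ES_URL = "https://localhost:9200"
USER_DN = "CN=User A,OU=Users,DC=example,DC=com"
GROUP_DN = "CN=elk-role2,OU=Groups,DC=example,DC=com"


def build_dn_mapping(dn, roles, enabled=True):
    """Role mapping body that grants `roles` to exactly one AD user, matched by DN."""
    return {
        "enabled": enabled,
        "roles": list(dict.fromkeys(roles)),  # dedupe, keep order
        "rules": {"field": {"dn": dn}},
        "metadata": {"managed_by": "security-team"},
    }


def build_group_mapping(group_dn, roles, enabled=True):
    """The scalable form: match on AD group membership instead of a single DN."""
    body = build_dn_mapping(group_dn, roles, enabled)
    body["rules"] = {"field": {"groups": group_dn}}
    return body


def move_user(mapping, old_role, new_role):
    """Return a copy of `mapping` with old_role swapped for new_role; the DN rule is untouched."""
    if old_role not in mapping["roles"]:
        raise ValueError(f"{old_role!r} is not in {mapping['roles']}")
    roles = [new_role if r == old_role else r for r in mapping["roles"]]
    return {**mapping, "roles": list(dict.fromkeys(roles))}


def put_role_mapping(name, body, user, password, base_url=ES_URL):
    """PUT the body to the role mapping API with basic auth; returns the JSON reply."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/_security/role_mapping/{name}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    m = build_dn_mapping(USER_DN, ["role1"])           # user A -> role 1
    print(json.dumps(move_user(m, "role1", "role2"), indent=2))  # user A -> role 2
    # put_role_mapping("user-a", move_user(m, "role1", "role2"), "elastic", "<password>")
```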
