We are building a service in Catalog that we would like to limit access to only members of management. We are looking for ways to accomplish that in Catalog. So far we have tried creating a sub business unit but haven't figured out a way to automate adding and deleting people as needed. Another thought was to use PAM to read the SD contact record (since those are already synced with AD) and, if possible, modify the contact record in EEM to grant access to the sub business unit.
Is PAM capable of updating EEM?
Or is there a better/easier way to do this?
Any ideas are welcome
You can define access to the service on offering level.
On the permission tab you have a group tab where you just search for the AD group (search groups link) you want to grant permission to, and access will be limited to that group (or groups).
You can very well control permissions (access) to services using LDAP groups. I am sure your EEM has been configured with your organization's Active Directory.
I agree that you'd probably want the AD group defined first, then make sure your users are part of it and it shows up in EEM. Then you set the permissions as shown in the screenshot above.
If you do want to play around with PAM and setting business units to users in Catalog directly, then I suggest you take a look at the SOAP operator to invoke web service calls like "assignBusinessUnitRoles".
As Sankar is saying you can use LDAP groups. Just be careful your EEM isn't linked to more than one AD as that removes the group membership in Catalog for some reason.
You can also set permissions in Catalog based on user role (e.g. Catalog User vs Request Manager). Not the best way to go, but an option regardless. Remember that the catalog roles all have different functions available to them so using this method needs proper validation in your setup.
If you are thinking of using PAM and the data from the CA contact table, then that is possible too. You'd have to schedule a PAM process. My advice would be to have that PAM process directly set the default business unit on the Catalog user records instead of trying to do something in EEM.
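The scheduled PAM process described in this reply, whether it ends up calling the Catalog web service or writing user records some other way, needs one piece of logic that the thread never spells out: working out who to add and who to remove on each run, and refusing to act when the source side looks wrong (the earlier warning about group membership silently disappearing when EEM is linked to more than one AD is exactly the case that would otherwise empty the target). The following is an added example, not code from the thread or from any CA product. It computes a reconciliation plan from two constructed member lists and hands the actual add/remove calls to caller-supplied callbacks, because the real Catalog/PAM call signatures are not shown on this page and are therefore left as an assumption.

```python
"""Reconcile a Catalog business unit (or any target group) against an AD group.

Added example, not from the thread or any CA product. The Catalog/PAM/EEM
calls are NOT implemented here; they are injected as callbacks (hypothetical)
because their real signatures are not shown in the thread.
"""

from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass
class SyncPlan:
    to_add: List[str]
    to_remove: List[str]
    aborted_reason: Optional[str] = None  # set when the plan must not be applied


def normalize(user_ids: Iterable[str]) -> set:
    """AD logon names are case-insensitive; compare trimmed, case-folded values."""
    return {u.strip().casefold() for u in user_ids if u and u.strip()}


def build_plan(desired: Iterable[str], current: Iterable[str],
               max_removal_fraction: float = 0.5) -> SyncPlan:
    """Compute adds/removes to make `current` match `desired`.

    Safety rails: an empty source group, or a run that would remove more than
    `max_removal_fraction` of the current members, aborts the plan instead of
    stripping access from everyone (e.g. when the group lookup silently failed).
    """
    desired_n = normalize(desired)
    current_n = normalize(current)
    to_add = sorted(desired_n - current_n)
    to_remove = sorted(current_n - desired_n)

    if not desired_n and current_n:
        return SyncPlan([], [], "source group returned no members; refusing to empty the target")
    if current_n and len(to_remove) / len(current_n) > max_removal_fraction:
        return SyncPlan([], [], f"would remove {len(to_remove)} of {len(current_n)} members; needs manual review")
    return SyncPlan(to_add, to_remove)


def apply_plan(plan: SyncPlan,
               add_fn: Callable[[str], None],
               remove_fn: Callable[[str], None]) -> int:
    """Apply the plan through the supplied callbacks; returns number of changes made.

    `add_fn` / `remove_fn` are placeholders (assumption) for whatever the real
    PAM process calls, e.g. a SOAP operator invoking the Catalog web service.
    """
    if plan.aborted_reason:
        return 0
    for user in plan.to_add:
        add_fn(user)
    for user in plan.to_remove:
        remove_fn(user)
    return len(plan.to_add) + len(plan.to_remove)


# Constructed sample data (not real accounts): the AD group that should gate
# the service, and the current members of the Catalog sub business unit.
AD_MANAGEMENT_GROUP = ["jsmith", "AJones", " bwhite "]
CATALOG_BU_MEMBERS = ["jsmith", "cdavis"]

if __name__ == "__main__":
    plan = build_plan(AD_MANAGEMENT_GROUP, CATALOG_BU_MEMBERS)
    print("add:", plan.to_add, "remove:", plan.to_remove, "abort:", plan.aborted_reason)
    changed = apply_plan(plan,
                         lambda u: print(f"  [hypothetical] assign BU to {u}"),
                         lambda u: print(f"  [hypothetical] clear BU for {u}"))
    print("changes:", changed)
```

Run it on a schedule with the real group members and current business-unit members substituted for the constructed lists; the abort conditions are the part worth keeping even if the rest is replaced by PAM's own operators, since a sync job that can delete access is only safe when it refuses to act on an implausible source.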
Thank you for your help, this looks like a nice solution!
I do have one small difficulty though: we are currently using Catalog 12.7, which doesn't have this feature. I looked at our 14.1 environments that we have set up for testing and migration and they have it. In the meantime, though, the WSDL for 12.7 doesn't seem to provide the ability to modify business units or groups.
Are there any other options in Cat 12.7 and PAM 4.1?
At this point we could create a temporary solution using the secondary business unit and manually adding the necessary users then switch to the solution above or an LDAP group when we migrate to 14.1.
Thank you for sharing your knowledge!
I would like to use an LDAP group to control access. I assume we probably already have one that would work and that this would be the best way to handle this. Do you have some instructions, or is there a tech doc on the subject?
I may need to use a PAM process and the Catalog user records for the time being, until our server engineers have time to figure out the AD group piece. How do I go about accessing the user records in Catalog using PAM? I didn't see any operators in PAM that intuitively seem like the logical place to start.