By: Ole Kristian user 17 Feb 2021 at 3:09 a.m. CST

1 Response
Ole Kristian gravatar
Hi. We have a general question regarding how to do certain management of users in gluu. We have users from different organizations. We want each organization to have a set of groups under them. Users will be associated with an organization, and could be part of one or more groups under this organization. We are planning to create these organizations ourself (as administrators) and add initial users to them. But we also want to be able to add an user to this organization as an "moderator". What this would mean is that they would be able to access a page somewhere where they are able to add new members to this organization, create groups under this organization, add users to groups under this organization, and give those users the ability to add others in those groups. So basically the "organization" is a group with a number of "sub-groups" under it. And both this main group and each of them could have moderators. We wanted to create a panel/page where this can be managed, while the gluu admin panel and creation of organization is restricted to admins. The reason for all of this is because we have gluu as the SSO for several applications. If we could handle this management of organizations and groups in gluu, then the apps that use it for SSO can also get the organization and groups of users from gluu instead of having to have a completely different group setup for each application. Is there anything in gluu that would allow us to achieve something like this? Anything in core gluu or a plugin / extension that supports something such as this? I know gluu has organization and groups but I'm not sure if that can be used for this. Any assistance would be appreciated. edit: could gluu gateway / kong be used for this purpose?

By Michael Schwartz staff 28 Feb 2021 at 3:07 p.m. CST

Michael Schwartz gravatar
So what you are asking for is really "delegated administration". It's a requirement about how to manage the data about users (like with what organization a person is affiliated), and how to enable an organization administrator to manage a sub-set of user's data. At a high level, delegated administration is an "Identity Management" (i.e. "IDM") requirement, while the Gluu Server is an "Identity and Access Management" (i.e. "IAM") platform. You probably also need some governance features, like a periodic review of which users have which permissions ("access certification"). These features are know as "IAG"--identity and access governance. These three systems, IDM, IAM, and IAG work together, but each system addresses different (but related) requirements. IAM platforms like the Gluu Server deal with runtime--things like presenting the login page, issuing access tokens and identity assertions (i.e. the id_token in OpenID Connect). The Gluu Server is a "consumer" of identity information. Just a guess, but as your requirements are somewhat business specific, it will probably make sense to build delegated administration into your application. The website that does this can use the SCIM Rest API to search, add, edit and delete user information. Your delegated admin application will add the right filters (for organization) and populate the right data based on the organization for which the admin is authorized to transact. Ultimately, you can keep the users "flat" in the Gluu database, as long as each user entity has the right information about organization affiliation and permissions. I hope that helps. I'm going to close this issue because it's a design question, not a feature or bug in the Gluu Server.