Access Control also provides LDAP integration support for two common authentication service providers: Active Directory and Apache DS. LDAP groups are mapped to Clarify roles, thereby integrating the two systems and providing additional authentication and authorization to Clarify. With successful LDAP integration in place, users can sign into Clarify using their network credentials, which will be directly mapped to their respective role/permission levels in Clarify. This is how single sign-on can be implemented with Access Control.
How Clarify authenticates using an LDAP profile in Access Control
Server login authentication first checks every configured and enabled LDAP server. If no enabled LDAP profile exists, or the user is not found in any enabled LDAP server, the Clarify database is checked. Once a match is found, the user's permission level is determined either by the LDAP group-to-role mapping (for users authenticated by an LDAP server) or by the user-to-role configuration (for users authenticated by the database), depending on where the user was authenticated.
Two approaches to LDAP integration with Clarify
With LDAP integration, the organization of users and groups has an impact on how you determine and specify the appropriate permissions in Clarify.
- Scenario 1: one LDAP group mapped to one Clarify role.
- Scenario 2: many LDAP groups mapped to many Clarify roles.
Scenario 1 shows one possible integration. Only one LDAP group exists (Group 1), but it contains several users (A through F). Because mapping is only possible from a group to a role, all users in this example will have the same permissions in Clarify (they are assigned to the Clarify Super role). There is no way to separate users or assign different permissions to different users. This configuration may or may not be acceptable.
In Scenario 2, however, we have created different LDAP groups (1 through 4), with each group containing only certain users from Group 1. In this configuration, we can be more specific in our group-to-role mappings.
- User A (Group 2) represents the System Administrator in Clarify; not only do they have all permissions to use Clarify features, but they can also manage access control for all other users.
- Users B, C, and D (Group 3) have the permissions assigned to the role of Super User. They too have all permissions to use Clarify features, but lack the ability to manage access control in Clarify.
- Users E and F (Group 4) have been mapped to the Clarify User role. As such, they may have very limited abilities in Clarify, such as read-only access to record logs.
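The resolution order described above (enabled LDAP profiles first, then the Clarify database) and the Scenario 2 group-to-role mapping, as an added illustration that is not code from Clarify or its Access Control module. The profile names, the user/group data and the `resolve_role` function are constructed for the example; directory lookup and password verification are abstracted to a membership check, and a user whose LDAP groups map to no role or to conflicting roles is treated as denied, which is an assumption of this example rather than documented product behaviour.

```python
from dataclasses import dataclass


@dataclass
class LdapProfile:
    name: str
    enabled: bool
    groups: dict  # group name -> set of member user names


# Constructed sample data: one enabled profile holding the Scenario 2 groups and
# one disabled profile holding the Scenario 1 group. Disabled profiles are never consulted.
LDAP_PROFILES = [
    LdapProfile("corp-ad", enabled=True, groups={
        "Group 2": {"A"},
        "Group 3": {"B", "C", "D", "H"},
        "Group 4": {"E", "F", "H"},
    }),
    LdapProfile("legacy-ds", enabled=False, groups={
        "Group 1": {"A", "B", "C", "D", "E", "F", "G"},
    }),
]

# Group-to-role mapping applied to LDAP-authenticated users (Scenario 2).
GROUP_TO_ROLE = {"Group 2": "System Administrator", "Group 3": "Super User", "Group 4": "User"}

# User-to-role configuration applied to users authenticated against the Clarify database.
DB_USERS = {"svc-reports": "User"}


def resolve_role(user):
    """Return (authentication source, Clarify role) for a user, or None if access is denied."""
    # 1. Enabled LDAP profiles are checked first, in configured order.
    for profile in LDAP_PROFILES:
        if not profile.enabled:
            continue
        member_of = {g for g, members in profile.groups.items() if user in members}
        if not member_of:
            continue  # user not known to this server; try the next enabled one
        roles = {GROUP_TO_ROLE[g] for g in member_of if g in GROUP_TO_ROLE}
        if len(roles) != 1:
            return None  # assumption: no mapped group, or an ambiguous mapping, fails closed
        return (profile.name, roles.pop())
    # 2. Only when no enabled LDAP server knows the user is the database consulted.
    if user in DB_USERS:
        return ("database", DB_USERS[user])
    return None
```

User G exists only in the disabled profile, so the lookup falls through to the database and is denied there; user H sits in two mapped groups and is denied for ambiguity.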