We use cookies for Piwik Page Analytics. More details can be found in our privacy policy/ imprint

Wir verwenden Cookies für Piwik / Nutzungsanaklyse. Mehr Informationen finden Sie in unserer Datenschutzrichtlinie/ Impressum


An expert

Yes we are. We are WedaCon. Your experts for a wide range of IAM solutions from development to implementation.

26.03.2015 - 'do good and talk about it'-series, volume 8

Since 2001, WedaCon Informationstechnologien GmbH is helping its customers to reach their goals regarding everything related to identity and access management (and access governance, to be complete). In this series, we would like to give you as the valued reader a quick overview on what we have achieved. Other just call it 'Success Stories'. Today we will talk about...


Criteria Groups


We all know: managing groups can become complex. Often, addministrators tend to take the quick path and assign rights to users directly, not by assigning him to a group, and then allow the group to access the resource. On the other hand, how many groups do you have with only one member? And would'nt it be cool if the groups are filling and maintaing themself?


Role Bases Access Control (RBAC) and Attribute Based Access Control (ABAC) are two common concepts that are widely used in IT to manage access to resources. But who is managing the role, and who is managing the attribute? And how to handle exceptions?

In our customers environments we prefer to implement a relational management of entities (which can be a location, department, device, user, whatever). Instead of 'Identity Management', we call this 'Entity Management'.

The concept of 'entity management' in conjunction of a relational LDAP Directory design (yes, LDAP can be relational) allows us to implement a completely new way of managing groups. We call them 'Criteria Group'.


A Criteria Group is a kind of dynamic group (there are several RFC for LDAP dealing with dynamic approaches). The dynamic nature is defined by a kind of LDAP Query. Every object matching the query will be member of the group. Fine! What about manual assignments? Works, eg openLDAP and Novell eDirectory can easily do that. But that opens again the problem space: is a group which has manual assignments still a 'dynamic' one?


Our criteria groups are working based on 'variance analyzis'. Beside the usual dynamic element (who should be in the group?) we have an additional one (who is currently in the group?). By doing a regular comparision, we can eleminate incorrect assignments (eg manual ones).

Explicit assignments (and also explicit deny) is still available, but now by using standard group membership assignment.

Feel free to contact us via dganulltai@wedacon.net