snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

User Sync auto assign group #4877

Open R4MPi opened 6 years ago

R4MPi commented 6 years ago

Expected Behavior (or desired behavior if a feature request)

Looking for a function to auto assign groups for the new Windows AD Sync users.


Actual Behavior

After a sync with LDAP (Windows AD) we need an auto-assign for the new users, so we don't need to assign the right group manually.

Or is there an attribute in AD for it?

Thx :)


therealjoshuad commented 6 years ago

Open an edit location page, you’ll see the ldap sync field to choose the filter for that location.

R4MPi commented 6 years ago

Hmm.. I'm trying to give the users our added permission group automatically after the sync. So where can I define the default permission group? :)

therealjoshuad commented 6 years ago

Oh groups, I’m sorry, I thought you meant the users location field. I’m not sure that that’s possible, but I’ll defer to the others for that one.

stale[bot] commented 6 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions!

NerijusKr commented 6 years ago

Any news on this?

TheGammelgalopper commented 5 years ago

Yes I would like to see this feature as well! This really is the last feature that is missing for my install!

Hobadee commented 5 years ago

I came to this thread after Googling around trying to see if this was possible or not.

Our use case: We would like users in the "Domain Admins" group to have admin access without having to manually add them to an "Admin" group inside Snipe-IT.

JonathanTab commented 5 years ago

Bump. Is this doable?

RTodorov commented 5 years ago

yet another bump.... can we reopen this issue?

R4MPi commented 5 years ago

Hi,

if there is a chance to bring this new feature online. Yes we can! 😉

We'll stay in touch

BFMiBu commented 3 years ago

Is there a chance to reopen this? Would be great!

stale[bot] commented 3 years ago

Okay, it looks like this issue or feature request might still be important. We'll re-open it for now. Thank you for letting us know!

paulopaag commented 3 years ago

I'd like to also let it be known that it'd be an awesome feature.

Kizan commented 3 years ago

Would very much like to have this feature.

benwa commented 2 years ago

This also needs to un-assign group permissions when a user leaves an LDAP group.

nghia-dang commented 2 years ago

Would also be handy to be able to assign permissions for

  1. People in a specific ldap group to be assignable to one or more companies.
  2. People that are in multiple ldap groups be able to be in multiple companies if those ldap groups are assigned access rights to them
  3. Requestable items at specific locations visible to people only if they are in specific LDAP groups
  4. Assets located at specific locations to be made available visible only to people in specific LDAP groups..

Edogstraus00 commented 1 year ago

Is there any updates on being able to do this? I see this was opened a few years ago.

BFMiBu commented 1 year ago

Is there any updates on being able to do this? I see this was opened a few years ago.

Nope. Has unfortunately still not been included. This would be such a helpful function

felibb commented 1 year ago

@snipe could you please comment? There are multiple requests (#6508, #8356, #10430), but it seems unclear whether you find this feature feasible and/or worthy of consideration. Thanks.

snipe commented 1 year ago

There is already a PR in progress for this #11736

CrypNZ commented 1 year ago

@snipe I've read through that pr - what I was hoping for is something on the Group Management page that would allow you to sync users to groups based on the LDAP group they are in. Perhaps something that would run alongside an LDAP sync that would view members of defined x,y,z groups and update their SnipeIT group accordingly. This would also help with removal of users from these groups.

I'm not sure if I am misunderstanding - is that pr for one singular default group when someone gets added to snipeit or will it allow the functionality I have outlined above?

Thanks,

jarrodCoombes commented 11 months ago

@snipe That PR is not what people are asking for, we are asking for the ability to sync group membership from AD to keep our installs secure and to make sure people have the correct level of access when they are onboarded. So I'd argue that PR does not satisfy or solve this feature request.

The problem with the default group approach is that you end up with everyone in that group and it becomes very onerous to go through and update them all manually. Catch-all things like that should be a last resort, not a first attempt.

snipe commented 11 months ago

@jarrodCoombes that's why this issue is still open and not marked as resolved.

snipe commented 11 months ago

@jarrodCoombes the issue that’s been there the whole time - and remains - is that there may not be parity between manually created groups in Snipe-IT and ones in AD/LDAP/Google Workspace - and even if they exist, since our permissions and AD permissions might not match up, there is always the danger of elevating permissions because of name collisions, etc. And I’d argue that the default group should handle most cases, since you don’t want that many admins and superadmins on any system, imho.

When we find a reasonable solve for this, we’ll execute on it, but right now, there are still a lot of limitations and footguns.

jarrodCoombes commented 11 months ago

Glad you are taking a cautious approach to this.

there may not be parity between manually created groups in Snipe-IT and ones in AD/LDAP/Google Workspace

The manual mapping is what creates the parity. Unless I am missing some sort of fundamental point about how the sync actually works.

To be clear, I am not suggesting Snipe automatically creates new groups based on what is synced from the directory, I am suggesting you simply allow group mapping between Snipe and the directory. In other words, I create a group in Snipe and manually tell it which AD group it maps to (similarly to how you can map a location to an OU currently). As a side note, this is actually how a ton of other platforms do this exact thing.

our permissions and AD permissions might not match up

This sort of confuses me, as you don't sync any AD permissions as far as I can tell. So the only thing that would matter to Snipe is what group the user is in and if that group is actually mapped to an existing Snipe group. All of this is on the admin who sets this up and not you as devs.

Running through that workflow in my mind, I cannot see where the danger of privilege elevation comes in, unless I, as the super admin, map the wrong group, or add the AD user to the wrong group in AD.

snipe commented 11 months ago

You’re assuming a world where 1) admins will remember to map those at all and 2) admins will continue to remember to map over time as new groups get added to their directory. This project is a decade old. While I’d love to believe that everyone’s install is perfect, pristine, and up to date, a decade of xp tells me that’s not true. While one could argue that’s not really on us, we also try hard to not provide opportunities where “the asset management initiative” was started by someone who doesn’t even work there anymore, has been inherited by someone who doesn’t know what needs to be done, and falls into disrepair. Because permissions are important here, we want to make sure we minimize the places where things can get wonky when regimes change, people change roles, etc.

snipe commented 11 months ago

(I’m not arguing with you btw - just explaining that this, like so many other parts of this project, is more complicated than it seems if we want to do it right in the long term)

jarrodCoombes commented 11 months ago

Yep, no argument here, just debate (thanks for engaging).

1) admins will remember to map those at all and 2) admins will continue to remember to map over time as new groups get added to their directory.

If they don't, then the user falls into the default group as per the settings, or no group with no permissions if that's not set up (basically how it does it now). If it's a new group, not mapped, then nothing changes with the current setup. So it "fails" into a safe state, or at least a status quo state.

I think we are missing each other on something here. I believe you are assuming that people would want all new directory groups to be automatically added to Snipe and have their permissions mapped accordingly? If so, this is not the case at all. Most people will simply want to pick or create a Snipe group and then tell it to put people in it from the directory who are in this particular directory group and ignore all other groups.

A working example would be what we need. I have staff members and I have students. I would like any AD user in the "Snipe-Staff" AD group to be placed in the "Staff" group in Snipe, and anyone in the "Snipe-Student" AD group to be placed in the "Student" group in Snipe. All other directory groups should be completely ignored, and if a user is in neither of those groups, then what happens now should continue to happen.
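
The Staff/Student mapping described in this comment, written out as sync logic, as an added example that is not part of this thread, of Snipe-IT, or of any PR referenced here. It keeps the explicit admin-maintained allowlist (unmapped directory groups are ignored, which is also what keeps a same-named directory group from landing anyone in a Snipe-IT group by name collision), falls back to a default group when nothing matches, and removes a managed group when the user leaves it in the directory. The group DNs, usernames, the "Users" default group and the existing memberships are constructed for illustration.

```python
"""Directory-group -> Snipe-IT-group mapping, computed per user.

Added example; not Snipe-IT code. Group DNs, usernames and the Snipe-IT
group names below are constructed for illustration.
"""
from dataclasses import dataclass


def norm_dn(dn: str) -> str:
    """LDAP DNs compare case-insensitively; normalise before any lookup."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Explicit, admin-maintained allowlist: directory group DN -> Snipe-IT group.
# A directory group that is not listed here is never considered, whatever it
# is called, so a directory group named "Admin" cannot put anyone into a
# Snipe-IT "Admin" group just because the names match.
GROUP_MAP = {
    norm_dn("CN=Snipe-Staff,OU=Groups,DC=example,DC=com"): "Staff",
    norm_dn("CN=Snipe-Student,OU=Groups,DC=example,DC=com"): "Student",
}

# Fallback for users matching no mapped group (None models "no default set").
DEFAULT_GROUP = "Users"


@dataclass
class DirectoryUser:
    username: str
    member_of: list  # group DNs as returned by the directory


def desired_groups(user, group_map=GROUP_MAP, default_group=DEFAULT_GROUP):
    """Snipe-IT groups the directory says this user should be in."""
    mapped = {group_map[norm_dn(dn)] for dn in user.member_of if norm_dn(dn) in group_map}
    if not mapped and default_group is not None:
        return {default_group}
    return mapped


def plan_sync(user, current_groups, group_map=GROUP_MAP, default_group=DEFAULT_GROUP):
    """Return (to_add, to_remove) for one user.

    Only groups this sync manages (mapping targets plus the default group)
    are ever removed; a group an admin assigned by hand is left untouched.
    """
    managed = set(group_map.values())
    if default_group is not None:
        managed.add(default_group)
    desired = desired_groups(user, group_map, default_group)
    current = set(current_groups)
    to_add = desired - current
    to_remove = (current & managed) - desired
    return to_add, to_remove


# Constructed sample run: current Snipe-IT memberships and directory state.
CURRENT_MEMBERSHIP = {
    "alice": [],            # new starter, no Snipe-IT groups yet
    "bob": ["Admin"],       # hand-assigned in Snipe-IT, not managed by the sync
    "carol": ["Staff"],     # moved from staff to student in the directory
    "dave": ["Users"],      # already in the default group
}
DIRECTORY_USERS = [
    DirectoryUser("alice", ["CN=Snipe-Staff,OU=Groups,DC=example,DC=com"]),
    DirectoryUser("bob", ["cn=Admin,ou=Groups,dc=example,dc=com"]),  # unmapped: ignored
    DirectoryUser("carol", ["CN=Snipe-Student,OU=Groups,DC=example,DC=com"]),
    DirectoryUser("dave", []),
]


def run_sync(users=DIRECTORY_USERS, membership=CURRENT_MEMBERSHIP):
    """Change set per user; a real sync would apply it through the Snipe-IT API."""
    return {u.username: plan_sync(u, membership.get(u.username, [])) for u in users}


if __name__ == "__main__":
    for name, (add, remove) in run_sync().items():
        print(f"{name}: add={sorted(add)} remove={sorted(remove)}")
```

Computing a change set first and applying it separately is deliberate: the plan can be logged or reviewed before any membership changes, and because only mapping targets and the default group are ever removed, a manually granted Snipe-IT group survives the sync rather than being silently revoked.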

ipaqmaster commented 9 months ago

Late 2023 it seems this is still not possible? Even the LDAP Permissions Group setting doesn't seem to be at all functional.

GodAtum360 commented 6 months ago

Is this still not possible? When I onboard new users, I need to manually set their correct group in SnipeIT!

droid-sheep commented 2 months ago

I've run into the same problem. I wrote a quick and dirty node script to synchronize my active directory users to snipe.

Check it out at https://github.com/droid-sheep/snipe-it-ldap-group-sync
