
[Feat]: Support Group Resource for Identity Management (SCIM)

Open sashwathn opened this issue 1 year ago • 3 comments

Problem

Currently, our SCIM server supports only the User resource. It can only be used to grant or block access to Netdata for users in their organization. After a user is created, it is up to the Netdata administrator to manually invite them to spaces, rooms and assign roles.

Description

Organisations need a way to map users in their Incident Management systems to relevant Space / Rooms / Permissions within Netdata without needing to manually invite each user.

cc: @juacker @ralphm

Importance

must have

Value proposition

  1. Enterprise Feature requested by many customers
  2. Key feature for full integration with SCIM

Proposed implementation

No response

sashwathn avatar Dec 03 '24 19:12 sashwathn

Based on the meeting with @ralphm, @papazach, and @car12o, we have agreed on the following specifications for implementing SCIM group support in Netdata:

Specifications

  1. Mappings Configuration

    • SCIM group-to-Netdata membership mappings can be defined.
    • Each mapping will consist of:
      • Space: The target space for the mapping.
      • Role: The Netdata role to assign.
      • List of Rooms (Optional): A specific subset of rooms within the space where the mapping applies.
  2. Admin Role Mapping Requirement

    • At least one mapping for the admin role is mandatory if mappings are configured for a space.
  3. Organization Scope

    • These mappings will only apply to SCIM accounts managed by the same organization.
    • Accounts within the space that are not under the organization’s control will not be affected by the mappings.
  4. Conflict Resolution

    • In cases where a user belongs to multiple SCIM groups with conflicting mappings (i.e. each group maps to a different role), the mapping associated with the role that has higher permissions will take precedence.
  5. Default Behavior

    • If no mappings are configured for a space, no automatic membership assignments will be performed.

Operational details

  • Mappings will be evaluated whenever a group operation is received via SCIM.
  • The result of these evaluations will determine the space and room memberships for users within the SCIM organization.

Let me know if there are any additional considerations or clarifications required.

juacker avatar Dec 13 '24 12:12 juacker
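The mapping rules agreed above, as an added worked example that is not netdata-cloud's own code: a small resolver that enforces the admin-mapping requirement and works out one SCIM user's space and room memberships. The role ranking, the group and room names, and the room-union semantics (a whole-space mapping covers all rooms; room subsets from several groups are merged) are assumptions made for this example only.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed privilege order for the example (lower number = more privileges);
# the issue only names "admin", so the other role names are placeholders.
ROLE_RANK = {"admin": 0, "manager": 1, "member": 2}


@dataclass(frozen=True)
class Mapping:
    group: str                          # SCIM group name
    space: str                          # target Netdata space
    role: str                           # role to assign in that space
    rooms: Optional[frozenset] = None   # None = whole space, else room subset


def validate_mappings(mappings):
    """Rule 2: a space that has any mapping must have an admin mapping."""
    spaces = {m.space for m in mappings}
    admin_spaces = {m.space for m in mappings if m.role == "admin"}
    missing = sorted(spaces - admin_spaces)
    if missing:
        raise ValueError(f"spaces without an admin mapping: {missing}")


def resolve_memberships(mappings, user_groups, managed_by_org):
    """Return {space: (role, rooms)} for one user; rooms None = whole space.

    Rule 3: accounts not managed by the SCIM organisation are left untouched.
    Rule 4: conflicting roles across groups -> highest privilege wins.
    Rule 5: a space with no matching mapping gets no assignment at all.
    """
    if not managed_by_org:
        return {}
    result = {}
    for m in mappings:
        if m.group not in user_groups:
            continue
        role, rooms = result.get(m.space, (None, frozenset()))
        if role is None or ROLE_RANK[m.role] < ROLE_RANK[role]:
            role = m.role
        # Assumed merge: any whole-space mapping wins, otherwise union rooms.
        rooms = None if (rooms is None or m.rooms is None) else rooms | m.rooms
        result[m.space] = (role, rooms)
    return result


# Constructed sample configuration for the example.
MAPPINGS = [
    Mapping("scim-ops-admins", "acme", "admin"),
    Mapping("scim-sre", "acme", "manager", frozenset({"prod", "staging"})),
    Mapping("scim-devs", "acme", "member", frozenset({"staging"})),
]
```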

Just found this one, referencing it https://github.com/netdata/netdata-cloud/issues/917

car12o avatar Dec 17 '24 10:12 car12o

Backend implementation is complete.

The new API documentation for creating rules is available here, but this API is not yet public; it will be exposed publicly once the FE is completed.

@kapantzak please let me know when you need access to the API and I can make it public in the test environment.

juacker avatar Feb 18 '25 12:02 juacker

The last pending point was the upgrade of the Okta integration, but yesterday Okta upgraded our integration, adding SCIM support. Closing as completed.

cc: @sashwathn

juacker avatar Jul 10 '25 14:07 juacker