Skip to main content

Need an automation to map Active Directory groups to access to groups and monitoring projects on Ataccama UI.

 

Have you already had a look at the guide in the official documentation on AD integration @hbairi ? Here: https://docs.ataccama.com/one/latest/third-party-software/keycloak-active-directory-integration.html

This takes care of your AD mapping to an Ataccama Keycloak role.

 

Then, to configure what that Keycloak role means in the Ataccama application, this section of the doc should help: https://docs.ataccama.com/one/latest/user-access-management/introduction.html

 

Depending on your product version some details may differ, so please ensure you check the docs for your current version.

 

Have a read through and let us know if you have any specific questions on your use case? It would be helpful if you could share which AD provider you’re working with. Also, depending on your architecture (self-managed or PaaS or hybrid) there may also be slight differences in configuration.


@maykwok_hamilton  We already got this document and I already implemented this as a manual procedure. We are looking for an automation procedure where when we create an AD group in Active directory, we would need that to be visible on Ataccama as AD integration has already been done, rather than creating the identity role in keyclock and mapping it on the keyclock console manually. We worked with anna.kitor@ataccama.com on this implementation.
We are looking for AD group mapping automatically but not AD users.

Below are the steps which we implemented in our stage environment and got to know that there are many manual steps involved.
 

High Level steps:

  1. Create an AD group from IIQ - Approvals needed → AUTOMATE TASK
  2. Map AD group under Keycloak admin by creating a mapper (Manual Task) - Need attribute name of AD group from IAM/OKTA team → MANUAL Task
  3. Create role to the AD group mapper under Realm Role on Keycloak admin. → MANUAL TASK
  4. Assign the created role to the AD group mapper. → MANUAL TASK
  5. Restart the mmm-backend & Keycloak-server services on dependency & application server - OR- Click on UPDATE button on Ataccama one Web> Settings> Users > UPDATE → MANUAL TASK
  6. Create the group with same name on Ataccama One Web> Settings> groups> create → MANUAL TASK
  7. Edit the created group and add the indentity role to data-steward/data-owner role and save & publish it. → MANUAL TASK
  8. If any user requests for group & role access for the AD group then user need to open a request in IIQ to add him/her into the AD group. → AUTOMATE TASK
  9. Once user has been added., we will need to test/verify if the user has got access to the group once he/she login into Ataccama Web UI. → TESTING

10. Assign/provide group access to monitoring project by mapping AD group on Ataccama one Web UI → MANUAL TASK
a. Go to monitoring project- One web> Data quality> Monitoring project> Select monitoring project> Stewardship (edit)> assign ownership to group.
b. Verify the access after user testing his/her access to the monitoring project. → TESTING


Thanks,

Harish


Hi @hbairi thanks for elaborating.

 

I don’t know which specific version of keycloak or Ataccama you have, so please check the documentation for your relevant version.

For your steps 2, 3 and 4, Keycloak does have REST API you can use, for example, 

You should be able to write some component that would take your AD group values, perform some transformation to create your keycloak role and mapper names, then send those API calls to keycloak to create the roles and mappers?

 

For step 5, most certainly there is possibility to write some component that can issue graphql calls using JSON Call step to perform that task.

I use a little trick to catch the graphql queries that the web application produces when you press a button. E.g., if you click the “UPDATE” button to update user list, then you can track in your web browser console what graphql call your browser sent to the backend. You can “take it as inspiration”  and use it in your own use cases. Here’s a community article to show step by step guide on how to “steal” these queries: 

 

For steps 6, 7 and 10, you should be able to use either graphql call or ONE Metadata writer. I don’t have an example to hand, but usually I use the ONE Metadata reader to query the thing I try to create, check the metadata model and the output, and make sure I supply all required details (apart from the id which is created by ONE) in the ONE Metadata writer step.

If you haven’t worked with ONE Metadata much, here’s the documentation link on how to use the steps: https://docs.ataccama.com/one-desktop/latest/work-with-ataccama-one/work-with-metadata.html

And here’s the documentation link on the metadata model itself: https://docs.ataccama.com/one/latest/metadata-model/metadata-model-overview.html

 

This is a very big topic, so please do come back with more specific questions and let’s get the conversation going!

(And I wonder if Anna is around? Is this the right  @Anna ?)


Hi @may_kwok,
Thank you so much for this information. @Anna is out for maternity leave and I am the new product owner for the team. 
Would it be possible to set up a call with you and a few engineers on our team to understand how we can implement this for our use case?
Thanks


Hi @ritgupta ,

Have you been in touch with your engagement manager to get some help from another member of the Ataccama’s own professional services team, while Anna is on leave? What you’re trying to implement is a full blown project in its own right with multiple integrations between the applications so could benefit from someone seeing this through with you end-to-end.

There’s a community article here that explains in general how to use the ONE Metadata reader and writer steps: 

It also requires some understanding on how that is related to the underlying metadata model.


Reply


ataccama
arrows
Lead your team  forward  OCT 24 / 9AM ET
×