DataViews

Challenge
You don't need to use a cannon to shoot flies. Sometimes you have a relatively simple issue to resolve, but all the tools available to fix the problem seem too complicated for the solution that you want to implement. A fairly common scenario is the need to limit the data that can be viewed for an entry depending on the user who is viewing it.

While this sort of functionality can be achieved using an ACL, this requires a fair amount of configuration and a pretty good understanding of the policy that you want to implement. Furthermore, an ACL may provide a slightly stricter policy than what you wish to implement. For instance, you may want to still be able to perform operational actions on particular 'hidden' attributes.

DataViews
Symlabs LDAP Proxy and Virtual Directory Server include a very simple plugin that allows you to quickly define a 'data view', limiting the attributes that will be presented for a particular entry, or branch of entries, within your directory. The conditional model inside the processing stages used within your solution can be used to specify filters that determine when the data view is applied. This means that you can apply the policy globally, limit it to particular branch requests, apply it for particular BIND credentials, or apply it based on the network or IP address that a request originates from.

The Data View plugin can be used to help filter out uninteresting attributes so that only relevant data is returned to a client application. This can help reduce overall network load and can improve client application responsiveness.

You can also hide particular attributes so that they are returned only if they are explicitly requested. This allows you to store operational attributes that will not affect client application behavior, but which you can still use for operational purposes.

Finally, this plugin can be used as a very basic security filter, preventing read access to particular attributes accessed via the proxy engine. While the ACL plugin is more generally recommended for this purpose, the Data View plugin offers a quick solution that is effective at limiting application access to particular attributes.
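The Python sketch below is an added illustration of the semantics described above, not Symlabs code or the plugin's configuration format. The `DataView` class, its field names (`hidden`, `blocked`, `bind_dns`, `networks`) and the sample entry are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class DataView:
    base_dn: str                        # branch the view covers
    bind_dns: frozenset = frozenset()   # empty: any BIND identity
    networks: tuple = ()                # empty: any client address
    hidden: frozenset = frozenset()     # returned only when named in the request
    blocked: frozenset = frozenset()    # never returned

    def matches(self, entry_dn, bind_dn, client_ip):
        # Simplification: DNs are compared as lowercased strings.
        dn, base = entry_dn.lower(), self.base_dn.lower()
        ip = ipaddress.ip_address(client_ip)
        return ((dn == base or dn.endswith("," + base))
                and (not self.bind_dns or bind_dn.lower() in self.bind_dns)
                and (not self.networks
                     or any(ip in ipaddress.ip_network(n) for n in self.networks)))

def apply_view(view, entry_dn, attrs, requested, bind_dn, client_ip):
    """Filter one search-result entry; `requested` is the client's attribute list."""
    wanted = {r.lower() for r in requested}
    select_all = not wanted or "*" in wanted
    in_view = view.matches(entry_dn, bind_dn, client_ip)
    out = {}
    for name, values in attrs.items():
        key = name.lower()
        if not select_all and key not in wanted:
            continue                    # ordinary LDAP attribute selection
        if in_view and key in view.blocked:
            continue                    # security-filter use: dropped even if named
        if in_view and key in view.hidden and key not in wanted:
            continue                    # hidden: skipped unless explicitly named
        out[name] = values
    return out

# Constructed sample data.
APP = "cn=hrapp,ou=apps,dc=example,dc=com"
DN = "uid=alee,ou=people,dc=example,dc=com"
ENTRY = {"cn": ["Ann Lee"], "mail": ["alee@example.com"],
         "lastReview": ["2011-03-01"], "userPassword": ["{SSHA}constructed"]}
VIEW = DataView("ou=people,dc=example,dc=com", frozenset({APP}), ("10.0.0.0/8",),
                hidden=frozenset({"lastreview"}), blocked=frozenset({"userpassword"}))

if __name__ == "__main__":
    print(apply_view(VIEW, DN, ENTRY, [], APP, "10.1.2.3"))             # default search
    print(apply_view(VIEW, DN, ENTRY, ["lastReview"], APP, "10.1.2.3")) # explicit request
    print(apply_view(VIEW, DN, ENTRY, [], "cn=other,dc=example,dc=com", "10.1.2.3"))
```

In this model a hidden attribute remains readable by any client that names it, and a request that falls outside the view's BIND or network conditions is returned unfiltered, so when reviewing such a policy check the conditions as carefully as the attribute list.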


Symlabs is now part of Quest Software. A leader in simplifying and reducing the cost of IT management, Quest’s innovative solutions make solving the toughest IT management problems easier, enabling more than 100,000 customers worldwide to save time and money across physical, virtual and cloud environments. The addition of Symlabs virtual directory and federation technology will enhance the overall architecture of the Quest® One Identity Solution and Quest migration products. Learn more at www.quest.com/symlabs.