How to Configure Rules for Automatic CAL Assignment using SCIM
System for Cross-Domain Identity Management (SCIM) is an open standard protocol used to automate the exchange of user and group information between identity providers and enterprises. With SCIM, users added to the Identity Management System have their accounts automatically created in VIDIZMO when they are provisioned from the Identity Provider. User attributes and profiles are synchronized between the two systems, while updates and removal of users are based on the user status in the Identity Management System.
In VIDIZMO, a large number of users can be provisioned through Identity Providers, and each of them has to be given a CAL, a kind of security policy that determines what access permissions a user and a group have to perform a specific task. For this reason, the SCIM settings let you set rules that determine the targeted CAL. This helps enterprises assign a specific CAL to large organizational groups without manually assigning a CAL to each user.
Prerequisite
- Ensure that you belong to a group where the Management of SSO + SCIM permission is enabled to access this feature.
Steps to Add New Rules
I. From the Portal's Home Page:
1. Click on the Admin Tab to expand it.
2. Navigate to the Portal Settings.
II. On the Portal Settings page:
1. Click on the Apps option on the left to expand it.
2. Further click on the Provisioning option.
3. Locate any of the SCIM-supported Identity Provider Apps and click on the Settings icon on the right-hand side.
III. On the SCIM settings page:
1. Click on the Add New Rules option.
2. Select the Attribute Path.
3. Select the Condition that you want to set for the rule being created.
4. Provide the Matching text for the condition you selected above.
5. Select the Targeted CAL that you want to set for the users belonging to the groups that meet the above conditions.
6. Click Save Changes.
Limitations and Considerations
- The only Attribute Path supported in VIDIZMO is the Group's Display Name.
- Users can create multiple rules. However, if multiple conflicting rules are created, for example, for a user belonging to two different groups in AD/OKTA, then the first rule is applied.
- If multiple rules are created and a group consisting of numerous users is provisioned from an Identity Provider, the process may take a little longer than usual.
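Because the first rule is applied when rules conflict, it is worth checking which CAL each provisioned user would actually receive before saving a rule set. The Python below is an added example and not VIDIZMO code; the condition names, CAL names, group names, case-insensitive matching and the reading of "first rule" as top-to-bottom list order are all assumptions made for illustration.

```python
# Constructed model of the rule evaluation described above; not VIDIZMO code.
# Condition names, CAL names and case-insensitive matching are assumptions.
CONDITIONS = {
    "equals": lambda name, text: name.lower() == text.lower(),
    "contains": lambda name, text: text.lower() in name.lower(),
    "starts_with": lambda name, text: name.lower().startswith(text.lower()),
}

# Ordered rules: (condition, matching text, targeted CAL). Order matters
# because the first matching rule is the one applied on conflict.
RULES = [
    ("starts_with", "Eng-", "Contributor"),
    ("contains", "Admins", "Administrator"),
    ("equals", "All Staff", "Viewer"),
]

# Constructed sample: user -> group display names as provisioned via SCIM.
USERS = {
    "alice": ["Eng-Platform", "All Staff"],
    "bob": ["All Staff"],
    "carol": ["Eng-Admins"],
    "dave": ["Contractors"],
}

def matching_rules(groups, rules=RULES):
    """Return indexes of every rule matched by at least one group display name."""
    return [i for i, (cond, text, _cal) in enumerate(rules)
            if any(CONDITIONS[cond](g, text) for g in groups)]

def assign_cal(groups, rules=RULES):
    """Return (CAL from the first matching rule or None, CALs of shadowed rules)."""
    hits = matching_rules(groups, rules)
    if not hits:
        return None, []
    applied = rules[hits[0]][2]
    shadowed = sorted({rules[i][2] for i in hits[1:]} - {applied})
    return applied, shadowed

def audit(users=USERS, rules=RULES):
    """Map each user to the applied CAL and any conflicting CALs that lost."""
    return {u: assign_cal(g, rules) for u, g in users.items()}

if __name__ == "__main__":
    for user, (cal, shadowed) in audit().items():
        note = f" (conflicts with: {', '.join(shadowed)})" if shadowed else ""
        print(f"{user}: {cal or 'no rule matched'}{note}")
```

In this constructed data, carol's single group matches two rules and alice's two groups match two rules; reviewing such conflicts against the intended access level shows whether the rule order needs to change.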