Chapter 25. Policy: Defining Automatic Group Membership for Users and Hosts

Most of the policies and configuration within the Identity Management domain are based on groups. Settings from sudo rules to automount to access control are defined for groups, and then those settings are applied to group members.
Managing group membership is an important factor in managing users and hosts. Creating automember groups defines rules to add users and hosts to specified groups automatically, as soon as a new entry is added.

25.1. About Automembership

One of the most critical tasks for managing policies, identities, and security is managing group membership in Identity Management. Groups are the core of most policy configuration.
By default, hosts do not belong to any group when they are created; users are added to the catchall ipausers group. Even if custom groups are configured and all policy configuration is in place, users and hosts cannot take advantage of those policies until they are joined to groups. Of course, this can be done manually, but it is both more efficient and more consistent if group membership can be assigned automatically.
This is done with automembership groups.
Automembership is essentially an automatic, global entry filter that organizes entries, at least in part, based on specific criteria. An automember rule, then, is the way that filter is specified.
For example, there can be a lot of different, repeatable ways to categorize identities within the IT and organizational environment:
  • Adding all hosts or all users to a single global group.
  • Adding employees to specific groups based on their employee type, ID number, manager, or physical location.
  • Dividing hosts based on their IP address or subnet.
Automembers provide a way to pre-sort those entries. That makes it easier to configure the actual behavior that you want, such as granting different sudo rules to different user types or to machines on different subnets, or applying different automount settings to different users.

Note

Automembership only applies to new users or hosts. Changing the configuration of an existing user or host does not trigger a change in its group membership, and adding or changing a rule does not retroactively add existing entries to the target group. Later Identity Management releases provide the ipa automember-rebuild command to apply the rules to existing entries; without it, existing entries must be added to groups manually.
Automembership is a target set on an existing user group or host group. An automembership rule is created as a policy. This is a sister entry to the actual group entry and it signals that the given group is used for automatic group membership.
Once the rule is created — once the group is identified as being a target — then the next step is to define automember conditions. Conditions are regular expression filters that are used to identify group members. Conditions can be inclusive or exclusive, meaning that matching entries can be added or ignored based on those conditions.
There can be multiple conditions in a single rule. A user or host entry can match multiple rules and be added to multiple groups.
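To check a set of planned rules before creating them on the server, the following added example (not code from the Identity Management Guide or from the FreeIPA project) models how the inclusive and exclusive conditions described above combine, shows that one entry can satisfy several rules, and renders the rules as the ipa automember-add and ipa automember-add-condition calls that would create them. The rules, host names and user attributes are constructed for the example, and the evaluation order it uses, an entry joins the group when it matches at least one inclusive condition and no exclusive condition, is an assumption about the server's behaviour rather than the plugin's own code.

```python
import re
import shlex
from typing import Dict, List, Tuple

# Constructed sample rules (not exported from a real IdM server). Each rule
# is named after its target group; each condition is (attribute key, regex),
# i.e. the --key and --inclusive-regex/--exclusive-regex arguments of
# "ipa automember-add-condition". The attribute keys are assumed names.
Condition = Tuple[str, str]
Rule = Dict[str, List[Condition]]

RULES: Dict[str, Dict[str, Rule]] = {
    "hostgroup": {
        "webservers": {
            "inclusive": [("fqdn", r"^web[0-9]+\.example\.com$")],
            "exclusive": [],
        },
        "production": {
            "inclusive": [("fqdn", r"\.example\.com$")],
            "exclusive": [("fqdn", r"^(dev|test)")],
        },
    },
    "group": {
        "engineering": {
            "inclusive": [("manager", r"^uid=alice,")],
            "exclusive": [],
        },
        "contractors": {
            "inclusive": [("employeetype", r"^contractor$")],
            "exclusive": [],
        },
    },
}


def _any_match(conditions: List[Condition], entry: Dict[str, str]) -> bool:
    # re.search: a condition is a filter, not a whole-string comparison, so
    # anchor the pattern with ^ and $ when an exact value is intended.
    return any(
        key in entry and re.search(pattern, entry[key]) is not None
        for key, pattern in conditions
    )


def rule_matches(rule: Rule, entry: Dict[str, str]) -> bool:
    """Assumed evaluation order (modelled here, not the server's own code):
    an exclusive match vetoes the entry; otherwise at least one inclusive
    condition must match."""
    if _any_match(rule["exclusive"], entry):
        return False
    return _any_match(rule["inclusive"], entry)


def target_groups(rules, entry_type: str, entry: Dict[str, str]) -> List[str]:
    """Every group whose rule the new entry satisfies; one entry may land in
    several groups when several rules match."""
    return sorted(
        group for group, rule in rules[entry_type].items()
        if rule_matches(rule, entry)
    )


def ipa_commands(rules) -> List[str]:
    """Render the rules as the ipa CLI calls that would create them."""
    cmds = []
    for entry_type, by_group in rules.items():
        for group, rule in by_group.items():
            cmds.append(f"ipa automember-add --type={entry_type} {group}")
            for flag, conds in (("inclusive", rule["inclusive"]),
                                ("exclusive", rule["exclusive"])):
                for key, pattern in conds:
                    cmds.append(
                        f"ipa automember-add-condition --type={entry_type} "
                        f"--key={key} --{flag}-regex={shlex.quote(pattern)} {group}"
                    )
    return cmds


if __name__ == "__main__":
    # Constructed host entries standing in for hosts about to be enrolled.
    for fqdn in ("web01.example.com", "db01.example.com", "test01.example.com"):
        print(fqdn, "->", target_groups(RULES, "hostgroup", {"fqdn": fqdn}))
    print("\n".join(ipa_commands(RULES)))
```

Running the dry run against the host names you expect to enroll is the cheapest way to catch an unanchored regex: the production rule's `\.example\.com$` would otherwise also admit a host such as `web01.example.com.evil.example.com` if the exclusive condition did not cover it. The rendered commands are the same ones you would type against the real server once the matches look right.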
Automembership is a way of imposing reliable order on user and host entries by adding them to groups as they are created.
The key to using automember groups effectively is to plan your overall Identity Management structure — the access control policies, sudo rules, host/service management rules, host groups, and user groups.
Once the structure is in place, then several things are clear:
  • What groups will be used in the Identity Management domain
  • What specific groups different types of users and hosts need to belong to in order to perform their designated functions
  • What delineating attributes can be used to filter users and hosts into the appropriate groups