Details
-
Suggestion
-
Resolution: Unresolved
-
None
Description
Problem Definition
Nested Groups can be enabled on both, Crowd server and connected applications using Embedded Crowd.
On some connected applications, doing operations with nested groups (i.e. permissions validation on Confluence) may be expensive.
When Embedded Crowd synchronizes a directory with Crowd, it uses the /crowd/rest/usermanagement/1/group/membership REST API method.
If we have the below hierarchy in the LDAP server, then Crowd will pass it along to the connected application without any modifications.
+ GroupProject1
++ aduser003
++ GroupTeam1
+++ aduser001
+++ aduser002
This forces the connected application to be aware of nested groups and still perform expensive operations to accomplish its tasks.
Suggested Solution
When nested groups is enabled in Crowd, there could be a configuration to always pass along to the connected applications a flattened groups memberships in a way that the connected application isn't aware the nested groups configuration exists.
In the previous example, instead of passing the hierarchy below
+ GroupProject1
++ aduser003
++ GroupTeam1
+++ aduser001
+++ aduser002
Crowd could send a flattened list of users x groups memberships as below
+ GroupProject1
++ aduser003
++ aduser001
++ aduser002+ GroupTeam1
++ aduser001
++ aduser002
This would relief the connected application from expensive nested groups calculation, leaving this task to Crowd when Synchronization occurs.
Workaround
There's no workaround so far.
Attachments
Issue Links
- is related to
-
CWD-4942 Update Nested Groups in Crowd documentation
- Short Term Backlog