Flowmon

Integrating Flowmon and LDAP/AD

03/08/20

How to deploy Flowmon for multiple users easily.

The integration of Flowmon with an external user database such as Active Directory (AD) significantly simplifies access rights management both for small companies and enterprises. Although it has been available for some time, there are some helpful functions that may not be immediately obvious.

Two ways of integration

The first option is to add AD groups whose names consist of a prefix and the name of the user role, separated by a dash or underscore (e.g., Flowmon-Support). Only groups whose names conform to this pattern are assigned the corresponding role, so permissions management is reduced to assigning users to groups in Active Directory.

This is a simple mechanism that doesn’t need any additional configuration.


Fig. 1 Integration via prefix. Groups in AD should start with "Flowmon" and the "-" must be followed by the role name in the Flowmon system.

This method is remarkably simple, although it has the limitation that it requires additional groups to be created in AD specifically for managing Flowmon, which may cause difficulties for customers with an extensive AD structure and a naming scheme that does not allow a prefix. It is therefore best suited to small companies that want to benefit from centralized identity management and access control across all their systems, including Flowmon.

For enterprise customers, there is an alternative mechanism in which roles are assigned to existing AD groups. Flowmon can then read the whole structure of the user database, so no new groups with an imposed naming scheme are needed. Roles can be mapped onto any group in any AD branch, which makes the integration flexible enough to fit any kind of AD structure.


Fig. 2 The alternative integration method allows mapping any AD groups to Flowmon roles.


Fig. 3 List of all group-role mappings.

Permission inheritance and group nesting are handy functions in AD management that help admins manage resource privileges. In Flowmon, you can do the same by enabling the group nesting function.


Fig. 4 Enabling group nesting. It is possible to choose two ways of inheriting access rights.

It should be noted that nesting is optional, not mandatory. When configuring the integration, you can choose whether to use nesting or a flat AD structure. If you decide to nest permissions, there are two types of nesting - inheritance from the parent object, or taking permissions from child groups; see the diagrams below.


Fig. 5 Roles inherited from parent elements. The member groups inherit roles from the main group.


Fig. 6 Roles obtained from child elements. The main group takes roles from member groups.
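To make the two mechanisms and the two nesting directions concrete, here is an added example that models how a user's effective roles would be resolved under each option. It is not Flowmon's own code; the group names, role names and the membership graph are constructed for illustration.

```python
import re

# All names below are constructed for this example, not taken from any real AD.
PREFIX_PATTERN = re.compile(r"^Flowmon[-_](?P<role>.+)$")  # mode 1 naming rule

# AD memberOf relation: group -> groups it is a member of (child -> parents)
MEMBER_OF = {"NetOps-Prague": ["NetOps-All"], "NetOps-All": ["IT-Staff"],
             "Helpdesk": ["IT-Staff"], "IT-Staff": []}
# Inverse relation: parent -> member groups, derived from MEMBER_OF
MEMBERS = {}
for _child, _parents in MEMBER_OF.items():
    for _parent in _parents:
        MEMBERS.setdefault(_parent, []).append(_child)

# Mode 2: administrator-defined mapping of existing AD groups to roles (Fig. 2/3)
GROUP_ROLE_MAP = {"IT-Staff": "Viewer", "NetOps-All": "Operator",
                  "NetOps-Prague": "Admin"}


def roles_from_prefix(group_names):
    """Mode 1 (Fig. 1): only groups named <prefix>-<role> yield a role."""
    roles = set()
    for name in group_names:
        match = PREFIX_PATTERN.match(name)
        if match:
            roles.add(match.group("role"))
    return roles


def _closure(group, edges):
    """Groups transitively reachable from `group` by following `edges`."""
    reached, stack = set(), [group]
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in reached:
                reached.add(nxt)
                stack.append(nxt)
    return reached


def roles_from_mapping(user_groups, nesting=None):
    """Mode 2, optionally nested. "parents": member groups inherit the roles
    of the groups they belong to (Fig. 5). "children": a group takes the
    roles of its member groups (Fig. 6). None: flat lookup (Fig. 3)."""
    effective = set(user_groups)
    edges = {"parents": MEMBER_OF, "children": MEMBERS}.get(nesting)
    if edges is not None:
        for group in list(effective):
            effective |= _closure(group, edges)
    return {GROUP_ROLE_MAP[g] for g in effective if g in GROUP_ROLE_MAP}
```

Note that the "children" direction widens access upward: everyone in a broad parent group gains the roles mapped to its narrower member groups, so review the affected mappings before enabling it.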

What next?

Choose which integration suits you better and decide whether you want to use group nesting. Enter the basic information about your domain and the account that will be used for the integration, and see how easy it is to manage multiple users of the Flowmon solution.

If this article does not answer all your questions about managing access rights in Flowmon, contact us.