  • Discussion

    Why don't we support nested groups in StreamStudio?

  • Ola Hellgren, StreamServe Employee
    0 likes 1780 views

    Hi!

    I've come in contact now with many customers that like to use nested groups when assigning roles in StreamStudio. Does anyone know why we don't support this and if it's planned?

    Kind Regards, Ola Nordin

    Monday 18 January, 2010
  • David Shih, StreamServe Employee
    0 likes

    They're probably running Active Directory, aren't they? In the Windows world, the best-practices convention is to create Domain Users, assign them to Global Groups, which are then assigned to Local Groups, which are then mapped to Resources.

    In the LDAP world, nested group membership is a lot harder to determine. In pure LDAP, group members are listed by RDN within the group definition; it's certainly possible to reference a group's RDN within another group. In Microsoft's Active Directory, they have virtual attribute:value pairs (memberOf) on the member entry, as well as the typical attribute:value pairs (member) on the group entry.

    In pure LDAP, I don't think there's an easy way to pick apart nested groups, aside from enumerating each "member" value, determining whether its objectclass is a "group" or "groupOfUniqueNames", then recursively enumerating each of those "member" values. It gets ugly extremely quickly. Since we'd be operating outside the LDAP server, we'd be parsing each RDN as a string value, and would require many many many LDAP queries just to determine group membership.

    In a future Service Pack, there's talk of supporting a native Active Directory API. I don't know the timeline. I'm a fan of sticking with pure LDAP calls. In other words, suck it up, and create new groups that only contain "User" or "inetOrgPerson" objects.

    Monday 18 January, 2010
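
The recursive enumeration described in the reply above, as an added example that is not part of the original thread and is not StreamServe code. A constructed in-memory dictionary with hypothetical DNs stands in for the LDAP server, and each `lookup` call models one LDAP search, so the returned count shows the query cost of resolving a nested group from outside the server.

```python
BASE = "dc=example,dc=com"  # hypothetical directory suffix
GROUP_CLASSES = {"group", "groupofnames", "groupofuniquenames"}

def g(cn):   # helper: build a group DN (hypothetical layout)
    return f"cn={cn},ou=groups,{BASE}"

def u(uid):  # helper: build a user DN (hypothetical layout)
    return f"uid={uid},ou=people,{BASE}"

# Constructed sample directory: DN -> entry. "gothenburg" points back at
# "collector" (a membership cycle) and "stockholm" has a dangling member.
DIRECTORY = {
    g("collector"): {"objectClass": ["top", "groupOfNames"],
                     "member": [g("stockholm"), g("gothenburg"), u("admin")]},
    g("stockholm"): {"objectClass": ["top", "groupOfNames"],
                     "member": [u("anna"), u("bo"), u("ghost")]},
    g("gothenburg"): {"objectClass": ["top", "groupOfNames"],
                      "member": [u("bo"), u("cia"), g("collector")]},
    u("admin"): {"objectClass": ["top", "inetOrgPerson"]},
    u("anna"): {"objectClass": ["top", "inetOrgPerson"]},
    u("bo"): {"objectClass": ["top", "inetOrgPerson"]},
    u("cia"): {"objectClass": ["top", "inetOrgPerson"]},
}

def resolve_members(group_dn, lookup):
    """Return (set of user DNs, number of lookups) for a possibly nested group."""
    users, seen, queries = set(), set(), 0
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        key = dn.lower()  # simplified DN comparison (assumption)
        if key in seen:   # already visited: breaks cycles, avoids repeat queries
            continue
        seen.add(key)
        entry = lookup(dn)  # one round trip to the directory per distinct DN
        queries += 1
        if entry is None:   # dangling member reference: nothing to add
            continue
        classes = {c.lower() for c in entry["objectClass"]}
        if classes & GROUP_CLASSES:
            stack.extend(entry.get("member", []))  # nested group: descend
        else:
            users.add(dn)   # leaf entry such as inetOrgPerson
    return users, queries

if __name__ == "__main__":
    members, cost = resolve_members(g("collector"), DIRECTORY.get)
    print(sorted(members), cost)
```
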
  • Ola Hellgren, StreamServe Employee
    0 likes

    Thank you for your answer, David. Now I know where StreamServe stands on this issue.

    // Ola

    Monday 18 January, 2010
  • Ola Hellgren, StreamServe Employee
    0 likes

    Hi again.

    I got some more input regarding this from a colleague. This talk of using Microsoft AD's API might be a good thing when the majority, from my experience, of our customers use MAD as a directory service.

    Let's say, as in a customer's case, they have 18.000 users that need access to the Collector applications. The time it would take for them to put all users in one group will be extensive, instead of just adding one group to StreamStudio and then letting the local manager put new users in the local group that's connected to the global group.

    As StreamServe is used in larger companies that have extensive ADs, it might be good to have support for this.

    Regards,

    Ola Nordin

    Monday 18 January, 2010