Cross-domain assignment
When designing an environment in which RBAC data is provided by two naming domains, such as local files and LDAP, consideration must be given to cross-domain assignment of entities. Examples of cross-domain assignment include assigning an LDAP-defined role to a local user, and assigning a locally defined role to an LDAP user.
Assigning a remote entity (an LDAP role) to a local entity (a local user) is of little concern, because the assignment is recorded locally and has no effect on other systems in the environment. Assigning a local entity (a local role) to a remote entity (an LDAP user), however, should only be done with great care. Because the LDAP user is visible on every client, there is no guarantee that the local role assigned to it is defined on each client, or that it has the same definition on each client. For example, a role of the same name may be defined locally on several clients but carry different authorizations or rights profiles on each. An LDAP user assigned that role would therefore have different authorizations on each client, which can have undesirable security consequences: the role name in the user's LDAP entry looks the same everywhere, but what it grants depends on which system the user happens to log in to.
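The following is an added audit example, not part of this documentation: it parses user_attr(4) and prof_attr(4) style entries from a set of clients, resolves each local role's authorizations (including those inherited through rights profiles), and reports every role assigned to an LDAP user that is undefined on some client or defined differently across clients. The host names, file contents, and the authorization names such as solaris.example.db.manage are constructed for illustration only.

```python
"""Audit check for cross-domain RBAC assignment.

Added example, not part of the Solaris documentation.  It reads user_attr
and prof_attr entries for each client and flags local roles that an
LDAP user holds but that are missing or differently defined per client.
All sample data below is constructed for illustration.
"""


def parse_attr_field(attr):
    """Parse the key=value;key=value attribute field into {key: [values]}."""
    out = {}
    for kv in attr.split(";"):
        if "=" in kv:
            key, val = kv.split("=", 1)
            out[key] = [v for v in val.split(",") if v]
    return out


def parse_user_attr(text):
    """user_attr(4): name:qualifier:res1:res2:attr  ->  {name: attrs}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = parse_attr_field(fields[4]) if len(fields) > 4 else {}
    return entries


def parse_prof_attr(text):
    """prof_attr(4): profname:res1:res2:desc:attr, same 5-field layout."""
    return parse_user_attr(text)


def resolve_auths(attrs, prof_attr, seen=None):
    """Expand auths= plus every profile in profiles= (recursively) into one set."""
    seen = set() if seen is None else seen
    auths = set(attrs.get("auths", []))
    for prof in attrs.get("profiles", []):
        if prof in seen:
            continue  # already expanded, or a profile cycle
        seen.add(prof)
        if prof not in prof_attr:
            auths.add("<undefined profile: %s>" % prof)  # itself a finding
            continue
        auths |= resolve_auths(prof_attr[prof], prof_attr, seen)
    return auths


def audit_cross_domain_roles(ldap_user_attr, clients):
    """Return {role: {host: frozenset(auths) or None}} for each role that an
    LDAP user holds, is not itself LDAP-defined, and whose effective
    authorizations are not identical on every client (None = undefined).
    clients is {hostname: (user_attr_text, prof_attr_text)}."""
    ldap_entries = parse_user_attr(ldap_user_attr)
    ldap_roles = {n for n, a in ldap_entries.items() if "role" in a.get("type", [])}
    findings = {}
    for name, attrs in ldap_entries.items():
        for role in attrs.get("roles", []):
            if role in ldap_roles:
                continue  # LDAP-defined role: same definition on every client
            per_host = {}
            for host, (ua_text, pa_text) in clients.items():
                local = parse_user_attr(ua_text)
                if role not in local:
                    per_host[host] = None
                else:
                    per_host[host] = frozenset(
                        resolve_auths(local[role], parse_prof_attr(pa_text)))
            if len(set(per_host.values())) > 1:
                findings[role] = per_host
    return findings


# --- constructed sample data (hypothetical hosts, profiles and auth names) ---
LDAP_USER_ATTR = """
# served from LDAP, visible on every client
alice::::type=normal;roles=dbadmin,netadmin
netadmin::::type=role;profiles=Network Management
"""
CLIENT_A_USER_ATTR = "dbadmin::::type=role;auths=solaris.admin.usermgr.read;profiles=Database Operator\n"
CLIENT_B_USER_ATTR = "dbadmin::::type=role;auths=solaris.admin.usermgr.write;profiles=Database Operator\n"
SHARED_PROF_ATTR = "Database Operator:::Run database tools:auths=solaris.example.db.manage\n"
CLIENTS = {
    "hostA": (CLIENT_A_USER_ATTR, SHARED_PROF_ATTR),
    "hostB": (CLIENT_B_USER_ATTR, SHARED_PROF_ATTR),
    "hostC": ("", SHARED_PROF_ATTR),  # dbadmin never defined here
}

if __name__ == "__main__":
    for role, per_host in audit_cross_domain_roles(LDAP_USER_ATTR, CLIENTS).items():
        print("local role %r held by an LDAP user differs across clients:" % role)
        for host, auths in sorted(per_host.items()):
            print("  %s: %s" % (host, "undefined" if auths is None else sorted(auths)))
```

Run against the constructed data, the check flags dbadmin: hostA grants usermgr.read, hostB grants usermgr.write, and hostC has no such role at all, while netadmin is skipped because it is itself defined in LDAP and therefore identical everywhere. In practice the per-client files would be collected from each system (for example with getent user_attr and getent prof_attr restricted to the files source) and fed in place of the embedded strings.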
To prevent the security issues that can arise from assigning a local entity to an LDAP entity, it is recommended that the LDAP server enforce access control on the RBAC databases so that individual clients cannot modify entries. Only clients that connect to the LDAP server through a privileged account should be allowed to modify LDAP RBAC entities; all other clients should have read-only access to the LDAP RBAC databases. This keeps an administrator on one client from adding a role name to an LDAP user's entry that is meaningful only on that client, and concentrates changes to shared RBAC data in a single, privileged path that can be reviewed.