Absolutely! I can see this happening in a couple of different ways.
Our users are grouped in Active Directory, so we could pull their group memberships. We could put our servers into security groups as well. We don’t do this currently. But we do separate them by AD OU. What I’ve done so far is create separate machine LDAP queries by AD OU.
We could have a field in the LDAP configuration to assign AD User Security Group and the SSH token type automatically.
Or I can see a section where you can view the security groups, and within the group setting, assign a set of computers based on the computer group membership, or LDAP Machine query.
We have a developer portal in our VM environment where they can turn up and destroy virtual machines at will, so whatever the solution would be would have to allow periodic queries to update the group memberships.
The other option is to have us create computer and/or user groups within PI and apply the settings at the group level. If the developer brings up a dev portal VM (mentioned in the above paragraph), they can go into PI and assign themselves permission to the new VM. It doesn’t happen that often, so it wouldn’t be too cumbersome.
We’d like to balance the admins’ requirement to control access to things like production, staging, and test servers with the users’ ability to add themselves to their dev machines.
We already use SSSD to control access to the VMs and are looking to replace password login with the SSH login, so this would be a huge help.
Having to do all the settings in PI individually for all 150 VMs is quite a large pain. In the meantime, is it possible to update settings via API or direct DB query? The environment doesn’t change “that” frequently, so getting it set up now is the pain point - manually adding a machine in the future is more doable by hand.