[midPoint] Some questions to midPoint 3.3

Ivan Noris ivan.noris at evolveum.com
Mon Mar 21 18:08:37 CET 2016


Hello Philippe & Fabian,

see also my notes inline in addition to Pavol's.

On 03/21/2016 05:46 PM, Pavol Mederly wrote:
> Hello Philippe and Fabian,
>
> here are some answers (or, more precisely, pointers to relevant
> information) to your questions:
>
>> - How can you adjust some attribute in a connector? We tried to
>> rename some attribute names in the XML file but if we try to create a
>> new user with the new attribute names the connector says the
>> attribute is unknown? 
> I don't understand this question. What exactly you'd like to adjust?
> Please be more specific what you'd like to achieve, and preferably
> give us an example.
>

If you are trying to show the attribute name in the GUI form differently
from its name in the connector, e.g. the attribute name is
sAMAccountName and you wish to show it as "Login name", this is very
easy. See the <displayName> element in schemaHandling/attribute in many
of our samples, e.g.:

    <attribute>
        <ref>ri:sAMAccountName</ref>
        <displayName>Login name</displayName>
        ...

>> - If you create a role, how can you give this role authorities? From
>> the start on, there is for example just the role end user and super
>> user with authorities.
> What do you mean by "authorities"? From what you say I understand
> you'd like to attach some authorizations to a role - i.e. saying like
> "holder of this role can see all other users' details". Is it so? If
> yes, please have a look at
> https://wiki.evolveum.com/display/midPoint/Authorization+Configuration. It
> is a very elaborate and powerful mechanism, allowing you to specify
> authorizations in a very, very flexible and detailed manner.
>
>> - Is it possible to filter Users just through attributes? for example
>> show every user with the name Thomas? Or is it just possible to
>> filter users with organisations? 
> I'm not sure how it is in midPoint 3.3, but in 3.4-snapshot it is
> possible to filter users by name, given name (e.g. Thomas), family
> name, full name, additional name(s), administrative status, cost
> center. If you need more, you can use e.g. Bulk actions
> (https://wiki.evolveum.com/display/midPoint/Bulk+actions) to extract
> users you need (but that's not very interactive). Or you can use
> reports. Or export all users and write a custom script to filter what
> you need.
>
>> - Is there an option to prevent that users don't get authorities that
>> they should never have? for example a customer user should never be
>> able to get the role of a super user?
> I'm not sure about this; maybe someone else on this list would respond.
> For general prevention of unwanted authorizations and role assignments
> midPoint provides:
> - certifications
> (https://evolveum.com/blog/access-certification-in-midpoint/)
> - approvals (https://wiki.evolveum.com/display/midPoint/Workflows).
>
>> - Is it possible to set attributes from a user through a role
>> assignment?
> Certainly. See e.g.
> https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC
>
>> - How can you change the password policy in midpoint and
>> synchronize them with Active Directory and Exchange?
> You specify password policy like this:
> https://wiki.evolveum.com/display/midPoint/Password+Policy
> Not sure what you mean by synchronization of the policy with
> AD/Exchange; if you want to have compatible policies in midPoint and
> AD/Exchange (i.e. so that if a user's password is accepted by midPoint
> it will be accepted by AD/Exchange and vice versa), you have to obtain
> the current password policy from AD/Exchange and manually create
> an equivalent policy in midPoint. (Or the other way around, take a policy
> from midPoint and create an equivalent one in AD/Exchange.)

Just to add: midPoint uses its own password policies to
validate/generate passwords. For each resource, a different password
policy can be used, or the global one will be used (default). As we
don't synchronize the policies (the complexity definitions), you need to
create the password policies in midPoint to be at least as strong as in
the resources.

>
>> - How can an employee request authorities? And how can his boss
>> authorize this request?
> Please see the wiki page on workflows mentioned above.
> In 3.3, the request is done simply by trying to assign specific role
> to himself/herself. After saving it, the workflow is started
> automatically (if role approver or approver expression or approval
> schema is defined).
> In 3.4 there will be a special tab for requesting roles (see
> 3.4-snapshot).
>
>> - Is it possible to create a hierarchy? If yes, how?
> A hierarchy of what? E.g. for organizations (that could be basically
> anything from traditional organizations to projects to e.g. study
> programmes or even individual lectures), it certainly is possible and
> well supported. Please have a look around our wiki.
>
>> - How can you generate reports? are there already basic templates for
>> reports? and how can you export them in different formats like .xls
>> .csv .pdf ? 
> Very simply. You just need to use "Reports" menu. Please try it; and
> have a look at
> https://wiki.evolveum.com/display/midPoint/Report+Configuration.
>
>> - How can we transfer a currently existing active directory structure
>> as easily as possible in midpoint? We got an XML-data for example and
>> want to implement this user in midpoint as well. 
> Please be more specific. Or, even better, please have a look at the
> following:
> - https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test (this
> one is not specific to AD but the general idea is the same)
> -
> https://wiki.evolveum.com/display/midPoint/Active+Directory+Group+Synchronization+HOWTO
> -
> https://evolveum.com/blog/practical-organization-structure-in-active-directory/
> ...and then think again and try to formulate your question more
> precisely.
>

Certainly it's possible to import/synchronize the directory structures,
one way, the other, or bi-directionally. So if you have e.g. a directory
structure of organizational units or groups in AD and wish to create the
corresponding structure in midPoint, yes, this is possible. The real data
is synchronized; you don't need to export it from AD and preprocess it for
midPoint.
Please read the links Pavol shared above.

Best regards,
Ivan

> Hope this helps,
> Pavol
>
>
> On 19.03.2016 20:57, Fabian Mirz wrote:
>> Hello all,
>>
>> we are a group of students who are currently testing MidPoint 3.3 as
>> an Identity Manager System for a big company.
>> We have recently built up our test environment with 2 servers. On the
>> first one, we installed midPoint and on the second one we
>> configured Active Directory and installed Exchange.
>> The basic functions are already running, we are for example able to
>> create a user in midpoint, assign him with the exchange connector and
>> midpoint creates this user also on the other server with a mailbox.
>> Sadly we still have some issues and we hope you can help us.
>>
>> We are new to this topic, so please be forgiving if there are some
>> "stupid" questions.
>>
>> - How can you adjust some attribute in a connector? We tried to
>> rename some attribute names in the XML file but if we try to create a
>> new user with the new attribute names the connector says the
>> attribute is unknown?
>> - If you create a role, how can you give this role authorities? From
>> the start on, there is for example just the role end user and super
>> user with authorities.
>> - Is it possible to filter Users just through attributes? for example
>> show every user with the name Thomas? Or is it just possible to
>> filter users with organisations?
>> - Is there an option to prevent that users don't get authorities that
>> they should never have? for example a customer user should never be
>> able to get the role of a super user?
>> - Is it possible to set attributes from a user through a role
>> assignment?
>> - How can you change the password policy in midpoint and
>> synchronize them with Active Directory and Exchange?
>> - How can an employee request authorities? And how can his boss
>> authorize this request?
>> - Is it possible to create a hierarchy? If yes, how?
>> - How can you generate reports? are there already basic templates for
>> reports? and how can you export them in different formats like .xls
>> .csv .pdf ?
>>
>> And the last but most important question:
>> - How can we transfer a currently existing active directory structure
>> as easily as possible in midpoint? We got an XML-data for example and
>> want to implement this user in midpoint as well.
>>
>>
>> Best regards
>>
>> Philippe Büdinger & Fabian Mirz
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
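
The reply above notes that midPoint picks a per-resource password policy or falls back to the global one, and that this policy must be at least as strong as the resource's own. The following check is an added example, not part of the original message or of midPoint: the `Policy` model, function names and sample values are hypothetical and constructed for illustration, and the model ignores rules such as forbidden characters or username checks.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    # Hypothetical, simplified model; not midPoint's or AD's real policy schema.
    min_length: int
    max_length: Optional[int] = None      # None means no upper limit
    required: frozenset = frozenset()     # character classes every password must contain
    min_classes: int = 0                  # distinct character classes needed overall

def effective_policy(resource, per_resource, global_policy):
    """Per-resource policy if one is configured, otherwise the global default."""
    return per_resource.get(resource, global_policy)

def gaps(idm, target):
    """Ways a password valid under `idm` could still be rejected by `target`."""
    found = []
    if idm.min_length < target.min_length:
        found.append("min_length")
    if target.max_length is not None and (
            idm.max_length is None or idm.max_length > target.max_length):
        found.append("max_length")
    if not target.required <= idm.required:
        found.append("required_classes")
    # Number of distinct classes the IdM-side policy guarantees in every password.
    guaranteed = max(len(idm.required), idm.min_classes)
    if guaranteed < target.min_classes:
        found.append("min_classes")
    return found

# Constructed sample values, for illustration only.
AD_POLICY = Policy(min_length=8, min_classes=3)
GLOBAL = Policy(min_length=6, required=frozenset({"lower", "digit"}), min_classes=2)
PER_RESOURCE = {"ad": Policy(min_length=10, max_length=64,
                             required=frozenset({"upper", "lower", "digit"}))}

def audit(resource, target, per_resource):
    """Compare the policy that would apply to `resource` against its own rules."""
    return gaps(effective_policy(resource, per_resource, GLOBAL), target)

if __name__ == "__main__":
    print(audit("ad", AD_POLICY, {}))            # global default applies
    print(audit("ad", AD_POLICY, PER_RESOURCE))  # dedicated policy applies
```

An empty result means every password the identity-management side accepts or generates also satisfies the modelled rules of the resource.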
