[midPoint] Importing entitlements to roles for multiple account intents

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Tue Jan 2 12:07:11 CET 2018


Hello!

First: Of course the account intent is specified in the association from link inducement, order 2, not in the first order inducement as I wrote before.
Sorry for the mistake.

Second: After a few days of testing, the workaround with multiple ObjectClasses for entitlements is working correctly.
I suppose this is not the right way it should be done according to the midPoint philosophy,
but at the moment I have no other idea how to achieve the goal, which is independently given entitlements for each account intent when a user has two or more accounts in one resource,
and to use the synchronization flavors of the entitlements to avoid manual role editing.
Of course I keep my mind open for other solutions.

Best regards!
WS

On 30.12.2017 at 13:36, Wojciech Staszewski wrote:
> Hi!
> 
> Yes, but if the user has 2 or more accounts on this resource, all accounts will receive the entitlement. I have to avoid this.
> The entitlements must be given independently for each account.
> 
> I see some workarounds:
> 
> 1) Manually create the roles for account intents other than default and update them when needed.
> - disadvantages: A lot of roles and a lot of changes. There are 100 resources of this kind, some of them contain more than 1 account intent (1,5 average) and 3 entitlement types, every type contains 20 entitlements on average. This makes 100 x 1,5 x 3 x 20 = 9000 roles for manual handling. Terrifying...
> 
> That's why I want to use synchronization tasks for importing and updating the roles automatically.
> 
> 2) Create another resource pointing to the same database for another intent, so each account intent is handled by separate (fake) resource.
> In this case I can set synchronization tasks for importing and updating the same entitlements for every account intent.
> - disadvantages: User changes laboratory, so the account changes intent. It happens. On the resource side this is a simple task: edit user, pick lab from drop-down list, save. How will midPoint see this? The user disappears from one resource and appears on another. With full enforcement policy midPoint will try to fix this situation and create an account for him in the old intent. On the second resource the new account will be deleted.
> Ok, so let's do it on the midPoint side: Assign account and entitlements on the second resource and unassign the first one. MidPoint will delete the account on the first and create a new one on the second, as for midPoint there are 2 independent resources. This is the wrong way.
> 
> 3) This is a ScriptedSQL resource. So in the Groovy scripts I can make multiple ObjectClasses for the entitlements pointing to the same database objects. In midPoint I will see the same entitlements multiple times, each with a different ObjectClass. So I can use it to import and synchronize roles for different account intents. When the entitlement in the resource database is changed, synchronization will work for every objectClass.
> - disadvantages: I have to think a little bit, as I invented it just a moment ago.
> 
> Best regards!
> Wojciech Staszewski
> 
> On 29.12.2017 at 19:36, Alcides Carlos de Moraes Neto wrote:
>> If you assign a Role that gives Entitlement X to User Y with weak strength, only the existing account(s) for User Y will receive the entitlement.
>> Having multiple weak inducements will work I think.
>>
>> I have a similar setup, but it's the other way around - multiple intents for entitlements induced from Org, only one for account intent associated to User.
>> I have multiple inducements in a Meta-role that I assign to Orgs.
>>
>> You can also use Condition expressions to further filter them.
>>
>> 2017-12-29 13:40 GMT-02:00 Wojciech Staszewski <wojciech.staszewski at diagnostyka.pl>:
>>
>>     Hi!
>>
>>     I thought about adding multiple first order inducements for each account intent with weak strength to the "associationFromLink" metarole,
>>     but what if the accounts (of one user in multiple intents) must have different privileges (entitlements)?
>>     When I assign a role that gives entitlement X, it will be applied to every user account on this resource, I think.
>>
>>     Another way I tried is to assign the "associationFromLink" metarole to the role that provisions account creation,
>>     and the role with linkRef pointing to the entitlement shadow as a separate user assignment, but it doesn't work.
>>     I think (but I don't know exactly) that "associationFromLink" is limited to one assignment chain, so the linkRef and associationFromLink
>>     must be in the same chain. But maybe I'm wrong...?
>>
>>     I'm stuck here and see no good solution for now.
>>
>>     Best regards!
>>     WS
>>
>>
>>     On 29.12.2017 at 15:08, Alcides Carlos de Moraes Neto wrote:
>>>     Hi WS,
>>>
>>>     In your role template, have you tried adding multiple inducements with an association for each entitlement? I don't see why that wouldn't work.
>>>
>>>     2017-12-28 13:54 GMT-02:00 Wojciech Staszewski <wojciech.staszewski at diagnostyka.pl>:
>>>
>>>         Hello!
>>>
>>>         I'm looking for the correct way to import resource entitlements into midPoint roles.
>>>
>>>         For now I'm doing this as follows:
>>>         1) create schema handling for entitlement.
>>>         2) create synchronization.
>>>         3) At the "unmatched->addFocus" synchronization step I connect a role template. The template assigns metaroles to the imported roles for:
>>>           a) association from link (as the imported roles are just linkRef only),
>>>           b) approval schema,
>>>           c) and assigns correct OrgUnit in the role catalog, based on resource, role type and other "things".
>>>
>>>         That works just perfectly, but for one account intent only. The account intent is statically specified in the "association from link" metarole in the first order inducement.
>>>         If it is not, the metarole works for the "default" account intent.
>>>         But I have 8 account intents in this resource, and every account must be associated with the entitlements regardless of the intent.
>>>
>>>         I tried to make more than one "unmatched->addFocus" synchronization reaction with different role templates
>>>         with hope for importing 8 roles from one entitlement for different account intents but midPoint warns me: "Duplicated reactions [...]".
>>>         I cannot just add multiple "actions" to one reaction because I can apply only one template to one reaction.
>>>
>>>         And I don't know how to do it.
>>>         Any ideas?
>>>         Beer is on me for the help!
>>>
>>>         Happy NY!
>>>         WS
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>>     -- 
>>     Wojciech Staszewski
>>     Network Systems Administrator
>>     mobile: 663 680 236
>>     www.diagnostyka.pl
>>     Diagnostyka Sp. z o. o.
>>     ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
>>     KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the KRS)
>>     NIP: 675-12-65-009; REGON: 356366975
>>     Share capital: 33 756 500 zł.
>>
>>     Think about the environment before printing this e-mail.
>>
>>
> 
> 
> 

-- 
Wojciech Staszewski
Network Systems Administrator
mobile: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the KRS)
NIP: 675-12-65-009; REGON: 356366975
Share capital: 33 756 500 zł.

Think about the environment before printing this e-mail.
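Added example of the workaround WS settled on (point 3 of the 30.12.2017 message); this is not code from the thread, from midPoint or from the ConnId connector. It is a schema script for the ConnId scripted Groovy/SQL connector that publishes one privilege table under a separate object class for every account intent, so midPoint can import each copy into its own set of roles and synchronize them independently. The intent names, the table columns and the exact `builder.schema { objectClass { type ...; attributes { ... } } }` DSL details are assumptions modelled on the connector's sample schema scripts and have to be checked against the connector version in use.

```groovy
// SchemaScript.groovy (added example, not the thread's or the connector's own code).
// One ConnId object class per account intent is built from a single list, so the
// same database table appears in midPoint as ri:privilege_default,
// ri:privilege_lab_a, ... and each can be mapped to a different entitlement intent.
import org.identityconnectors.framework.common.objects.ObjectClass
import static org.identityconnectors.framework.common.objects.AttributeInfo.Flags.REQUIRED
import static org.identityconnectors.framework.common.objects.AttributeInfo.Flags.MULTIVALUED

// Assumed intent names; in the thread there are 8 per resource.
def accountIntents = ['default', 'lab_a', 'lab_b']

builder.schema({
    // The account object class: the 'lab' column decides which intent the
    // account belongs to on the midPoint side (assumed column name).
    objectClass {
        type ObjectClass.ACCOUNT_NAME
        attributes {
            login String.class, REQUIRED
            lab String.class, REQUIRED
            fullName String.class
        }
    }

    // A plain for loop is used instead of .each so that the objectClass call
    // resolves against the schema builder closure without delegate tricks.
    for (intent in accountIntents) {
        objectClass {
            // Object class name seen by midPoint as ri:privilege_<intent>;
            // every copy describes the same PRIVILEGE table (assumed name).
            type "privilege_${intent}".toString()
            attributes {
                name String.class, REQUIRED
                description String.class
                members String.class, MULTIVALUED   // logins of accounts holding the privilege
            }
        }
    }
})
```

The search and sync scripts of the same connector then have to treat every object class whose name starts with `privilege_` as a query against the one privilege table, which is what makes a change in the database trigger synchronization for every copy, as described in point 3 above. On the midPoint side each copy becomes its own entitlement objectType (kind `entitlement`, one intent per copy) in schemaHandling, and the account objectType for a given intent associates only with the matching copy.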
