[midPoint] Role template "role-sailor"

Salim Boulkour salim.boulkour at arismore.fr
Thu Jul 18 15:57:53 CEST 2013


Hi Ivan,

You seem to have all the answers to my questions! So I’ll raise the level a bit :)

I’ve read on the https://wiki.evolveum.com/display/midPoint/Advanced+RBAC page that midPoint implements parametric roles.

This is pretty convenient from our point of view, and it is the first time we have seen it implemented in an IM product without having to use custom code everywhere.

From my understanding, those role parameters are listed somewhere to define the role/parameter association and to limit the permitted parameter values.

Then, how many parameter lists can I associate with a role? Let’s take an example.

 

Imagine we have a team of salesmen. They have different access rights in the sales app depending on their geographic area, their type of clients and their line of products.

Then I would have one role: role_salesman

And three parametric lists: [area][client][product]

So, is it possible to have multiple parameters associated with a role?

And is it possible to have multiple values? Like a vendor assigned to both the EMEA and ASIA areas, and 3 or 4 different lines of products?

Regards,

Salim

From: midpoint-bounces at lists.evolveum.com [mailto:midpoint-bounces at lists.evolveum.com] On behalf of Ivan Noris
Sent: Thursday, 18 July 2013 14:39
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Role template "role-sailor"

Hi Salim,

see my answers inline:

On 07/18/2013 01:38 PM, Salim Boulkour wrote:

	Hey everyone,

	I began playing with roles in midPoint and am trying to understand the contents of https://svn.evolveum.com/midpoint/tags/midpoint-2.1.2/samples/roles/role-sailor.xml.

	The role description says:

	A basic role, that specifies account on OpenDJ resource
	and also sets "employeeType" attribute to a fixed value and it sets "destinationIndicator"
	as a copy of a user property.

	What interests me here is the ability to make modifications to the account. So my questions are:

	-       Does the account have to be created before assigning that role to a user? Or would the account be created as soon as the role is given to the user?



The account will be created as soon as you assign this role to a user.
The attributes will be set as specified by the mappings in the role (employeeNumber, destinationIndicator).




	-       I understand the OID in ‘resourceRef’ to be the way to specify the targeted resource. Is this the only way to specify it? (As the doc on the data model stated, I wouldn’t have to play with OIDs much ;) )


Yes, this is the only reference type: by OID. In the next releases, more parts of the administrative GUI will be enhanced with wizards so that you can select the resource instead of typing its OID. But so far you have to create the role(s) and refer to the resource OID to make a reference. If you need to prepare a set of configuration (XML) files, e.g. resources and roles, and wish to import them and make some tests, you may use your own OIDs; just be sure to make them unique.

	-       If I specify in the role a resource attribute that is already handled by the resource/connector configuration, what would happen? Does the value given by the role assignment have a higher priority than the default one?


Very good question. Please see https://wiki.evolveum.com/display/midPoint/Mapping, especially "Mapping Order":
"When defining multiple mappings for single-valued attribute, every next applied mapping in order rewrites the value of attribute. Be sure to check, if this is what you want. In case of multiple-value attributes, mappings simply add next values to the attribute values list. "

So it depends mainly on whether the attribute is single- or multi-valued. For a multi-valued attribute it would do what you perhaps expect: merge.

Regards,
Ivan

-- 
  Ing. Ivan Noris
  Consultant
  Evolveum, s.r.o
  ___________________________________________________
  "Semper cautus - semper paratus - semper idem Vix."
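A constructed model of the "Mapping Order" rule quoted above, added here as an illustration; it is not midPoint's own code nor the project's sample. It applies a list of outbound mappings in order against an assumed account schema: a single-valued attribute (employeeType) takes the last mapping's value, a multi-valued attribute (ou) collects values from every mapping. It also returns a warning for every single-valued attribute that a later mapping silently overwrote, which is exactly the case the wiki text says you should check. The attribute names, the schema and the mapping sources ("resource outbound", "role-sailor") are assumptions for the example.

```python
"""Constructed model of midPoint's documented "Mapping Order" rule.

Single-valued attribute: each later mapping overwrites the earlier value.
Multi-valued attribute: later mappings add their values to the list.
This is an added illustration, not midPoint's implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    """One outbound mapping: where it comes from, the attribute it sets and the values it yields."""
    source: str      # assumed label, e.g. "resource outbound" or "role-sailor"
    attribute: str
    values: tuple


# Assumed schema of the OpenDJ account: attribute -> True if multi-valued.
SCHEMA = {
    "employeeType": False,
    "destinationIndicator": False,
    "ou": True,
}


def apply_mappings(mappings, schema=SCHEMA):
    """Apply mappings in the given order; return (account, warnings).

    warnings lists every single-valued attribute whose earlier value was
    replaced by a later mapping, so a reviewer can confirm that is intended."""
    account = {}
    warnings = []
    for m in mappings:
        if m.attribute not in schema:
            raise KeyError(f"unknown attribute {m.attribute!r}")
        if schema[m.attribute]:
            # multi-valued: merge, keeping order and dropping duplicates
            current = account.setdefault(m.attribute, [])
            for v in m.values:
                if v not in current:
                    current.append(v)
        else:
            # single-valued: last applied mapping wins
            if len(m.values) != 1:
                raise ValueError(f"{m.attribute} is single-valued, got {m.values!r}")
            new = m.values[0]
            old = account.get(m.attribute)
            if old is not None and old != new:
                warnings.append(
                    f"{m.attribute}: {old!r} overwritten by {new!r} from {m.source}"
                )
            account[m.attribute] = new
    return account, warnings


# Constructed scenario: the resource's own outbound mappings run first,
# then the mappings carried by the assigned role.
EXAMPLE = (
    Mapping("resource outbound", "employeeType", ("internal",)),
    Mapping("resource outbound", "ou", ("staff",)),
    Mapping("role-sailor", "employeeType", ("sailor",)),
    Mapping("role-sailor", "ou", ("crew",)),
)

if __name__ == "__main__":
    acct, warns = apply_mappings(EXAMPLE)
    print(acct)          # {'employeeType': 'sailor', 'ou': ['staff', 'crew']}
    for w in warns:
        print("CHECK:", w)
```

Reversing the order of `EXAMPLE` shows why the order matters: the multi-valued `ou` ends up with the same two values either way, while `employeeType` flips to whichever mapping was applied last.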