[midPoint] Role template "role-sailor"
Radovan Semancik
radovan.semancik at evolveum.com
Fri Jul 19 11:17:16 CEST 2013
Hi Salim,
On 07/18/2013 03:57 PM, Salim Boulkour wrote:
> I've read from the
> https://wiki.evolveum.com/display/midPoint/Advanced+RBAC page that
> midpoint implements parametric roles.
>
> This is pretty convenient from our point of view and it is the first
> time we see it implemented in an IM product without having to use
> custom code everywhere.
>
Good to see that. This is exactly our long-term goal with midPoint: more
configuration, less coding. Efficient deployment and maintenance. I'm
glad that you like it.
> From my comprehension, those role parameters are listed somewhere to
> give role/parameter association, and limit parameter permitted values.
>
Yes and no. The parameter values are currently taken from either static
schemas (usually schema for UserType object) or schema extensions along
the role hierachy (user extension, assignment extension, inducement
extension). This works great in reducing the number of roles in RBAC
structure and fighting the role explosion problem. It was designed
primarily for roles that will be assigned automatically using rules (in
a RB-RBAC fashion).
The interactive side of parametric roles is still slightly unfinished.
The role has no way how to specify what parameters it needs. This was
not needed for the automatic approach but it is definitely needed for
advanced RBAC GUI. We have quite concrete design for this aspect: adding
a parameter schema to the role. And I can assure you that it is no kind
of afterthough but quite an integral part of the entire solution. We
have spend a lot of time designing it but we haven't spend much time on
implementing it yet. There was a very limited customer demand and
therefore we have problems justifying the development cost. Even the
current parametric RBAC design seems to be too advanced for many
engineers that are used to work with other IDM products. Yet the plans
may change if there is sufficient motivation ... as always :-)
Which also means that there is currently no convenient way how to
specify permitted values for these parameters. This should be possible
with the introduction of role parameter schema and some dynamic schema
definition improvements. This is quite advanced stuff and therefore we
do not have a concrete plan when to implement it. However if you have an
idea how to fund this part of the development we definitely can talk
about it.
> Then, how much parameter lists can I associate to a role ? Lets take
> an example.
>
> Imagine we have a team of sales men. They have different access right
> in the sale app depending on their geographic area, on their type of
> clients and on their line of products.
>
> Then I would have one role : role_salesman
>
> And three parametric lists : [area][client][product]
>
> So, is it possible to have multiple parameters associated to a role ?
>
Yes, this is possible even now. The number of parameters is not limited.
> And is it possible to have multiple values ? Like vendor to both EMEA
> and ASIA areas, and 3 or 4 different lines of products ?
>
I don't think I completely understand this question. Currently there is
no list of permitted values as stated above. But even if there would be
a list of permitted values then each of the parameters is independent.
Therefore you could have vendor with values [ACME, Example,
Whatchacalit], area with values [EMEA, ASIA] and products [foo, bar,
baz, foobar]. Any combination of these could be assigned. The schema
will not limit the combinations. That would be perhaps too much to ask
from a schema. However, if you want to limit possible combinations that
might be possible by using two approaches:
1) conditions and expressions in role definition. These may throw an
error if a "bad" combination is present. Not very convenient from GUI
perspective but quite simple to do and quite secure (e.g. even
webservice/rest invocation will be unable to set incorrect combination).
2) some tweaks in the GUI. This may be convenient for the user. But
currently it means modifying the GUI code. midPoint is opensource so
this is not such a big obstacle when compared to commercial products. We
have a plan to have flexible forms similar to those used in Sun IDM
(Waveset), but this is also quite a distant future. But whatever method
you use it is still just a check in the presentation logic and can be
theoretically circumvented.
So in practice you probably would need both. I recommend starting with
method 1) if your deployment strategy alllows that and then improve it
with convenience in next deployment phases.
--
Radovan Semancik
Software Architect
evolveum.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20130719/196a12aa/attachment.htm>
More information about the midPoint
mailing list