[midPoint] Users and Groups in database

Pavol Mederly mederly at evolveum.com
Tue Jun 23 12:24:50 CEST 2015


Hello Roman,

Something like this works for me - I'm rewriting my configuration to 
"your" terms, hopefully not making any mistake:

1) Define an association in the account definition:

<association>
    <c:ref>ri:rolesAssociation</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>role</intent>
    <direction>subjectToObject</direction>
    <associationAttribute>ri:roles</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association>

In this case, ri:rolesAssociation is the name of the association. It is 
an "artificial" name by which midPoint will refer to the association. On 
the other hand, ri:roles is the name of the actual attribute where 
information about the roles of a given user is stored. Kind/intent 
(entitlement/role) tells midPoint what kind of objects we are referring 
to. ValueAttribute = icfs:uid tells it that in the roles attribute there 
are uids (not names) of the given roles. If there are names, you would 
have to provide icfs:name here.

2) Now, define the fact that a midPoint Role would correspond to your 
resource's role object *and* that any user that has an assignment of the 
midPoint role would be assigned the resource's role object to his account.

The easiest way is to define a metarole like this:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

    <name>Metarole</name>
    <displayName>Metarole</displayName>
    <inducement id="1"> <!-- this tells midPoint to create resource's
                             role object for any midPoint Role that has this metarole assigned -->
       <construction>
          <resourceRef oid="(your resource OID goes here)"/>
          <kind>entitlement</kind>
          <intent>role</intent>
       </construction>
    </inducement>
    <inducement id="2"> <!-- this tells that any user having assigned
                             midPoint Role will get the corresponding resource's role associated to
                             him -->
       <construction>
          <resourceRef oid="(your resource OID goes here)"/>
          <kind>account</kind>
          <intent>default</intent>
          <association>
             <c:ref>ri:rolesAssociation</c:ref>
             <outbound>
                <expression>
                   <associationFromLink>
                      <projectionDiscriminator>
                         <kind>entitlement</kind>
                         <intent>role</intent>
                      </projectionDiscriminator>
                   </associationFromLink>
                </expression>
             </outbound>
          </association>
       </construction>
       <order>2</order>
    </inducement>
    <requestable>false</requestable>
</role>

Hope this helps.

Best regards,
Pavol
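The quoted messages below describe a ScriptedSQL connector whose update script reconciles the user-role link table from the multi-valued "roles" attribute (role ids, matching valueAttribute = icfs:uid). The following is an added example, not code from the thread or from midPoint: a Python/sqlite3 model of that reconciliation with constructed tables and rows, showing the add/remove diff, rejection of unknown role ids and the transactional write that the stored procedure or Groovy wrapper would need.

```python
import sqlite3

# Constructed schema mirroring the thread's three tables:
# users, roles and the M:N user_role link table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user_role (
    user_id INTEGER NOT NULL REFERENCES users(id),
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id));
"""

def open_db():
    """In-memory database filled with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "roman"), (2, "pavol")])
    conn.executemany("INSERT INTO roles VALUES (?, ?)",
                     [(10, "auditor"), (11, "operator"), (12, "admin")])
    conn.executemany("INSERT INTO user_role VALUES (?, ?)", [(1, 10), (1, 12)])
    return conn

def get_user_roles(conn, user_id):
    """Current 'roles' attribute of a user: the set of role ids (icfs:uid)."""
    rows = conn.execute("SELECT role_id FROM user_role WHERE user_id = ?", (user_id,))
    return {r[0] for r in rows}

def set_user_roles(conn, user_id, role_ids):
    """Make the link table match role_ids: insert only the missing links and
    delete the stale ones, in one transaction. Returns (added, removed)."""
    wanted = set(role_ids)
    with conn:  # commits on success, rolls back on any exception
        # Fail loudly on unknown role ids rather than silently dropping them.
        known = {r[0] for r in conn.execute("SELECT id FROM roles")}
        if wanted - known:
            raise ValueError(f"unknown role ids: {sorted(wanted - known)}")
        current = get_user_roles(conn, user_id)
        added = sorted(wanted - current)
        removed = sorted(current - wanted)  # deprovisioning: revoked roles go away
        conn.executemany("INSERT INTO user_role VALUES (?, ?)",
                         [(user_id, r) for r in added])
        conn.executemany("DELETE FROM user_role WHERE user_id = ? AND role_id = ?",
                         [(user_id, r) for r in removed])
    return added, removed
```

Computing the diff against the current rows (instead of delete-all-then-insert) keeps an interrupted update from leaving the user with no roles, and the explicit existence check surfaces bad role ids as an error midPoint can report.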

> Hi Pavol,
> thanks for great advice!
>
> Now I have all application roles saved as multi-valued attribute in 
> the user in MidPoint.
> How can I associate these values with entitlements (roles) in 
> MidPoint? "AssignmentTargetSearch" in mapping gives me "Expression 
> returned more than one value" exception (yes, attribute is multi-valued).
>
> Thanks!
>
> Regards
> R. Pudil
>
> Roman Pudil
> solution architect
>
> gsm: [+420] 775 663 666
> e-mail: roman.pudil at ami.cz <mailto:roman.pudil at ami.cz>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel./fax: [+420] 274 783 239
> web: www.ami.cz <http://www.ami.cz>
>
>
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> By the text of this e-mail the signatory neither promises to conclude nor 
> concludes any contract on behalf of AMI Praha a.s.
> Any contract, if concluded, must be 
> exclusively in written form.
>
> Dne 20.6.2015 v 18:38 Pavol Mederly napsal(a):
>> Hello Roman,
>>
>> we've recently implemented this scenario for one of our customers.
>>
>> It was done via ScriptedSQL connector, as one resource, having two 
>> object classes:
>>
>> - users
>> - roles
>>
>> The user-role association was implemented as a multi-valued attribute 
>> called "roles" in the user. (It could be done also via attribute 
>> "users"/"members" in the role object, but we chose this way because 
>> the user in our case has fewer roles than there are users for a given 
>> role.)
>>
>> Groovy scripts in the connector were used as a wrapper that called 
>> stored procedures in the database. These procedures were responsible 
>> for manipulating the tables, including updating user-role table based 
>> on the information that came in the "roles" attribute.
>>
>> It is more complex than using the simple DB connector, but works nicely.
>>
>> Best regards,
>> Pavol
>>
>> On 20. 6. 2015 18:07, Roman Pudil - AMI Praha a.s. wrote:
>>> Hi all,
>>> I have 3 tables in database.
>>>
>>> 1) table with users
>>> 2) table with roles
>>> 3) table with user ids assigned to role ids (M:N relation)
>>>
>>> First table and second table are connected to midPoint as two 
>>> database resources (DB users as identities, DB roles as midPoint 
>>> roles). But how to process third table to MidPoint with users to 
>>> groups relations? As third resource or not? How? What is best practice?
>>>
>>> Thanks for any idea!
>>>
>>> Regards!
>>> Roman Pudil
>>> AMI Praha, a.s.
>>> -- 
>>>
>>> Roman Pudil
>>> solution architect
>>> gsm: [+420] 775 663 666
>>> e-mail: roman.pudil at ami.cz
>>>
>>> AMI Praha a.s.
>>> Pláničkova 11
>>> 162 00 Praha 6
>>> tel./fax: [+420] 274 783 239
>>> web: www.ami.cz
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
