[midPoint] Users and Groups in database
Roman Pudil - AMI Praha a.s.
roman.pudil at ami.cz
Fri Jun 26 09:42:33 CEST 2015
Hi Pavol,
thanks for your help!
Roman
Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz <mailto:roman.pudil at ami.cz>
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz <http://www.ami.cz>
AMI Praha a.s.
<http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.
On 23.6.2015 at 12:24 Pavol Mederly wrote:
> Hello Roman,
>
> Something like this works for me - I'm rewriting my configuration to
> "your" terms, hopefully not making any mistake:
>
> 1) Define an association in the account definition:
>
> <association>
>     <c:ref>ri:rolesAssociation</c:ref>
>     <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>     <kind>entitlement</kind>
>     <intent>role</intent>
>     <direction>subjectToObject</direction>
>     <associationAttribute>ri:roles</associationAttribute>
>     <valueAttribute>icfs:uid</valueAttribute>
> </association>
>
> In this case, ri:rolesAssociation is the name of the association. It
> is an "artificial" name by which midPoint will refer to the association.
> On the other hand, ri:roles is the name of the actual attribute where
> information about the roles of a given user is stored. Kind/intent
> (entitlement/role) tells midPoint what kind of objects we are
> referring to. ValueAttribute = icfs:uid tells it that in the roles
> attribute there are uids (not names) of the given roles. If there are
> names, you would have to provide icfs:name here.
>
> 2) Now, define the fact that a midPoint Role would correspond to your
> resource's role object *and* that any user that has an assignment of
> the midPoint role would be assigned the resource's role object to his
> account.
>
> The easiest way is to define a metarole like this:
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>
>     <name>Metarole</name>
>     <displayName>Metarole</displayName>
>     <inducement id="1">
>         <!-- this tells midPoint to create resource's role object for any
>              midPoint Role that has this metarole assigned -->
>         <construction>
>             <resourceRef oid="(your resource OID goes here)"/>
>             <kind>entitlement</kind>
>             <intent>role</intent>
>         </construction>
>     </inducement>
>     <inducement id="2">
>         <!-- this tells that any user having assigned midPoint Role will get
>              the corresponding resource's role associated to him -->
>         <construction>
>             <resourceRef oid="(your resource OID goes here)"/>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <c:ref>ri:rolesAssociation</c:ref>
>                 <outbound>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator>
>                                 <kind>entitlement</kind>
>                                 <intent>role</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>     </inducement>
>     <requestable>false</requestable>
> </role>
>
> Hope this helps.
>
> Best regards,
> Pavol
>
>> Hi Pavol,
>> thanks for the great advice!
>>
>> Now I have all application roles saved as a multi-valued attribute in
>> the user in MidPoint.
>> How can I associate these values with entitlements (roles) in
>> MidPoint? "AssignmentTargetSearch" in the mapping gives me an "Expression
>> returned more than one value" exception (yes, the attribute is multi-valued).
>>
>> Thanks!
>>
>> Regards
>> R. Pudil
>>
>> On 20.6.2015 at 18:38 Pavol Mederly wrote:
>>> Hello Roman,
>>>
>>> we've recently implemented this scenario for one of our customers.
>>>
>>> It was done via ScriptedSQL connector, as one resource, having two
>>> object classes:
>>>
>>> - users
>>> - roles
>>>
>>> The user-role association was implemented as a multi-valued
>>> attribute called "roles" in the user. (It could be done also via
>>> attribute "users"/"members" in the role object, but we chose this
>>> way because the user in our case has fewer roles than there are
>>> users for a given role.)
>>>
>>> Groovy scripts in the connector were used as a wrapper that called
>>> stored procedures in the database. These procedures were responsible
>>> for manipulating the tables, including updating user-role table
>>> based on the information that came in the "roles" attribute.
>>>
>>> It is more complex than using the simple DB connector, but works nicely.
>>>
>>> Best regards,
>>> Pavol
>>>
>>> On 20. 6. 2015 18:07, Roman Pudil - AMI Praha a.s. wrote:
>>>> Hi all,
>>>> I have 3 tables in a database.
>>>>
>>>> 1) table with users
>>>> 2) table with roles
>>>> 3) table with user ids assigned to role ids (M:N relation)
>>>>
>>>> The first and second tables are connected to midPoint as two
>>>> database resources (DB users as identities, DB roles as midPoint
>>>> roles). But how do I process the third table in MidPoint, with its
>>>> user-to-group relations? As a third resource or not? How? What is best practice?
>>>>
>>>> Thanks for any idea!
>>>>
>>>> Regards!
>>>> Roman Pudil
>>>> AMI Praha, a.s.
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
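Added illustration, not code from this thread, from midPoint or from the ScriptedSQL connector: a Python model (sqlite3 in place of the Groovy-wrapped stored procedures Pavol describes) of the three tables and of what an update of the multi-valued "roles" attribute has to do to the M:N table, i.e. apply a set difference in one transaction and reject values that are not uids of existing roles. Table and column names, sample rows and the user/role ids are assumptions constructed for the example.

```python
import sqlite3

# Constructed schema mirroring the three tables from the thread:
# users, roles, and the M:N table linking user ids to role ids.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE roles (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE user_roles (
    user_id TEXT NOT NULL REFERENCES users(id),
    role_id TEXT NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id)
);
"""

def open_sample_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("u1", "roman"), ("u2", "pavol")])
    conn.executemany("INSERT INTO roles VALUES (?, ?)",
                     [("r1", "admin"), ("r2", "auditor"), ("r3", "reader")])
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)",
                     [("u1", "r1"), ("u1", "r2")])
    conn.commit()
    return conn

def read_roles(conn, user_id):
    """Value of the multi-valued 'roles' attribute: the uids of the user's roles."""
    rows = conn.execute("SELECT role_id FROM user_roles WHERE user_id = ? "
                        "ORDER BY role_id", (user_id,))
    return [r[0] for r in rows]

def set_roles(conn, user_id, wanted):
    """Make user_roles match 'wanted' (role uids); returns (added, removed)."""
    wanted = set(wanted)
    known = {r[0] for r in conn.execute("SELECT id FROM roles")}
    unknown = wanted - known
    if unknown:  # refuse values that are not uids of existing roles
        raise ValueError(f"unknown role uid(s): {sorted(unknown)}")
    current = set(read_roles(conn, user_id))
    to_add = sorted(wanted - current)
    to_remove = sorted(current - wanted)
    with conn:  # single transaction: both changes apply or neither does
        conn.executemany("INSERT INTO user_roles VALUES (?, ?)",
                         [(user_id, r) for r in to_add])
        conn.executemany("DELETE FROM user_roles WHERE user_id = ? AND role_id = ?",
                         [(user_id, r) for r in to_remove])
    return to_add, to_remove
```

Because the whole value set is applied as a difference against the current rows, a repeated update with the same value is a no-op, which is what midPoint's reconciliation relies on.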