[midPoint] Actual state of Entitlements functionality
Radovan Semancik
radovan.semancik at evolveum.com
Fri Oct 9 11:23:11 CEST 2015
Hi,
Short answer: entitlements are now fully supported in the midPoint core
engine (partially in midPoint 3.0, fully in midPoint 3.1 and later). The
GUI support is lagging behind a bit. Some improvements were made in 3.1
and 3.2. The GUI support for entitlements is still not ideal, but as
far as I can tell it is usable for automation and basic use cases (see
below). If you are interested, GUI enhancements can still be planned for
the 3.4 release.
Entitlements are partially configured in the demo. When you open the user
details page and expand an LDAP account you will see an "association"
section. These are account associations to LDAP groups. The LDAP groups
are configured as entitlements. The demo documentation needs an update
(and thank you for pointing that out).
The current state of midPoint when it comes to entitlements is focused
mostly on automation. E.g. it is easy to use entitlements in role
definitions, it is easy to dynamically create entitlements (e.g. LDAP or
AD groups) for new organizational units or roles, it is easy to
automatically assign organizational unit members to appropriate groups,
etc. This functionality works well, it is well tested (see
https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test and other
tests) and it is heavily used in several real-world deployments. The GUI
part is currently designed mostly to support visibility. I.e. it can be
used to inspect the entitlement associations, but currently it is not
designed to manage the entitlements in a direct manual fashion. All our
deployments manage entitlements indirectly by managing organizational
units and roles. A change to organizational units and roles is then
automatically reflected in the entitlements and entitlement associations.
However, the GUI can be extended and we are currently in a period of
intensive GUI development. If you are interested in improving GUI
entitlement support, you have the usual options:
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
--
Radovan Semancik
Software Architect
evolveum.com
On 10/07/2015 06:56 PM, Manfredo Hopp wrote:
>
> Hi,
>
> we are evaluating midPoint as an alternative for propagation to an LDAP
> with the provisioning of new users from a DB and possibly changes to
> structure from the DB or through midPoint's API.
>
> Actually our users are registered in a DB and associated to different
> application roles, one of which is selected by the user after login and
> forwarded to applications.
> We also have an administrative system which maintains this structure
> where we manage the concept of groups within roles (grouping several
> roles), role delegation and have automatic enrollment of users and
> role assignments.
>
> Trying to get an overall knowledge about midPoint I was following the Live
> Demo and some documentation and found out that the concept of
> midPoint's Entitlement is what better suits our need to reflect our Roles.
>
> So I was trying to find out something about Entitlements in the demo with
> no results. There is still a reference to it which I copy:
>
> "Some of the roles and organizational units modify membership in LDAP
> groups. However, there is a limitation to this somehow caused by the
> incomplete design of the connector framework. Quite an ugly trick is
> needed to work around this in current midPoint version. The trick is
> an ad-hoc support for the ldapGroups attribute in the LDAP connector.
> However the attribute is hidden and needs to be manually added to the
> generated LDAP resource schema. This also means that the LDAP groups
> are normally not displayed for LDAP account in midPoint. However we
> are working hard on this. The next version of midPoint will introduce
> the concept of Entitlements that will provide an elegant and
> systematic solution to this problem."
>
> Also I found this in documentation:
>
> "MidPoint can be configured to fully understand entitlements. MidPoint
> can know which resource objects represent groups. Therefore midPoint
> can manage group membership in a structured and automated way.
> MidPoint can list entitlements and therefore it can be used to create
> smart and convenient user interfaces. MidPoint support for
> entitlements goes beyond the capabilities of vast majority of IDM
> solutions."
> and
>
> "The entitlements are supported in midPoint core engine but the GUI
> support is currently very limited"
>
> So here come my questions:
>
> What is the actual state of the entitlements GUI? Is it that of the live Demo?
>
> How could Entitlements administration be addressed?
>
> Is there any midPoint Extension/Plugin that has been developed?
>
> To what extent can midPoint be extended?
>
>
> Sorry for all this long introduction.
>
> Regards MHopp
>
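The mechanism Radovan's reply describes (LDAP groups declared as entitlements on the resource, an account-to-group association defined over the group's member attribute, and a role whose inducement adds that association so that assigning the role puts the user into the group and unassigning it removes the membership) as a concrete midPoint 3.x configuration. This is an added example written for this page; it is not code from the thread, from the live demo or from midPoint's own documentation. It shows two separate objects (a resource fragment and a role) one after the other. The OIDs, the object-class and attribute names (ri:inetOrgPerson, ri:groupOfNames, ri:member, ri:dn, ri:cn) and the group name "ldap-admins" are assumptions for an OpenLDAP-style directory, and the element names follow the 3.x schemaHandling syntax as I know it; check them against your generated resource schema before use.

```xml
<!-- Added example, not from the thread or the midPoint demo. OIDs and
     attribute names are placeholders/assumptions for an OpenLDAP-style
     resource; adjust them to the generated resource schema. -->

<!-- 1. Resource: declare LDAP groups as entitlements and define the
        account -> group association. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
          oid="00000000-0000-0000-0000-00000000ldap">   <!-- placeholder OID -->
  <name>OpenLDAP</name>
  <!-- connectorRef and connector configuration omitted: they are unchanged
       from the resource definition midPoint generated. -->
  <schemaHandling>

    <!-- Account object type with one association, named ri:ldapGroup.
         direction objectToSubject: the group (object) holds the link in its
         member attribute, whose values are account DNs (valueAttribute). -->
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <default>true</default>
      <objectClass>ri:inetOrgPerson</objectClass>
      <association>
        <ref>ri:ldapGroup</ref>
        <displayName>LDAP group membership</displayName>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
        <!-- The directory does not clean up member values itself, so let
             midPoint remove the account DN from groups when the account
             is deleted (no stale memberships left behind). -->
        <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
      </association>
    </objectType>

    <!-- Group object type. Giving it kind=entitlement is what lets midPoint
         list groups and show them in the "association" section of an
         account instead of needing the old hidden ldapGroups attribute. -->
    <objectType>
      <kind>entitlement</kind>
      <intent>ldapGroup</intent>
      <objectClass>ri:groupOfNames</objectClass>
    </objectType>
  </schemaHandling>
</resource>

<!-- 2. Role: the inducement creates the account (if the user has none) and
        adds the association to the group whose cn is "ldap-admins". The
        group is located by searching the resource rather than by a
        hard-coded shadow OID, so the role survives re-import of shadows. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      oid="00000000-0000-0000-0000-00000000role">        <!-- placeholder OID -->
  <name>LDAP Admins</name>
  <inducement>
    <construction>
      <resourceRef oid="00000000-0000-0000-0000-00000000ldap" type="ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <ref>ri:ldapGroup</ref>
        <outbound>
          <expression>
            <associationTargetSearch>
              <filter>
                <q:equal>
                  <q:path>attributes/ri:cn</q:path>
                  <q:value>ldap-admins</q:value>
                </q:equal>
              </filter>
              <!-- Look in the repository first, go to LDAP only if the
                   group shadow is not cached yet. -->
              <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
```

With this in place, group membership is no longer edited by hand in the directory or through an ad-hoc attribute: it is derived from the user's role assignments, which is what makes the "manage entitlements indirectly through roles and org units" model from the reply work. The practical check is to assign the role, confirm the account's DN appears in the group's member attribute and the association shows up under the account in the GUI, then unassign the role and confirm the member value is gone; that second half is the deprovisioning path you actually care about for access control.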