[midPoint] Actual state of Entitlements functionality

Radovan Semancik radovan.semancik at evolveum.com
Fri Oct 9 11:23:11 CEST 2015


Hi,

Short answer: entitlements are now fully supported in the midPoint core 
engine (partially in midPoint 3.0, fully in midPoint 3.1 and later). The 
GUI support is lagging behind a bit. Some improvements were made in 3.1 
and 3.2. The GUI support for entitlements is still not ideal, but as 
far as I can tell it is usable for automation and basic use cases (see 
below). If you are interested, GUI enhancements can still be planned for 
the 3.4 release.

Entitlements are partially configured in the demo. When you open the user 
details page and expand an LDAP account you will see an "association" 
section. These are account associations to LDAP groups. The LDAP groups 
are configured as entitlements. The demo documentation needs an update 
(and thank you for pointing that out).

The current state of midPoint when it comes to entitlements is focused 
mostly on automation. E.g. it is easy to use entitlements in role 
definitions, it is easy to dynamically create entitlements (e.g. LDAP or 
AD groups) for new organizational units or roles, it is easy to 
automatically assign organizational unit members to the appropriate 
groups, etc. This functionality works well, it is well tested (see 
https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test and other 
tests) and it is heavily used in several real-world deployments. The GUI 
part is currently designed mostly to support visibility. I.e. it can be 
used to inspect the entitlement associations, but currently it is not 
designed to manage the entitlements in a direct manual fashion. All our 
deployments manage entitlements indirectly by managing organizational 
units and roles. A change to organizational units and roles is then 
automatically reflected in the entitlements and entitlement associations.

However, the GUI can be extended and currently we are in a period of 
intensive GUI development. If you are interested in improving GUI 
entitlement support, you have the usual options:
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature

-- 
Radovan Semancik
Software Architect
evolveum.com
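As an added illustration (not part of this message, the demo or the midPoint project files), the two fragments below show the configuration pattern described above: LDAP groups declared as an entitlement object type and linked to accounts through an association in a resource's schemaHandling, and a role whose inducement grants membership in one such group. The object class and attribute names (ri:ldapGroup, ri:uniqueMember, ri:groupOfUniqueNames) and the OIDs are assumptions and placeholders.

```xml
<!-- Fragment 1 (constructed): resource schemaHandling. LDAP groups become an
     "entitlement" object type; accounts carry an "association" to them.
     Names such as ri:ldapGroup and ri:uniqueMember are assumptions. -->
<schemaHandling xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <objectType>
        <kind>account</kind>
        <intent>default</intent>
        <default>true</default>
        <objectClass>ri:inetOrgPerson</objectClass>
        <association>
            <ref>ri:ldapGroup</ref>
            <kind>entitlement</kind>
            <intent>ldapGroup</intent>
            <!-- the group object stores the member list, so the
                 group (object) points at the account (subject) -->
            <direction>objectToSubject</direction>
            <associationAttribute>ri:uniqueMember</associationAttribute>
            <valueAttribute>ri:dn</valueAttribute>
        </association>
    </objectType>
    <objectType>
        <kind>entitlement</kind>
        <intent>ldapGroup</intent>
        <objectClass>ri:groupOfUniqueNames</objectClass>
    </objectType>
</schemaHandling>

<!-- Fragment 2 (constructed): a role whose inducement gives every holder an
     LDAP account that is a member of one group. OIDs are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>LDAP Administrators</name>
    <inducement>
        <construction>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER"/>
            <kind>account</kind>
            <association>
                <ref>ri:ldapGroup</ref>
                <outbound>
                    <expression>
                        <value>
                            <!-- shadow of the target group on the resource -->
                            <shadowRef oid="GROUP-SHADOW-OID-PLACEHOLDER"/>
                        </value>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
</role>
```

Because the membership is derived from the role, removing the role from a user is what removes the account from the group; nothing needs to be edited in the group directly.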




On 10/07/2015 06:56 PM, Manfredo Hopp wrote:
>
> Hi,
>
> We are evaluating midPoint as an alternative for propagation to an LDAP 
> with the provisioning of new users from a DB and possibly changes to 
> the structure from the DB or through midPoint's API.
>
> Actually our users are registered in a DB and associated with different 
> application roles, one of which is selected by the user after login and 
> forwarded to applications.
> We also have an administrative system which maintains this structure, 
> where we manage the concept of groups within roles (grouping several 
> roles), role delegation and have automatic enrollment of users and 
> role assignments.
>
> Trying to get an overall knowledge about midPoint I was following the Live 
> Demo and some documentation and found out that the concept of 
> midPoint's Entitlement is what better suits our need to reflect our Roles.
>
> So I was trying to find out something about Entitlements in the demo with 
> no results. There is still a reference to it which I copy:
>
> "Some of the roles and organizational units modify membership in LDAP 
> groups. However, there is a limitation to this somehow caused by the 
> incomplete design of the connector framework. Quite an ugly trick is 
> needed to work around this in the current midPoint version. The trick is 
> an ad-hoc support for the ldapGroups attribute in the LDAP connector. 
> However the attribute is hidden and needs to be manually added to the 
> generated LDAP resource schema. This also means that the LDAP groups 
> are normally not displayed for LDAP accounts in midPoint. However we 
> are working hard on this. The next version of midPoint will introduce 
> the concept of Entitlements that will provide an elegant and 
> systematic solution to this problem."
>
> Also I found this in documentation:
>
> "MidPoint can be configured to fully understand entitlements. MidPoint 
> can know which resource objects represent groups. Therefore midPoint 
> can manage group membership in a structured and automated way. 
> MidPoint can list entitlements and therefore it can be used to create 
> smart and convenient user interfaces. MidPoint support for 
> entitlements goes beyond the capabilities of vast majority of IDM 
> solutions."
> and
>
> "The entitlements are supported in midPoint core engine but the GUI 
> support is currently very limited"
>
> So here come my questions:
>
> What is the actual state of the entitlements GUI? Is it that of the Live Demo?
>
> How could Entitlements administration be addressed?
>
> Is there any midPoint Extension/Plugin that has been developed?
>
> To what extent can midPoint be extended?
>
>
> Sorry for all this long introduction.
>
> Regards MHopp
>