[midPoint] Actual state of Entitlements functionality

Manfredo Hopp mhopp.conicet at gmail.com
Tue Oct 13 18:45:40 CEST 2015


Thank you, Radovan, for your complete answer!
We will take all this into account when we go deeper with our research.

Regards MHopp

2015-10-09 6:23 GMT-03:00 Radovan Semancik <radovan.semancik at evolveum.com>:

> Hi,
>
> Short answer: entitlements are now fully supported in midPoint core engine
> (partially in midPoint 3.0, fully in midPoint 3.1 and later). The GUI
> support is lagging behind a bit. Some improvements were made in 3.1 and
> 3.2. The GUI support for entitlements is still not ideal, but as far as I
> can tell it is usable for automation and basic use cases (see below). If
> you are interested, GUI enhancement can still be planned for the 3.4 release.
>
> Entitlements are partially configured in the demo. When you open the user
> details page and expand an LDAP account you will see the "association" section.
> These are account associations to LDAP groups. The LDAP groups are
> configured as entitlements. The demo documentation needs an update (and
> thank you for pointing that out).
>
> The current state of midPoint when it comes to entitlements is focused
> mostly on automation. E.g. it is easy to use entitlements in role
> definitions, it is easy to dynamically create entitlements (e.g. LDAP or AD
> groups) for new organizational units or roles, it is easy to automatically
> assign organizational unit members to appropriate groups, etc. This
> functionality works well, it is well tested (see
> https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test and other
> tests) and it is heavily used in several real-world deployments. The GUI
> part is currently designed mostly to support visibility, i.e. it can be
> used to inspect the entitlement associations, but currently it is not
> designed to manage the entitlements in a direct manual fashion. All our
> deployments manage entitlements indirectly by managing organizational units
> and roles. The change to organizational units and roles is then
> automatically reflected in the entitlements and entitlement associations.
>
> However, the GUI can be extended and currently we are in a period of
> intensive GUI development. If you are interested in improving GUI
> entitlement support, you have the usual options:
> https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
> On 10/07/2015 06:56 PM, Manfredo Hopp wrote:
>
>
> Hi,
>
> We are evaluating midPoint as an alternative for propagation to an LDAP with
> the provisioning of new users from a DB and possibly changes to the structure
> from the DB or through midPoint's API.
>
> Actually our users are registered in a DB and associated to different
> application-roles, one of which is selected by the user after login and
> forwarded to applications.
> We also have an administrative system which maintains this structure,
> where we manage the concept of groups within roles (grouping several
> roles), role delegation and have automatic enrollment of users and role
> assignments.
>
> Trying to get an overall knowledge about midPoint I was following the Live
> Demo and some documentation and found out that the concept of midPoint's
> Entitlement is what best suits our need to reflect our Roles.
>
> So I was trying to find out something about Entitlements in the demo with no
> results. There is still a reference to it which I copy:
>
> "Some of the roles and organizational units modify membership in LDAP
> groups. However, there is a limitation to this somehow caused by the
> incomplete design of the connector framework. Quite an ugly trick is needed
> to work around this in current midPoint version. The trick is an ad-hoc
> support for ldapGroups attribute in the LDAP connector. However the
> attribute is hidden and needs to be manually added to the generated LDAP
> resource schema. This also means that the LDAP groups are normally not
> displayed for LDAP account in midPoint. However we are working hard on
> this. The next version of midPoint will introduce the concept of
> *Entitlements* that will provide an elegant and systematic solution to
> this problem."
>
> Also I found this in documentation:
>
> "MidPoint can be configured to fully understand entitlements. MidPoint can
> know which resource objects represent groups. Therefore midPoint can manage
> group membership in a structured and automated way. MidPoint can list
> entitlements and therefore it can be used to create smart and convenient
> user interfaces. MidPoint support for entitlements goes beyond the
> capabilities of the vast majority of IDM solutions."
>
> and
>
> "The entitlements are supported in midPoint core engine but the GUI
> support is currently very limited"
>
> So here come my questions:
>
> What is the actual state of the entitlements GUI? Is it that of the live Demo?
>
> How could Entitlements administration be addressed?
>
> Is there any midPoint Extension/Plugin that has been developed?
>
> To what extent can midPoint be extended?
>
>
> Sorry for all this long introduction.
>
> Regards MHopp
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>