[midPoint] Assign Roles from Account Entitlements

Pálos Gustáv gustav.palos at evolveum.com
Tue Aug 30 17:57:24 CEST 2016


Hi Patrick,

There is a workaround for this.
You can import the list of LDAP role names into a new multi-valued
extension user attribute, and create a user object template that reads this
value, searches for the role by name and creates the user-role assignment in
a script.

Something similar, but for orgs, you can see here:
http://lists.evolveum.com/pipermail/midpoint/2016-June/002013.html
In this sample, the user extension attribute is extension/namesOfOrgs, where
the org names are imported.
You need to change OrgType* to RoleType* in your case.

Best regards,

Gustav


2016-08-30 16:19 GMT+02:00 Radovan Semancik <radovan.semancik at evolveum.com>:

> Hi,
>
> There is currently no easy way how to do this. This is one of the issues
> that are waiting for funding or contribution. Please see:
> https://jira.evolveum.com/browse/MID-2104
> https://jira.evolveum.com/browse/MID-2103
>
> What you can do about it is described here:
> https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
>
> These features would be really useful and they have been waiting for some
> time already ...
> In the meantime you can probably do some magic with scripting hooks (
> https://wiki.evolveum.com/display/midPoint/Scripting+Hooks) but that is
> not an easy approach and it definitely is not the right one. The correct
> approach would be to develop the necessary features.
>
> --
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
> On 08/30/2016 01:09 AM, pdbogen at cernu.us wrote:
>
> Howdy!
>
> I have MidPoint set up to create users and roles from the inetOrgPersons and
> groupOfMembers in OpenLDAP, respectively.
>
> GroupOfMembers are created using a template that assigns a meta-role that
> induces a 2nd order assignment of the correct entitlement, so in other words,
> assigning the role in midPoint correctly associates the entitlement, and
> changes LDAP properly.
>
> My concern right now is the other direction, maybe just for initial import,
> maybe ongoing; I'd like new associations from LDAP to add the role to the
> affected account.
>
> I.e., if cn=patrick is added to role cn=midpoint.admin in LDAP, the
> corresponding 'patrick' user in MidPoint should be assigned the
> 'midpoint.admin' role.
>
> I think there may be a concept I'm missing to implement this, so I'm not sure
> if anything is 'wrong' at this stage.
>
> Thoughts? What information can I provide to help figure this out?
>
> Thanks!
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>


-- 
Gustáv Pálos
Identity Engineer
evolveum.com
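One way to wire up the workaround Gustav describes, as an added example that is not from this thread or from the midPoint project: a user object template that reads a hypothetical multi-valued extension attribute extension/roleNames and, instead of a hand-written Groovy script, uses midPoint's assignmentTargetSearch expression evaluator to look the role up by name and produce the assignment. It assumes roleNames is already declared in the extension schema and populated by an inbound mapping on the LDAP resource (e.g. from the cn of each groupOfMembers the account belongs to); the OID is a placeholder.

```xml
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                oid="10000000-0000-0000-0000-000000000001">  <!-- placeholder OID -->
    <name>User template: roles from LDAP group names</name>
    <mapping>
        <name>assign-role-by-ldap-group-name</name>
        <!-- authoritative: the mapping may also remove assignments it created
             once the source value is gone (a group membership dropped in LDAP).
             strong: the assignment set is enforced on every recompute, not
             only filled in when the user has no assignment yet. -->
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <source>
            <!-- Assumed multi-valued string property from the extension
                 schema, filled by an inbound mapping on the LDAP resource. -->
            <path>extension/roleNames</path>
        </source>
        <expression>
            <!-- For each value of roleNames, search RoleType by name and emit
                 an assignment targeting the role found. The variable name
                 defaults to the last segment of the source path. -->
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <path>$roleNames</path>
                        </expression>
                    </q:equal>
                </filter>
                <!-- Do not auto-create roles for LDAP groups that have no
                     midPoint counterpart; such groups stay visible only as
                     a value of extension/roleNames until someone creates
                     the role (or the group import creates it first). -->
                <createOnDemand>false</createOnDemand>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>
</objectTemplate>
```

Because the mapping is strong and authoritative, the LDAP group list becomes the source of truth for these assignments, so role assignments made by hand in midPoint that have no matching LDAP group will be removed on the next recompute; keep that in mind before enabling it on an existing population.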