[midPoint] Sync Virtual Identities and AD Groups using roles

Jason Everling jeverling at bshp.edu
Tue Dec 13 16:08:30 CET 2016


Another note: if you want those roles populated with current members from
AD, you would need to create an inbound sync for groups from AD which then
gets assigned the correct role in midPoint. This is not currently supported
in midPoint, but I do have a workaround; it might not be the best way to do it,
but it does work.

See my post,
http://lists.evolveum.com/pipermail/midpoint/2016-September/002503.html ,
using the AD .NET connector, but even with the new AD LDAP connector it should
work the same, just with a different attribute, maybe ri:memberOf? I haven't used
the connector yet, so I'm not sure. One caveat: it only works on reconcile, not
live sync. Within the default objectTemplate I assign a role based
on the group name.

JASON

On Tue, Dec 13, 2016 at 1:58 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi,
>
> if you open your role in midPoint, you can see its members in "Members"
> tab. Both direct and indirect members should be displayable. So you can see
> who has the role assigned.
>
> It's not possible yet to make a report which uses resource data, i.e.
> "show all users in midPoint which have an account in AD with attribute XY".
> As we do not store resource account attributes, the data would need to be
> fetched during such a report. This is not implemented yet.
> Regards,
> Ivan
>
>
> On 12/12/2016 04:57 PM, m.benucci wrote:
>
> Hi,
> I have imported users from an Active Directory and
> I have successfully synchronized AD groups with midPoint roles using a
> metarole.
> Provisioning and synchronization seem to work well.
>
> Now, given a midPoint role (an AD entitlement), I would like to know if
> it is possible to know who is assigned to this role (e.g. I would like to know
> from midPoint who is assigned to the role/entitlement "Domain Admin").
>
> I suppose I necessarily need to assign the role to a user to see if he is
> a member of it; is there a way to automate this assignment process?
>
>
> Thank you.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
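The workaround Jason describes above, written out as an added configuration example (this is not Jason's posted configuration, nor midPoint project code): an inbound mapping on the AD resource copies the account's group attribute into a multi-valued user extension property, and a mapping in the default user object template turns each value into an assignment of the midPoint role with the same name. The attribute name ri:memberOf, the extension property extension/adGroup (which must be declared in your midPoint extension schema), the ext namespace URI and the object names are all assumptions chosen for illustration.

```xml
<!-- Added example, not from the original post. Assumed names: ri:memberOf,
     extension/adGroup, the ext namespace and the object names below. -->

<!-- 1) Fragment of the AD resource definition: inbound mapping that copies
        every value of the account's group attribute into the user's
        multi-valued extension property extension/adGroup. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>Active Directory</name>
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <default>true</default>
            <attribute>
                <!-- assumed: group-membership attribute exposed by the connector -->
                <ref>ri:memberOf</ref>
                <inbound>
                    <strength>strong</strength>
                    <target>
                        <path>extension/adGroup</path>
                    </target>
                </inbound>
            </attribute>
        </objectType>
    </schemaHandling>
</resource>

<!-- 2) Default user object template: for each value in extension/adGroup,
        look up the RoleType whose name equals that value and assign it.
        Because the mapping is authoritative, a group that disappears from
        extension/adGroup on the next reconcile removes the assignment again. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Default User Template</name>
    <mapping>
        <name>ad-group-to-role</name>
        <strength>strong</strength>
        <authoritative>true</authoritative>
        <source>
            <name>adGroup</name>
            <path>extension/adGroup</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <!-- role name == AD group name (assumed convention) -->
                            <path>$adGroup</path>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>
</objectTemplate>
```

Two practical points. First, as Jason notes, this takes effect on reconciliation (or import), since the template mapping is evaluated when the user is recomputed; plan a scheduled reconcile task for the AD resource rather than relying on live sync. Second, if no role with the matching name exists, the search simply yields no assignment; do not switch on createOnDemand in the assignmentTargetSearch for this mapping, because that would let anyone able to create a group in AD mint a corresponding role in midPoint, and naming collisions with privileged roles such as "Domain Admins" would then be decided on the AD side.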
