[midPoint] ScriptedSQL connector: multiple group types

Nicolas Rossi nrossi at identicum.com
Tue Dec 20 17:05:55 CET 2016


Maybe you can add custom parameters to the role assignment, but AFAIK there
is no timeframe configuration for role assignments in midPoint.

Regards,



Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Tue, Dec 20, 2016 at 12:44 PM, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:

> Hello again!
>
> Is it possible, and how, to configure group membership (association), each
> with different time constraints?
> A user may have multiple "workplaces" assigned; each workplace must have
> its own time constraint. Example:
> user "jdoe" has:
> - workplace "Serology lab 1" from 2015.04.01 to 2016.12.31
> - workplace "Microbiology lab 2" from 2015.05.05 to 2017.05.05
> - and workplace "Analytics lab 1" from 2012.01.01 to 2020.12.31
>
> Is that possible to do?
> Best regards,
> WS
>
> On 19.12.2016 at 21:53, Wojciech Staszewski wrote:
> > Thanks!
> >
> > So then, it shouldn't be so hard.
> > Best regards!
> >
> > On Monday, 19 December 2016 20:38:42 CET, Pavol Mederly wrote:
> >> Wojciech,
> >>
> >> I think your original idea is OK. You can create multiple types - i.e.
> >> object classes - in SchemaScript for your groups. Like Group1, Group2,
> >> ..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole,
> >> ApplicationModule, Workplace. Anything you want. As soon as you
> >> consistently refer to them in all your scripts.
> >>
> >> And yes, you then map these object classes to midPoint terms:
> >> kind/intent; kind being entitlement in this case, and intents as you
> >> like. For example, databaseRole, applicationModule, or workplace.
> >>
> >> Pavol Mederly
> >> Software developer
> >> evolveum.com
> >>
> >> On 19.12.2016 20:25, Wojciech Staszewski wrote:
> >>> Hello!
> >>>
> >>> Jokes are over. My first scriptedSQL connector works like a charm
> >>> (Zabbix account with group membership), so it is time for something more
> >>> sophisticated.
> >>> I've got a system, where user's access rights are set by 3 different
> >>> memberships.
> >>> First membership are database roles.
> >>> Second are application modules available for user.
> >>> Third type are "workplaces" (with time constraints).
> >>> These 3 memberships are independent, each user can have for example 3
> >>> roles, 12 enabled modules and 5 workplaces.
> >>>
> >>> I thought that I can do multiple group types in SchemaScript and
> >>> distinguish them by "intent".
> >>> But I can't do this. I can declare only 1 CustomGroupObjectClass...
> >>> Any advice? Thanks and regards,
> >>> WS :)
> >>>
> >>> _______________________________________________
> >>> midPoint mailing list
> >>> midPoint at lists.evolveum.com
> >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >>