[midPoint] ScriptedSQL connector: multiple group types

Pavol Mederly mederly at evolveum.com
Tue Dec 20 17:18:15 CET 2016


Wojciech,

as discussed today on this list: in midPoint this is represented by the 
activation item (specifically, its validFrom/validTo properties) 
residing in the user's assignment (pointing to the given role).

Pavol Mederly
Software developer
evolveum.com

On 20.12.2016 16:44, Wojciech Staszewski wrote:
> Hello again!
>
> Is it possible, and how, to configure group membership (association), each with different time constraints?
> User may have assigned multiple "workplaces", each workplace must have its own time constraint. Example:
> user "jdoe" has:
> - workplace "Serology lab 1" from 2015.04.01 to 2016.12.31
> - workplace "Microbiology lab 2" from 2015.05.05 to 2017.05.05
> - and workplace "Analytics lab 1" from 2012.01.01 to 2020.12.31
>
> Is that possible to do?
> Best regards,
> WS
>
> On 19.12.2016 at 21:53, Wojciech Staszewski wrote:
>> Thanks!
>>
>> So then, it shouldn't be so hard.
>> Best regards!
>>
>> On Monday, 19 December 2016 20:38:42 CET Pavol Mederly wrote:
>>> Wojciech,
>>>
>>> I think your original idea is OK. You can create multiple types - i.e.
>>> object classes - in SchemaScript for your groups. Like Group1, Group2,
>>> ..., BlueGroup, RedGroup, GreenGroup, ..., DatabaseRole,
>>> ApplicationModule, Workplace. Anything you want. As soon as you
>>> consistently refer to them in all your scripts.
>>>
>>> And yes, you then map these object classes to midPoint terms:
>>> kind/intent; kind being entitlement in this case, and intents as you
>>> like. For example, databaseRole, applicationModule, or workplace.
>>>
>>> Pavol Mederly
>>> Software developer
>>> evolveum.com
>>>
>>> On 19.12.2016 20:25, Wojciech Staszewski wrote:
>>>> Hello!
>>>>
>>>> Jokes are over. My first scriptedSQL connector works like a charm (Zabbix account with group membership), so it is time for something more sophisticated.
>>>> I've got a system, where user's access rights are set by 3 different memberships.
>>>> First membership are database roles.
>>>> Second are application modules available for user.
>>>> Third type are "workplaces" (with time constraints).
>>>> These 3 memberships are independent, each user can have for example 3 roles, 12 enabled modules and 5 workplaces.
>>>>
>>>> I thought that I can do multiple group types in SchemaScript and distinguish them by "intent".
>>>> But I can't do this. I can declare only 1 CustomGroupObjectClass...
>>>> Any advice? Thanks and regards,
>>>> WS :)
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
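
The arrangement described at the top of this message (validFrom/validTo in the activation of each assignment), written out for the "jdoe" example from the quoted question. This is an added illustration, not configuration posted by anyone in the thread. It assumes each workplace is modelled as a midPoint role; the OIDs are constructed placeholders and the UTC day boundaries are an assumption.

```xml
<!-- Added illustration: OIDs are constructed placeholders, not real objects. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>jdoe</name>

    <!-- One assignment per workplace; each carries its own validity window,
         so access to one workplace can expire while the others stay active. -->
    <assignment>
        <!-- Assumed role: "Serology lab 1" -->
        <targetRef oid="00000000-0000-0000-0000-000000000101" type="RoleType"/>
        <activation>
            <validFrom>2015-04-01T00:00:00Z</validFrom>
            <validTo>2016-12-31T23:59:59Z</validTo>
        </activation>
    </assignment>

    <assignment>
        <!-- Assumed role: "Microbiology lab 2" -->
        <targetRef oid="00000000-0000-0000-0000-000000000102" type="RoleType"/>
        <activation>
            <validFrom>2015-05-05T00:00:00Z</validFrom>
            <validTo>2017-05-05T23:59:59Z</validTo>
        </activation>
    </assignment>

    <assignment>
        <!-- Assumed role: "Analytics lab 1" -->
        <targetRef oid="00000000-0000-0000-0000-000000000103" type="RoleType"/>
        <activation>
            <validFrom>2012-01-01T00:00:00Z</validFrom>
            <validTo>2020-12-31T23:59:59Z</validTo>
        </activation>
    </assignment>
</user>
```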



