[midPoint] Automatic role assignments
Pavol Mederly
mederly at evolveum.com
Tue Jun 14 13:53:32 CEST 2016
Hello Aivo,
it's probably possible.
If it were not for point #4 (the hierarchical aspect), your configuration
could be implemented by inducements defined at various points in the org
tree.
But point #4 requires a more elaborate solution. I would suggest trying
something like this:
- create a user template containing the following mapping:
  - source: parentOrgRef
  - target: assignment
  - code: something like:
    - take all parentOrgRefs
    - iteratively compute a transitive closure, adding their parents,
      grand-parents, etc, up to the root(s) of the hierarchy
    - collect all inducements of these orgs, and use them as the result
      of this mapping
  (the mapping should be declared as an 'absolute' one, not a 'relative' one)
Actually I'm not convinced it will work, but ... it's worth a try, maybe
(giving it ~ 60% chance...)
An inherent limitation of this solution is that it's not able to
distinguish which assignments are 'manual' and which are 'automatic'.
I.e. in case something goes really wrong, we are not able to run
something like a 'total recomputation' which would delete all automatic
assignments that are no longer appropriate. This would need to be
hacked by running a bulk action that would first eliminate all
'automatic' assignments from a given user, and then run a recomputation
to provide valid ones.
Another caveat is the order of evaluation of these mappings and existing
assignments. This would need to be experimented with as well.
And, as for #3, in both scenarios (hierarchical or non-hierarchical),
user recomputation would be needed.
Maybe someone could propose a better solution...
Best regards,
Pavol
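To make the proposed mapping concrete, here is an added, stand-alone model of the
algorithm described above (transitive closure over parentOrgRef, then collecting
the inducements of every org in the closure). It is not midPoint code or midPoint's
scripting API; the org graph, role names and the 'origin' tag on assignments are
constructed for illustration. The 'origin' tag is the bookkeeping the plain mapping
approach lacks, and is what makes the 'total recomputation' mentioned above possible.

```python
# Constructed org graph (hypothetical OIDs): org -> its parentOrgRef OIDs and
# the roles it induces.  "org-proj" and "org-dept" are both children of the root,
# so the closure must cope with multiple parents and must not loop on cycles.
ORGS = {
    "org-root": {"parents": [],           "inducements": ["role-A"]},
    "org-dept": {"parents": ["org-root"], "inducements": ["role-B"]},
    "org-team": {"parents": ["org-dept"], "inducements": []},
    "org-proj": {"parents": ["org-root"], "inducements": ["role-P"]},
}


def org_closure(parent_org_refs, orgs=ORGS):
    """Transitive closure of a user's parentOrgRef: the orgs themselves plus
    every ancestor up to the root(s).  A 'seen' set terminates on cycles and
    on orgs reachable through more than one path."""
    seen, todo = set(), list(parent_org_refs)
    while todo:
        oid = todo.pop()
        if oid in seen or oid not in orgs:   # unknown OID: dangling reference, skip
            continue
        seen.add(oid)
        todo.extend(orgs[oid]["parents"])
    return seen


def automatic_assignments(parent_org_refs, orgs=ORGS):
    """Result of the 'absolute' mapping: the union of inducements of all orgs in
    the closure.  A top-level org's role therefore reaches every descendant
    (point #4), while a child org's role stays with that subtree."""
    roles = set()
    for oid in org_closure(parent_org_refs, orgs):
        roles.update(orgs[oid]["inducements"])
    return roles


def recompute(user, orgs=ORGS):
    """Total recomputation: drop every assignment tagged 'automatic', re-derive
    them from the current parentOrgRef, and keep 'manual' ones untouched.
    Handles points #2 and #3: moving the user or changing an inducement only
    requires running this again."""
    manual = [a for a in user["assignments"] if a["origin"] == "manual"]
    auto = [{"role": r, "origin": "automatic"}
            for r in sorted(automatic_assignments(user["parentOrgRef"], orgs))]
    return {**user, "assignments": manual + auto}
```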
On 14.06.2016 13:36, Aivo Kuhlberg wrote:
>
> Hi,
> I would like to create automatic role assignments for users based on
> the organization unit to which each user belongs. The mechanism should
> have the following functionality:
>
> 1. When a user is added to midPoint s/he will get automatic roles
> assigned based on the org unit where s/he belongs.
> 2. When a user moves to another organization unit then the automatic
> roles should be reassigned (old org unit automatic roles removed
> and new org unit automatic roles assigned).
> 3. When an existing automatic role is added/changed/deleted the change
> should be reflected in all users' automatic roles.
> 4. Automatic role assignments should be related with organization
> hierarchy - eg. top-level org automatic role A will be assigned to
> all users who belong to top-level and its child organizations.
> Child org automatic role B should be assigned to only child org users.
>
> Is it possible to implement this setup, or at least part of it, in
> midPoint 3.3.1 (or 3.4)? What is the suggested way to implement this?
>
>
> Thanks,
>
> Aivo Kuhlberg