[midPoint] Automatic role assignments

Pavol Mederly mederly at evolveum.com
Tue Jun 14 14:07:58 CEST 2016


To correct my own answer ... maybe there's yet another possibility:


Let's imagine you have an org O that should induce assigning role R on 
all users that are in O and all of its sub-orgs.


You could implement this by creating inducements of R on O with orders 
of 1, ..., N where N is the estimated maximum depth of the org tree. 
Something like this (for N = 4):


<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="6e0ad2bc-1d74-48bd-b7b3-793a33d70cce">
    <name>O</name>
    <displayName>...</displayName>

    <!-- order 1 (the default): applies to users assigned directly to O -->
    <inducement id="1">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
    </inducement>

    <!-- order 2: applies to users in direct sub-orgs of O -->
    <inducement id="2">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
        <order>2</order>
    </inducement>

    <!-- order 3: applies to users two levels below O -->
    <inducement id="3">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
        <order>3</order>
    </inducement>

    <!-- order 4: applies to users three levels below O (deeper users get nothing) -->
    <inducement id="4">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
        <order>4</order>
    </inducement>
</org>


If a user U has org O3 assigned, where O3 is a child of O2 (i.e. has an 
assignment of O2) and O2 is a child of O (i.e. has an assignment of 
O), U will have the following roles added:
- inducements of O3 defined with order=1 (the default)
- inducements of O2 defined with order=2
- inducements of O defined with order=3

I've verified that it basically works. Please note that the roles are 
not shown when the user is edited; but they are effectively present. They 
can be displayed by clicking the "Show all assignments" button when 
editing the user:



Best regards,
Pavol

On 14.06.2016 13:53, Pavol Mederly wrote:
>
> Hello Aivo,
>
>
> it's probably possible.
>
>
> If there were no point #4 (hierarchical aspect), your 
> configuration could be implemented by inducements defined at various 
> points in the org tree.
>
>
> But point #4 requires a more elaborate solution. I would suggest trying 
> something like this:
>
>
> - create a user template containing the following mapping:
>
>   - source: parentOrgRef
>
>   - target: assignment
>
>   - code: something like:
>
>     - take all parentOrgRefs
>
>     - iteratively compute a transitive closure, adding their parents, 
> grand-parents, etc, up to the root(s) of the hierarchy
>
>     - collect all inducements of these orgs, and use them as the 
> result of this mapping
>
>  (mapping should be declared as 'absolute', not 'relative' one)
>
>
> Actually I'm not convinced it will work, but ... it's worth a try, 
> maybe (giving it ~ 60% chance...)
>
>
> An inherent limitation of this solution is that it's not able to 
> distinguish which assignments are 'manual' and which are 'automatic'. 
> I.e. in case something goes really wrong, we are not able to run 
> something like 'total recomputation' which would delete all automatic 
> assignments that are no longer appropriate. This would need to be 
> hacked by running a bulk action that would first eliminate all 
> 'automatic' assignments from a given user, and then run a 
> recomputation to provide valid ones.
>
>
> Another caveat is the order of evaluation of these mappings and 
> existing assignments. This would need to be experimented with as well.
>
>
> And, as for #3, in both scenarios (hierarchical or non-hierarchical), 
> user recomputation would be needed.
>
>
> Maybe someone could propose a better solution...
>
>
> Best regards,
>
> Pavol
>
>
> On 14.06.2016 13:36, Aivo Kuhlberg wrote:
>>
>> Hi,
>> I would like to create automatic role assignments for users based on 
>> the organization unit to which each user belongs. The mechanism 
>> should have the following functionality:
>>
>>  1. When a user is added to midPoint s/he will get automatic roles
>>     assigned based on the org unit where s/he belongs.
>>  2. When a user moves to another organization unit then the automatic
>>     roles should be reassigned (old org unit automatic roles removed
>>     and new org unit automatic roles assigned).
>>  3. When an existing automatic role is added/changed/deleted, the change
>>     should be reflected in all users' automatic roles.
>>  4. Automatic role assignments should be related to the organization
>>     hierarchy - e.g. top-level org automatic role A will be assigned
>>     to all users who belong to the top-level and its child organizations.
>>     Child org automatic role B should be assigned only to child org
>>     users.
>>
>> Is it possible to implement this setup, or at least part of it, in 
>> midPoint 3.3.1 (or 3.4)? What is the suggested way to implement this?
>>
>>
>> Thanks,
>>
>> Aivo Kuhlberg
>>
>>
>> ------------------------------------------------------------------------
>> This e-mail may contain information classified for internal use.
>> This e-mail may contain information which is classified for official 
>> use.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>

[Screenshot attachment jjhjijaiodcceaik.png (image/png, 16754 bytes) not included in the archive text; available at https://lists.evolveum.com/pipermail/midpoint/attachments/20160614/d773c054/attachment.png]
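An added example (not from this thread and not midPoint code) that models the two approaches discussed above in Python, so the difference between them can be checked offline: the order-1..N inducements from the follow-up message, where an inducement applies when its order equals the org's depth in the user's assignment chain, and the user-template closure from the first reply, which collects the default inducements of every org in the transitive closure of parentOrgRef. The org graph (O, O2, O3 plus constructed O4, O5, P, P2), the role names S, Q and M, and the function names chains, roles_by_order, roles_by_closure and recompute are all assumptions of this model; only O, O2, O3, R and the N = 4 pattern come from the thread.

```python
# Constructed example, not midPoint code: a model of how the two approaches in
# this thread derive roles from the org hierarchy.

# Org graph: child -> set of parents. midPoint orgs may have several parents,
# so parents form a set. "O" and "P" are roots (constructed beyond O/O2/O3).
PARENTS = {
    "O": set(),
    "P": set(),
    "O2": {"O"},
    "O3": {"O2"},
    "O4": {"O3"},
    "O5": {"O4"},
    "P2": {"P"},
}

# Inducements per org as (role, order) pairs; order 1 is the default.
# "O" carries the N = 4 pattern from the follow-up message; "O2" reaches two
# levels; "P" has only a default inducement (roles S and Q are constructed).
INDUCEMENTS = {
    "O": [("R", 1), ("R", 2), ("R", 3), ("R", 4)],
    "O2": [("S", 1), ("S", 2)],
    "P": [("Q", 1)],
}

MAX_DEPTH = 16  # stops the walk if the org graph is accidentally cyclic


def chains(org, depth=1, path=()):
    """Yield (org, depth) for every org on every parent path starting at `org`.

    Depth 1 is the org the user is directly assigned to, depth 2 its parent,
    and so on. An org reachable by two paths is yielded once per path, which
    is how an assignment chain is evaluated path by path.
    """
    if depth > MAX_DEPTH or org in path:
        return
    yield org, depth
    for parent in sorted(PARENTS.get(org, ())):
        yield from chains(parent, depth + 1, path + (org,))


def roles_by_order(user_orgs):
    """Follow-up approach: an inducement applies when its order equals the
    depth of its org in the chain (order 1 at depth 1, order 2 at depth 2, ...).
    Users deeper than N levels below an org get nothing from it."""
    roles = set()
    for org in user_orgs:
        for o, depth in chains(org):
            for role, order in INDUCEMENTS.get(o, ()):
                if order == depth:
                    roles.add(role)
    return roles


def roles_by_closure(user_orgs):
    """First-reply approach: a user template collects the default (order 1)
    inducements of every org in the transitive closure of parentOrgRef, so
    depth does not matter and no order-N inducements are needed."""
    closure = {o for org in user_orgs for o, _ in chains(org)}
    return {role for o in closure
            for role, order in INDUCEMENTS.get(o, ()) if order == 1}


def recompute(user):
    """'Absolute' mapping semantics: the automatic set is replaced on every
    recompute. This model keeps manual and automatic roles in separate sets
    only to make the caveat visible: plain midPoint assignments carry no such
    marker, so a bulk action cannot tell which ones to drop."""
    user["automatic"] = roles_by_closure(user["orgs"])
    return user["manual"] | user["automatic"]


if __name__ == "__main__":
    for orgs in ({"O3"}, {"O5"}, {"P2"}):
        print(sorted(orgs), "by order:", sorted(roles_by_order(orgs)),
              "by closure:", sorted(roles_by_closure(orgs)))
```

Running it shows the practical difference: a user in O3 gets R and S under both approaches, but a user in the constructed O5 (five levels deep) gets nothing from the order-based scheme because O only defines orders 1..4, while the closure approach still yields R and S; conversely P's single default inducement reaches P2 only under the closure approach.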

