[midPoint] Role-Entitlement Assignment

Ivan Noris ivan.noris at evolveum.com
Wed Jun 29 17:06:55 CEST 2016


Hi Martin,

you can use associationTargetSearch in role:

. . .
    <inducement>
        <construction>
            <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
            <kind>account</kind>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <strength>strong</strength>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <q:path>attributes/ri:dn</q:path>
                                    <q:value>cn=group1,ou=foo,ou=bar,dc=example,dc=com</q:value>
                                </q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
...

The above example tries to construct an account (intent is not
specified, thus default) and associate it with an entitlement whose
"ri:dn" attribute equals "cn=group1,ou=foo,ou=bar,dc=example,dc=com".
This will search for the group on the resource.
The shadow will be created after the group is found. Further
associations will use the shadow instead of looking up (searching) on
the resource.

Regards,
Ivan

On 06/29/2016 04:56 PM, Martin Marchese wrote:
> Hi All!,
>
> I have a question on Role-Entitlement assignment:
>
> I have an Entitlement representing LDAP groups (it does not exist in
> midpoint, just in the resource, so it does not have a shadow).
>
> I found the following example:
> <assignment>
>     <construction>
>         <resourceRef oid="10000000-0000-0000-0000-000000000004" type="c:ResourceType"/>
>         <kind>account</kind>
>         <association>
>             <ref>ri:group</ref>
>             <outbound>
>                 <expression>
>                     <value>
>                         <shadowRef oid="20000000-0000-0000-3333-000000000001"/>
>                     </value>
>                 </expression>
>             </outbound>
>         </association>
>     </construction>
> </assignment>
>
> However, as I don't have the shadow created in MidPoint, I can't add
> the shadow OID for reference. Is there a way to achieve this without
> creating the object within MidPoint?
>
> Another question, as this assignment will probably be done by a non-tech
> customer, is there a way to do this assignment through the UI?
>
> Thanks in advance
>
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Anchorena 1357 PB
> Tel: +54 (11) 3526.5509
> mmarchese at identicum.com
> www.identicum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
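The following script is an added example and is not code from this thread or from the midPoint project. It parses a role definition of the shape Ivan posted, flags the two patterns the thread contrasts (a hardcoded shadowRef OID versus an associationTargetSearch), and models the behaviour he describes for onResourceIfNeeded: an existing shadow is reused, otherwise the group is searched on the resource once and the resulting shadow is cached for later evaluations. Assumptions: the midPoint 3.x namespace URIs (the list snippet omits the declarations), "normal" as the default mapping strength, and a deliberately simplified resolver that knows only the repository-first behaviour of onResourceIfNeeded; the role XML and the group inventory are constructed sample data.

```python
import xml.etree.ElementTree as ET

# midPoint 3.x namespace URIs (assumed; the mailing-list snippet omits the declarations).
NS = {
    "c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
    "q": "http://prism.evolveum.com/xml/ns/public/query-3",
    "ri": "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3",
}

# Constructed sample: the inducement from the reply wrapped in a minimal <role>.
ROLE_XML = f"""<role xmlns="{NS['c']}" xmlns:c="{NS['c']}" xmlns:q="{NS['q']}" xmlns:ri="{NS['ri']}">
  <name>ldap-group1</name>
  <inducement>
    <construction>
      <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
      <kind>account</kind>
      <association>
        <ref>ri:group</ref>
        <outbound>
          <strength>strong</strength>
          <expression>
            <associationTargetSearch>
              <filter>
                <q:equal>
                  <q:path>attributes/ri:dn</q:path>
                  <q:value>cn=group1,ou=foo,ou=bar,dc=example,dc=com</q:value>
                </q:equal>
              </filter>
              <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
          </expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
"""


def parse_associations(role_xml):
    """Extract every outbound association mapping of a role into a plain dict."""
    root = ET.fromstring(role_xml)
    found = []
    for assoc in root.iterfind(".//c:association", NS):
        outbound = assoc.find("c:outbound", NS)
        entry = {
            "ref": assoc.findtext("c:ref", default="", namespaces=NS),
            # "normal" is midPoint's default mapping strength (assumed here).
            "strength": outbound.findtext("c:strength", default="normal", namespaces=NS),
            "shadow_oid": None, "path": None, "value": None, "strategy": None,
        }
        shadow = outbound.find("c:expression/c:value/c:shadowRef", NS)
        if shadow is not None:
            entry["shadow_oid"] = shadow.get("oid")
        search = outbound.find("c:expression/c:associationTargetSearch", NS)
        if search is not None:
            entry["path"] = search.findtext("c:filter/q:equal/q:path", namespaces=NS)
            entry["value"] = search.findtext("c:filter/q:equal/q:value", namespaces=NS)
            entry["strategy"] = search.findtext("c:searchStrategy", namespaces=NS)
        found.append(entry)
    return found


def lint_association(entry):
    """Review findings for one association mapping; an empty list means clean."""
    findings = []
    if entry["shadow_oid"] is not None:
        findings.append("hardcoded shadowRef OID: the entitlement shadow must already exist "
                        "and the OID ties the role to one environment")
    if entry["path"] is not None and entry["strategy"] is None:
        findings.append("associationTargetSearch without searchStrategy: set onResourceIfNeeded "
                        "so a group with no shadow yet is looked up on the resource")
    if entry["strength"] != "strong":
        findings.append("mapping strength is '%s', not 'strong' as in the reference example"
                        % entry["strength"])
    return findings


class EntitlementResolver:
    """Simplified model (assumed, not midPoint's code) of resolving an association target."""

    def __init__(self, resource_dns, repository=None):
        self.resource_dns = set(resource_dns)       # groups that exist on the LDAP resource
        self.repository = dict(repository or {})    # dn -> shadow OID already known to midPoint
        self.resource_searches = 0                  # counts resource round-trips

    def resolve(self, entry):
        dn = entry["value"]
        if dn in self.repository:                   # shadow exists: reuse it, no resource search
            return self.repository[dn]
        if entry["strategy"] != "onResourceIfNeeded":   # model: anything else stays repository-only
            return None
        self.resource_searches += 1                 # search the group on the resource
        if dn not in self.resource_dns:
            return None
        oid = "shadow-%04d" % (len(self.repository) + 1)   # constructed placeholder OID
        self.repository[dn] = oid                   # the shadow now exists for later evaluations
        return oid


if __name__ == "__main__":
    for assoc in parse_associations(ROLE_XML):
        print(assoc["ref"], lint_association(assoc) or "OK")
        resolver = EntitlementResolver({"cn=group1,ou=foo,ou=bar,dc=example,dc=com"})
        print("first evaluation:", resolver.resolve(assoc), "searches:", resolver.resource_searches)
        print("second evaluation:", resolver.resolve(assoc), "searches:", resolver.resource_searches)
```

Run against Martin's original assignment (after adding namespace declarations) the linter reports the hardcoded shadowRef, which is exactly the configuration he could not fill in because the shadow did not exist yet; the resolver run shows why the search-based form avoids that dependency.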
