[midPoint] Role-Entitlement Assignment

Martin Marchese mmarchese at identicum.com
Wed Jun 29 20:23:20 CEST 2016


Thanks Ivan, I'll try this.

Is there a way to do this assignment from the MidPoint UI? The end user is
not technical, so it would be great if they could do this kind of assignment
from the UI.

Regards,

*Ing. Martín Marchese*
Identicum S.A.
Anchorena 1357 PB
Tel: +54 (11) 3526.5509
mmarchese at identicum.com
www.identicum.com

On Wed, Jun 29, 2016 at 12:06 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Martin,
>
> you can use associationTargetSearch in a role:
>
> ...
>     <inducement>
>         <construction>
>             <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
>             <kind>account</kind>
>             <association>
>                 <ref>ri:group</ref>
>                 <outbound>
>                     <strength>strong</strength>
>                     <expression>
>                         <associationTargetSearch>
>                             <filter>
>                                 <q:equal>
>                                     <q:path>attributes/ri:dn</q:path>
>                                     <q:value>cn=group1,ou=foo,ou=bar,dc=example,dc=com</q:value>
>                                 </q:equal>
>                             </filter>
>                             <searchStrategy>onResourceIfNeeded</searchStrategy>
>                         </associationTargetSearch>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>     </inducement>
> ...
>
> The above example tries to construct an account (intent is not specified,
> thus default) and associate it with an entitlement whose "ri:dn"
> attribute equals "cn=group1,ou=foo,ou=bar,dc=example,dc=com". This will
> search for the group on the resource.
> The shadow will be created after the group is found. Further associations
> will use the shadow instead of looking up (searching) on the resource.
>
> Regards,
> Ivan
>
>
> On 06/29/2016 04:56 PM, Martin Marchese wrote:
>
> Hi all,
>
> I have a question on Role-Entitlement assignment:
>
> I have an Entitlement representing LDAP groups (it does not exist in
> midpoint, just in the resource, so it does not have a shadow).
>
> I found the following example:
> <assignment>
>     <construction>
>         <resourceRef oid="10000000-0000-0000-0000-000000000004" type="c:ResourceType"/>
>         <kind>account</kind>
>         <association>
>             <ref>ri:group</ref>
>             <outbound>
>                 <expression>
>                     <value>
>                         <shadowRef oid="20000000-0000-0000-3333-000000000001"/>
>                     </value>
>                 </expression>
>             </outbound>
>         </association>
>     </construction>
> </assignment>
>
> However, as I don't have the shadow created in MidPoint, I can't add the
> shadow OID for reference. Is there a way to achieve this without creating
> the object within MidPoint?
>
> Another question: as this assignment will probably be done by a non-technical
> customer, is there a way to do this assignment through the UI?
>
> Thanks in advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Anchorena 1357 PB
> Tel: +54 (11) 3526.5509
> mmarchese at identicum.com
> www.identicum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
>   Ing. Ivan Noris
>   Senior Identity Management Engineer & IDM Architect
>   evolveum.com                     evolveum.com/blog/
>   ___________________________________________________
>   "Semper ID(e)M Vix."
>
>
>
>
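As an added example (not from this thread or from midPoint itself): a Python audit helper that parses a role's inducements and reports, for each group association, whether the target is a fixed shadowRef as in Martin's original snippet or a DN resolved on the resource through associationTargetSearch as in Ivan's reply, and whether that DN stays under a base the role author is allowed to target. The namespace URIs and the sample role are constructed for the example; the element structure and values are the ones quoted above.

```python
import xml.etree.ElementTree as ET

# Namespace URIs assumed for midPoint 3.x; needed only so the q:/ri:/c: prefixes
# in the constructed sample parse. Unprefixed elements stay namespace-less here.
NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3",
      "q": "http://prism.evolveum.com/xml/ns/public/query-3",
      "ri": "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"}

# Constructed sample role: Ivan's inducement (group found by searching ri:dn)
# beside one in Martin's original style (group bound by a fixed shadow OID).
ROLE_XML = """<role xmlns:c="{c}" xmlns:q="{q}" xmlns:ri="{ri}">
 <inducement><construction>
  <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
  <kind>account</kind><association><ref>ri:group</ref><outbound>
   <strength>strong</strength><expression><associationTargetSearch>
    <filter><q:equal><q:path>attributes/ri:dn</q:path>
     <q:value>cn=group1,ou=foo,ou=bar,dc=example,dc=com</q:value></q:equal></filter>
    <searchStrategy>onResourceIfNeeded</searchStrategy>
   </associationTargetSearch></expression></outbound></association>
 </construction></inducement>
 <inducement><construction>
  <resourceRef oid="10000000-0000-0000-0000-000000000004" type="c:ResourceType"/>
  <kind>account</kind><association><ref>ri:group</ref><outbound><expression>
   <value><shadowRef oid="20000000-0000-0000-3333-000000000001"/></value>
  </expression></outbound></association></construction></inducement>
</role>""".format(**NS)

def entitlement_bindings(role_xml, allowed_base):
    """One record per group association: 'shadowRef' needs a shadow that already
    exists in midPoint; 'search' resolves the group on the resource from a DN in
    the role, so that DN is checked against allowed_base (None = not decidable)."""
    result = []
    for constr in ET.fromstring(role_xml).iter("construction"):
        base = {"resource": constr.find("resourceRef").get("oid"),
                "kind": constr.findtext("kind"),
                "intent": constr.findtext("intent") or "default"}  # default if absent
        for assoc in constr.iter("association"):
            rec = dict(base, ref=assoc.findtext("ref"))
            expr = assoc.find("outbound/expression")
            search = expr.find("associationTargetSearch")
            if search is not None:
                dn = search.findtext("filter/q:equal/q:value", namespaces=NS)
                rec.update(mode="search", target=dn,
                           strategy=search.findtext("searchStrategy"),
                           in_allowed_base=dn.lower().endswith("," + allowed_base.lower()))
            else:
                rec.update(mode="shadowRef", strategy=None, in_allowed_base=None,
                           target=expr.find("value/shadowRef").get("oid"))
            result.append(rec)
    return result
```

The suffix comparison is a plain string match; DNs with varying spacing or escaping would need normalising before being compared against the allowed base.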