[midPoint] Role-Entitlement Assignment

Ivan Noris ivan.noris at evolveum.com
Wed Jun 29 22:04:09 CEST 2016


Hi Martin,

if you create the role, it can be assigned as a role assignment, so all
the end user needs to know is the name of the role. The role may just
construct the account, set attribute values (similar/additional to the
schemaHandling mappings) and associate the account with entitlements.
That's all encapsulated in the role.

But the role with the association must be defined and imported from an
XML file - at least for now.

Regards,
Ivan

On 06/29/2016 08:23 PM, Martin Marchese wrote:
> Thanks Ivan, I'll try this.
>
> Is there a way to do this assignment from the MidPoint UI? The
> end-user is not tech, so it will be great if they can do this kind of
> assignment from the UI.
>
> Regards,
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Anchorena 1357 PB
> Tel: +54 (11) 3526.5509
> mmarchese at identicum.com
> www.identicum.com
>
> On Wed, Jun 29, 2016 at 12:06 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>     Hi Martin,
>
>     you can use associationTargetSearch in role:
>
>     . . .
>         <inducement>
>             <construction>
>                 <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
>                 <kind>account</kind>
>                 <association>
>                     <ref>ri:group</ref>
>                     <outbound>
>                         <strength>strong</strength>
>                         <expression>
>                             <associationTargetSearch>
>                                 <filter>
>                                     <q:equal>
>                                         <q:path>attributes/ri:dn</q:path>
>                                         <q:value>cn=group1,ou=foo,ou=bar,dc=example,dc=com</q:value>
>                                     </q:equal>
>                                 </filter>
>                                 <searchStrategy>onResourceIfNeeded</searchStrategy>
>                             </associationTargetSearch>
>                         </expression>
>                     </outbound>
>                 </association>
>             </construction>
>         </inducement>
>     ...
>
>     The above example tries to construct an account (intent is not
>     specified, thus default) and associate it with an entitlement whose
>     "ri:dn" attribute equals
>     "cn=group1,ou=foo,ou=bar,dc=example,dc=com". This will search for the
>     group on the resource.
>     The shadow will be created after the group is found. Further
>     associations will use the shadow instead of looking up (searching)
>     on the resource.
>
>     Regards,
>     Ivan
>
>
>     On 06/29/2016 04:56 PM, Martin Marchese wrote:
>>     Hi All!,
>>
>>     I have a question on Role-Entitlement assignment:
>>
>>     I have an Entitlement representing LDAP groups (it does not exist
>>     in midpoint, just in the resource, so it does not have a shadow).
>>
>>     I found the following example:
>>     <assignment>
>>         <construction>
>>             <resourceRef oid="10000000-0000-0000-0000-000000000004" type="c:ResourceType"/>
>>             <kind>account</kind>
>>             <association>
>>                 <ref>ri:group</ref>
>>                 <outbound>
>>                     <expression>
>>                         <value>
>>                             <shadowRef oid="20000000-0000-0000-3333-000000000001"/>
>>                         </value>
>>                     </expression>
>>                 </outbound>
>>             </association>
>>         </construction>
>>     </assignment>
>>
>>     However, as I don't have the shadow created in MidPoint, I can't
>>     add the shadow OID for reference. Is there a way to achieve this
>>     without creating the object within MidPoint?
>>
>>     Another question, as this assignment will probably be done by a
>>     non-tech customer, is there a way to do this assignment thru the UI?
>>
>>     Thanks in advance
>>
>>
>>     *Ing. Martín Marchese*
>>     Identicum S.A.
>>     Anchorena 1357 PB
>>     Tel: +54 (11) 3526.5509
>>     mmarchese at identicum.com
>>     www.identicum.com
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."

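The inducement Ivan quotes is only a fragment (". . ."). Below is a complete role object in the shape that can be imported from an XML file, built around that same inducement. This is an added example, not code from the thread or from the midPoint project: the role OID, the resource OID, the group DN and the role name are placeholders, and the `ri:group` association and the `ri:dn` attribute are assumed to be defined in the resource's schemaHandling exactly as the thread's snippet already assumes. The `intent` is given explicitly here instead of relying on the default, so that a reviewer can see which account type the role provisions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example role, not from the mailing-list thread.
     All OIDs, names and the group DN are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="11111111-2222-3333-4444-555555555555">

    <!-- The only thing the end user sees when assigning the role. -->
    <name>LDAP group1 member</name>
    <description>
        Creates an account on the LDAP resource (placeholder OID below) and
        makes it a member of cn=group1,ou=foo,ou=bar,dc=example,dc=com.
        The group is looked up on the resource; no shadow OID is hard-coded.
    </description>

    <!-- inducement: applied to the user who holds the role,
         not to the role object itself -->
    <inducement>
        <construction>
            <!-- placeholder resource OID: replace with the LDAP resource -->
            <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
            <kind>account</kind>
            <!-- stated explicitly; omitting it selects the default intent -->
            <intent>default</intent>

            <!-- "ri:group" must be an association declared in the
                 resource's schemaHandling for the account object class -->
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <!-- strong: the membership is always enforced on
                         recompute, not only on initial provisioning -->
                    <strength>strong</strength>
                    <expression>
                        <associationTargetSearch>
                            <!-- search the entitlement by its DN attribute -->
                            <filter>
                                <q:equal>
                                    <q:path>attributes/ri:dn</q:path>
                                    <q:value>cn=group1,ou=foo,ou=bar,dc=example,dc=com</q:value>
                                </q:equal>
                            </filter>
                            <!-- look in the repository first; go to the
                                 resource only if no shadow exists yet -->
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
</role>
```

Once imported, the role appears in the UI under its `name` and can be assigned to a user there; the first assignment triggers the resource search and creates the group's shadow, and later assignments reuse that shadow, as Ivan describes above. If the group DN in the filter does not match an existing entry, the association cannot be resolved, so check the DN (and that `ri:dn` is the attribute the resource actually exposes) before importing.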