[midPoint] Dynamic Role Assignment

Дорофеев Илья i.dorofeev at solarsecurity.ru
Thu Mar 17 11:12:39 CET 2016


Sorry, I didn’t catch what exactly would be feasible. Hundreds of mappings in an object template, or mappings in roles? In the latter case, is there going to be a mapping inside a role or anything else? What about dynamic assignment target search based on attribute value in object templates? However, there will be a problem: how do we determine when an object (user) fulfils a condition and when he doesn’t?

Ilya Dorofeev

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Radovan Semancik
Sent: Thursday, March 17, 2016 11:34 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Dynamic Role Assignment

That's right.

Our conclusion is that this would be feasible. There is probably a very slight performance hit, but it is more than justified by the benefits in manageability and flexibility. I like this idea.

However, the part of the midPoint roadmap that Evolveum is sponsoring is currently full. Therefore the only practical way to get this feature in the near future is to sponsor it or develop it yourself.



--

Radovan Semancik

Software Architect

evolveum.com



On 03/16/2016 05:37 PM, Ivan Noris wrote:
I have not found the issue in JIRA, but I remember we were discussing it at the start of December 2015.
Anyway I've created https://jira.evolveum.com/browse/MID-2840 to track the feature.

To increase the priority of the implementation, the usual options are: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature

Best regards,
Ivan

On 03/16/2016 04:19 PM, Дорофеев Илья wrote:
Hi Ivan,

What if I have plenty of employee types (say, 100) in my trusted identity source? Do I have to create a hundred mappings in the object template in order to assign a corresponding role for each employeeType? I anticipate the performance of clockwork will suffer in such a case.

__________________________

Ilya Dorofeev

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Saturday, March 12, 2016 8:31 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Dynamic Role Assignment

Hi Gauri,

this is easily possible using Object Templates.

Please refer to one of our samples, for example:
https://github.com/Evolveum/midpoint/blob/master/samples/objects/user-template-complex.xml

    <!-- RB-RBAC functionality. The Pirate role is automatically assigned based on the value of employeeType property -->
    <mapping>
        <source>
            <path>employeeType</path>
        </source>
        <expression>
            <value>
                <assignment>
                    <targetRef oid="12345678-d34d-b33f-f00d-987987987988" type="RoleType"/>
                </assignment>
            </value>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <condition>
            <script>
                <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
                <code>employeeType == 'PIRATE'</code>
            </script>
        </condition>
    </mapping>

Regards,
Ivan
________________________________
From: "GAURI SHIRSATH" <gauri15.shirsath at gmail.com>
To: midpoint at lists.evolveum.com
Sent: Saturday, March 12, 2016 8:14:01 AM
Subject: [midPoint] Dynamic Role Assignment

Hi,

Can you please guide me on how to assign a role to a user dynamically based on some attribute value?

Like, if my data is coming in to midpoint from a CSV file and I want to assign a user role based on some attribute value.


Thank you,
Gauri

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint


--
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."






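An added example, not part of the thread and not midPoint code: a short Python audit of an object template that lists every mapping targeting `assignment`, the role OID it grants and the condition that gates it, which is the review a template holding the hundred mappings discussed above would need. The template text is constructed from Ivan's sample; the second mapping, its placeholder OID and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's PIRATE mapping plus one whose <condition>
# was left out. The second OID is a placeholder, not a real midPoint object.
TEMPLATE = """<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
 <mapping>
  <source><path>employeeType</path></source>
  <expression><value><assignment>
   <targetRef oid="12345678-d34d-b33f-f00d-987987987988" type="RoleType"/>
  </assignment></value></expression>
  <target><path>assignment</path></target>
  <condition><script><code>employeeType == 'PIRATE'</code></script></condition>
 </mapping>
 <mapping>
  <source><path>employeeType</path></source>
  <expression><value><assignment>
   <targetRef oid="00000000-0000-0000-0000-000000000000" type="RoleType"/>
  </assignment></value></expression>
  <target><path>assignment</path></target>
 </mapping>
</objectTemplate>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any namespace prefix

def find(elem, *names):
    """Walk a chain of child local-names; return the element or None."""
    for name in names:
        elem = next((c for c in elem if local(c.tag) == name), None)
        if elem is None:
            return None
    return elem

def text(elem):
    return elem.text.strip() if elem is not None and elem.text else None

def audit_template(xml_text):
    """Report each mapping that targets 'assignment' and what gates it."""
    findings = []
    for m in ET.fromstring(xml_text).iter():
        if local(m.tag) != "mapping" or text(find(m, "target", "path")) != "assignment":
            continue
        ref = find(m, "expression", "value", "assignment", "targetRef")
        cond = text(find(m, "condition", "script", "code"))
        findings.append({
            "source": text(find(m, "source", "path")),
            "role_oid": ref.get("oid") if ref is not None else None,
            "condition": cond,
            "unconditional": cond is None,  # no condition gates this role
        })
    return findings
```

Calling `audit_template(TEMPLATE)` returns one entry per mapping; entries with `unconditional` set are the ones to review first.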