[midPoint] Dynamic Role Assignment
Дорофеев Илья
i.dorofeev at solarsecurity.ru
Thu Mar 17 11:12:39 CET 2016
Sorry, I didn’t catch what exactly would be feasible? Hundreds of mappings in object template or mappings in roles? In the latter case is there going to be a mapping inside a role or anything else? What about dynamic assignment target search based on attribute value in object templates? However, there will be a problem: how do we determine when an object (user) fulfils a condition and when he doesn’t.
Ilya Dorofeev
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Radovan Semancik
Sent: Thursday, March 17, 2016 11:34 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Dynamic Role Assignment
That's right.
Our conclusion is that this would be feasible. There is probably a very slight performance hit, but it is more than justified by the benefits in manageability and flexibility. I like this idea.
However, the part of the midPoint roadmap that Evolveum is sponsoring is currently full. Therefore the only practical way to get this feature in the near future is to sponsor it or develop it yourself.
--
Radovan Semancik
Software Architect
evolveum.com
On 03/16/2016 05:37 PM, Ivan Noris wrote:
I have not found the issue in JIRA, but I remember we were discussing it at the start of December 2015.
Anyway I've created https://jira.evolveum.com/browse/MID-2840 to track the feature.
To increase the priority of the implementation, the usual options are: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
Best regards,
Ivan
On 03/16/2016 04:19 PM, Дорофеев Илья wrote:
Hi Ivan,
What if I have plenty of employee types (say, 100) in my trusted identity source? Do I have to create a hundred mappings in the object template in order to assign a corresponding role for each employeeType? I anticipate the performance of clockwork will suffer in such a case.
__________________________
Ilya Dorofeev
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
Sent: Saturday, March 12, 2016 8:31 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Dynamic Role Assignment
Hi Gauri,
this is easily possible using Object Templates.
Please refer to one of our samples for example:
https://github.com/Evolveum/midpoint/blob/master/samples/objects/user-template-complex.xml
<!-- RB-RBAC functionality. The Pirate role is automatically assigned based on the value of employeeType property -->
<mapping>
    <source>
        <path>employeeType</path>
    </source>
    <expression>
        <value>
            <assignment>
                <targetRef oid="12345678-d34d-b33f-f00d-987987987988" type="RoleType"/>
            </assignment>
        </value>
    </expression>
    <target>
        <path>assignment</path>
    </target>
    <condition>
        <script>
            <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
            <code>employeeType == 'PIRATE'</code>
        </script>
    </condition>
</mapping>
Regards,
Ivan
________________________________
From: "GAURI SHIRSATH" <gauri15.shirsath at gmail.com>
To: midpoint at lists.evolveum.com
Sent: Saturday, March 12, 2016 8:14:01 AM
Subject: [midPoint] Dynamic Role Assignment
Hi,
Can you please guide me for how to assign a role to user dynamically based on some attribute value?
Like, if my data is coming in to midpoint from CSV file and I want to assign a user role based on some attribute value.
Thank you,
Gauri
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."