[midPoint] Dynamic Role Assignment

Radovan Semancik radovan.semancik at evolveum.com
Thu Mar 17 11:23:33 CET 2016


Mappings in roles. Kind of. I'm not sure if there would be a full mapping 
in a role or rather just a simple condition. Probably just a condition. 
But the important thing is that it does not make much difference from the 
implementation perspective whether there are thousands of mappings in the 
object template or there are mappings/conditions distributed in roles. 
But I understand that putting that into roles makes a big improvement in 
flexibility and usability.

My preliminary idea is like this: put a mapping or condition into roles. 
Then the code that now evaluates the object template can simply search for 
all the roles with assignment conditions, compile a list of all the 
conditions and evaluate them. We will not need assignmentTargetSearch in 
that case, because each role knows about itself. So in case there is 
only a condition in the role, midPoint can automatically construct the 
assignment with the proper targetRef. It does not need to be determined by 
assignmentTargetSearch.

The problem is assignment parameters. But firstly, we can leave that 
for later. And secondly, there may be additional mappings for them. The 
critical part is to evaluate all the conditions efficiently (because 
there may be thousands of them). Once we have the assignment targets, we 
can afford to evaluate more mappings/expressions, because there will be 
only a handful of roles left to evaluate.

-- 
Radovan Semancik
Software Architect
evolveum.com



On 03/17/2016 11:12 AM, Дорофеев Илья wrote:
>
> Sorry, I didn’t catch what exactly would be feasible? Hundreds of 
> mappings in object template or mappings in roles? In the latter case 
> is there going to be a mapping inside a role or anything else? What 
> about dynamic assignment target search based on attribute value in 
> object templates? However, there will be a problem: how do we 
> determine when an object (user) fulfils a condition and when he doesn’t.
>
> Ilya Dorofeev
>
> From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Radovan Semancik
> Sent: Thursday, March 17, 2016 11:34 AM
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Dynamic Role Assignment
>
> That's right.
>
> Our conclusion is that this would be feasible. There is probably a very 
> slight performance hit, but it is more than justified by the benefits 
> in manageability and flexibility. I like this idea.
>
> However, the part of the midPoint roadmap that Evolveum is sponsoring is 
> currently full. Therefore the only practical way to get this 
> feature in the near future is to sponsor it or develop it yourself.
>
>
> -- 
> Radovan Semancik
> Software Architect
> evolveum.com
>
>
>
>
> On 03/16/2016 05:37 PM, Ivan Noris wrote:
>
>     I have not found the issue in JIRA, but I remember we were
>     discussing it at the start of December 2015.
>     Anyway I've created https://jira.evolveum.com/browse/MID-2840 to
>     track the feature.
>
>     To increase the priority of the implementation, the usual options
>     are: https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature
>
>
>     Best regards,
>     Ivan
>
>     On 03/16/2016 04:19 PM, Дорофеев Илья wrote:
>
>         Hi Ivan,
>
>         What if I have plenty of employee types (say, 100) in my
>         trusted identity source? Do I have to create a hundred
>         mappings in the object template in order to assign a corresponding
>         role for each employeeType? I anticipate the performance of
>         the clockwork will suffer in such a case.
>
>         __________________________
>
>         Ilya Dorofeev
>
>         From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Ivan Noris
>         Sent: Saturday, March 12, 2016 8:31 PM
>         To: midPoint General Discussion <midpoint at lists.evolveum.com>
>         Subject: Re: [midPoint] Dynamic Role Assignment
>
>         Hi Gauri,
>
>         this is easily possible using Object Templates.
>
>         Please refer to one of our samples, for example:
>
>         https://github.com/Evolveum/midpoint/blob/master/samples/objects/user-template-complex.xml
>
>         <!-- RB-RBAC functionality. The Pirate role is automatically
>              assigned based on the value of the employeeType property -->
>         <mapping>
>             <source>
>                 <path>employeeType</path>
>             </source>
>             <expression>
>                 <value>
>                     <assignment>
>                         <targetRef oid="12345678-d34d-b33f-f00d-987987987988"
>                                    type="RoleType"/>
>                     </assignment>
>                 </value>
>             </expression>
>             <target>
>                 <path>assignment</path>
>             </target>
>             <condition>
>                 <script>
>                     <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>                     <code>employeeType == 'PIRATE'</code>
>                 </script>
>             </condition>
>         </mapping>
>
>         Regards,
>
>         Ivan
>
>         ------------------------------------------------------------------------
>
>             From: "GAURI SHIRSATH" <gauri15.shirsath at gmail.com>
>             To: midpoint at lists.evolveum.com
>             Sent: Saturday, March 12, 2016 8:14:01 AM
>             Subject: [midPoint] Dynamic Role Assignment
>
>             Hi,
>
>             Can you please guide me on how to assign a role to a user
>             dynamically based on some attribute value?
>
>             Like, if my data is coming into midPoint from a CSV file
>             and I want to assign a user a role based on some attribute
>             value.
>
>             Thank you,
>
>             Gauri
>
>
>             _______________________________________________
>             midPoint mailing list
>             midPoint at lists.evolveum.com
>             <mailto:midPoint at lists.evolveum.com>
>             http://lists.evolveum.com/mailman/listinfo/midpoint
>
>         -- 
>
>           Ing. Ivan Noris
>           Senior Identity Management Engineer & IDM Architect
>           evolveum.com                     evolveum.com/blog/
>           ___________________________________________________
>           "Semper ID(e)M Vix."
>
>
>
>
>
>
>
>
>     -- 
>        Ing. Ivan Noris
>        Senior Identity Management Engineer & IDM Architect
>        evolveum.com                     evolveum.com/blog/
>        ___________________________________________________
>        "Semper ID(e)M Vix."
>
>
>
>
>
>
>
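The evaluation scheme Radovan sketches above (collect every role that carries an assignment condition, evaluate all the conditions, and build the assignment with the role's own targetRef without assignmentTargetSearch) and Ilya's question about deciding when a user stops fulfilling a condition, worked through as an added example. This is editor-supplied Python, not midPoint code and not the project's design: role conditions are modelled as plain Python callables, every OID except the Pirate OID from the sample template is constructed, and the split between automatically created and manually created assignments is an assumption of the example. It covers the "hundred employee types" case from the thread as well as a two-property condition and a condition that errors out.

```python
"""Added example: condition-driven role assignment, simulated outside midPoint.

Each role carries a boolean condition over the user's properties (an
assumption of this example). The engine evaluates every condition, turns
each satisfied one into an assignment whose targetRef is the role's own OID,
and diffs the result against the assignments the user already holds, so a
role is added when its condition starts to hold and removed when it stops
holding. Manually created assignments are never touched by this step.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

User = Dict[str, str]


@dataclass(frozen=True)
class Role:
    oid: str
    name: str
    condition: Callable[[User], bool]  # the "assignment condition" living in the role


@dataclass(frozen=True)
class Assignment:
    target_oid: str
    origin: str  # "auto" = created from a role condition, "manual" = set by an admin


def evaluate_conditions(roles: Iterable[Role], user: User) -> Set[str]:
    """OIDs of all roles whose condition holds for this user.

    Conditions are cheap single-property checks, so evaluating thousands of
    them per user is affordable. A condition that raises is treated as not
    satisfied: a broken condition script must fail closed, never grant a role.
    """
    wanted: Set[str] = set()
    for role in roles:
        try:
            holds = bool(role.condition(user))
        except Exception:
            holds = False
        if holds:
            wanted.add(role.oid)
    return wanted


def reconcile(roles: Iterable[Role], user: User,
              current: List[Assignment]) -> Tuple[List[Assignment], Set[str], Set[str]]:
    """Recompute automatic assignments; return (new list, added OIDs, removed OIDs)."""
    wanted = evaluate_conditions(roles, user)
    auto_now = {a.target_oid for a in current if a.origin == "auto"}
    manual = [a for a in current if a.origin == "manual"]
    to_add = wanted - auto_now
    to_remove = auto_now - wanted
    rebuilt = manual + [Assignment(oid, "auto") for oid in sorted(wanted)]
    return rebuilt, to_add, to_remove


def employee_type_roles(types: Iterable[str]) -> List[Role]:
    """One role per employee type (the 'hundred employee types' case).

    OIDs are constructed for the example. The default argument t=t binds the
    type into each closure; without it every lambda would see the last type.
    """
    return [
        Role(oid=f"00000000-0000-0000-0000-{i:012d}",
             name=f"role-{t.lower()}",
             condition=lambda u, t=t: u.get("employeeType") == t)
        for i, t in enumerate(types, start=1)
    ]


PIRATE_OID = "12345678-d34d-b33f-f00d-987987987988"      # OID from the sample template
CONTRACTOR_OID = "00000000-0000-0000-0000-000000000999"  # constructed

ROLES: List[Role] = employee_type_roles(f"TYPE{i:03d}" for i in range(1, 101)) + [
    Role(PIRATE_OID, "Pirate", lambda u: u.get("employeeType") == "PIRATE"),
    # Two-property condition; u["employeeType"] raises KeyError when the
    # property is missing, which evaluate_conditions treats as False.
    Role(CONTRACTOR_OID, "Contractor",
         lambda u: u["employeeType"] == "CONTRACTOR" and bool(u.get("manager"))),
]


if __name__ == "__main__":
    jack: User = {"name": "jack", "employeeType": "PIRATE"}  # constructed user
    assignments, added, removed = reconcile(ROLES, jack, [])
    print("joined as PIRATE:   +", sorted(added), "-", sorted(removed))
    jack["employeeType"] = "TYPE042"
    assignments, added, removed = reconcile(ROLES, jack, assignments)
    print("changed to TYPE042: +", sorted(added), "-", sorted(removed))
```

Running the module shows the Pirate role being granted on the first pass and revoked on the second, when the employeeType changes and the TYPE042 role's condition takes over; a manual assignment of the same role would survive both passes because reconcile only rebuilds the "auto" entries.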

