[midPoint] check if an active directory account has a specific Group assigned

Ivan Noris ivan.noris at evolveum.com
Fri May 13 14:57:58 CEST 2016


Hi,

recently my colleague wrote a post here with subject: [midPoint] AD
membership to midPoint role assignment

(http://lists.evolveum.com/pipermail/midpoint/2016-April/001796.html)

There is a way, roughly:

1) you need to create the roles in midPoint manually or import them
somehow from AD - thus synchronize (some) AD groups into midPoint roles
2) you need to synchronize users from AD to midPoint, and copy the list
of their AD groups to some extension attribute. Probably you would
filter the groups if you know how to distinguish them, to store only the
relevant ones in the extension attribute
3) object template in midPoint will assign the roles based on that user
extension attribute

Please see the email referenced above and the samples for SAP connector
referenced there.

This can also be enhanced in future midPoint releases. FYI:
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature

Best regards,
Ivan

On 05/13/2016 01:12 PM, Rijndaal Ramiji wrote:
>
> I need to assign some roles to all the users having specific groups
> in AD.
>
> for example, every user that has the group “HISOrgUnit_DIR” assigned
> has to have the role “OUADMIN” assigned.
>
> The main problem is that my AD account has many roles, sometimes over 10…
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer & IDM Architect
  evolveum.com                     evolveum.com/blog/
  ___________________________________________________
  "Semper ID(e)M Vix."
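As an added sketch of steps 2 and 3 from Ivan's reply (not configuration from the post, nor from the midPoint samples it points to), here are the two mappings involved. The extension item extension/adGroup, the resource attribute ri:memberOf, the "OU=Groups" filter and the convention that the midPoint role carries the same name as the AD group are all assumptions made for this example; the q: prefix is the standard prism query namespace declared on the enclosing document.

```xml
<!-- Step 2, in the AD resource's schemaHandling: copy the relevant AD groups
     into a multivalued user extension item. Names and DN pattern are assumed. -->
<attribute>
  <ref>ri:memberOf</ref>
  <inbound>
    <strength>strong</strength>
    <expression>
      <script>
        <code>
          // input is one group DN, e.g. CN=HISOrgUnit_DIR,OU=Groups,DC=example,DC=com
          // Keep only groups under the assumed OU; returning null drops the value.
          if (input == null || !input.toLowerCase().contains(',ou=groups,')) return null
          // Store the short name (the CN) rather than the whole DN.
          return input.substring(3, input.indexOf(','))
        </code>
      </script>
    </expression>
    <target>
      <path>extension/adGroup</path>
    </target>
  </inbound>
</attribute>

<!-- Step 3, in the user object template: for each stored group name, look up
     the midPoint role created in step 1 and turn it into an assignment. -->
<mapping>
  <name>ad-group-to-role</name>
  <strength>strong</strength>
  <authoritative>true</authoritative>
  <source>
    <path>extension/adGroup</path>
  </source>
  <expression>
    <assignmentTargetSearch>
      <targetType>RoleType</targetType>
      <filter>
        <q:equal>
          <q:path>name</q:path>
          <expression>
            <script>
              <!-- assumed convention: the role is named after the AD group -->
              <code>return input</code>
            </script>
          </expression>
        </q:equal>
      </filter>
    </assignmentTargetSearch>
  </expression>
  <target>
    <path>assignment</path>
  </target>
</mapping>
```

The OU filter in step 2 is what keeps the name-based lookup in step 3 safe: without it, any AD group whose name happens to match a midPoint role would grant that role. Role names should therefore be reviewed against the set of groups that can pass the filter.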
