[midPoint] How to treat roles and groups in a different way
Patrick Brunmayr
p.brunmayr at linzag.at
Tue Oct 11 13:36:51 CEST 2016
Hi
So basically I was using the wrong term with AD. I meant a basic directory service like LDAP. It's not Microsoft specific!
- We have groups in our LDAP under a dn like ou=Groups,dc=example,dc=com. Each user references them via memberOf. This is quite standard :=)
- On the other hand we have an external RBAC system (Apache Fortress) which stores the role information in a multivalued attribute ftRA on the user entry.
In midPoint I can only see the term "Roles", which in many examples is used to build the group information in LDAP, like here:
https://evolveum.com/blog/simplifying-ldap-group-management-using-midpoint/
But for me that's not the case. A role is not a group!
So
- How can I use midPoint to assign groups (retrieved from LDAP) but not using midPoint roles?
- How can I use midPoint to assign roles in a special way? My problem is that Apache Fortress stores the role information in a special way which cannot be done with a simple LDAP query. So whenever a role is assigned or removed, I would need to call a REST service to apply the changes via Apache Fortress.
Thank you
On 11.10.2016 at 13:03, Ivan Noris wrote:
Hi Patrick,
until now I was working only with AD groups. Could you please explain what you mean with "AD roles"? (If this is something related to MS documentation, a link to the doc would help.)
Thanks,
Ivan
On 10/11/2016 12:13 PM, Patrick Brunmayr wrote:
Hello
How does midPoint differ between roles and groups? In our AD system we have a group membership to mimic what kind of resource (apps) a user has access to. On the other hand we have roles which describe what the user is capable of doing in the application.
How can I do this with midPoint?
Thx
LINZ AG für Energie, Telekommunikation, Verkehr und Kommunale Dienste
A-4021 Linz, Wiener Straße 151, Postfach 1300, Tel. +43/732/3400-0,
E-Mail: info at linzag.at
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
--
Patrick Brunmayr
LINZ AG TELEKOM
Infrastruktur & Netzwerktechnik
Internet Services
LINZ AG TELEKOM is a business unit of LINZ STROM GmbH für Energieerzeugung, -handel, -dienstleistungen und Telekommunikation.
4021 Linz, Wiener Straße 151, Austria
Tel.: +43(0)732/3400-5639
Fax: +43(0)732/3400-155639
E-Mail: p.brunmayr at linzag.at
Internet: www.linzag-telekom.at
FN 199533 g, Regional Court of Linz
Certified according to:
EN ISO 9001 Quality Management (QM)
OHSAS 18001 Occupational Health and Safety Management System
ISO/IEC 27001 Information Security Management System (ISMS)