[midPoint] How to treat roles and groups in a different way

Ivan Noris ivan.noris at evolveum.com
Tue Oct 11 17:01:11 CEST 2016


Hi Patrick,

from what I see now:

- role in midPoint can do anything, including putting accounts to
groups, or setting attributes for accounts

- in your case, I think two resources would be required: LDAP resource
and Apache Fortress (REST) resource

- roles can be configured to set either LDAP groups (as in our numerous
samples) or any attributes required by Apache Fortress or both

- one role can provision accounts in LDAP, Apache Fortress or both. It's
actually an abstraction above the groups or whatever an application uses
for similar purposes

Regards,

Ivan


On 10/11/2016 01:36 PM, Patrick Brunmayr wrote:
>
> Hi
>
> So basically I was using the wrong term with AD. I meant a basic
> directory service like LDAP. It's not Microsoft specific!
>
> - We have groups in our LDAP under a dn like
> ou=Groups,dc=example,dc=com. Each user references them via memberOf.
> This is quite standard :=)
>
> - On the other hand we have an external RBAC system (Apache Fortress)
> which stores the role information in a multivalued
> attribute ftRA on the user entry.
>
> In midPoint I can only see the term "Roles", which in many examples is
> used to build the group information in LDAP, like here
>
> https://evolveum.com/blog/simplifying-ldap-group-management-using-midpoint
>
> But for me that's not the case. A role is not a group!
>
> So
>
> - How can I use midPoint to assign groups (retrieved from LDAP) but
> not using midPoint roles?
>
> - How can I use midPoint to assign roles in a special way? My problem
> is that Apache Fortress stores the role information
> in a special way which cannot be done with a simple LDAP query. So
> whenever a role is assigned or removed I would
> need to call a REST service to apply the changes via Apache Fortress.
>
> Thank u
>
>
>
> On 11.10.2016 at 13:03, Ivan Noris wrote:
>> Hi Patrick,
>>
>> until now I was working only with AD groups. Could you please explain
>> what you mean with "AD roles"? (If this is something related to MS
>> documentation, a link to the doc would help.)
>>
>> Thanks,
>>
>> Ivan
>>
>>
>> On 10/11/2016 12:13 PM, Patrick Brunmayr wrote:
>>> Hello
>>>
>>> How does midPoint distinguish between roles and groups? In our AD system we
>>> have a group membership to
>>> mimic what kind of resource (apps) a user has access to. On the other
>>> hand we have roles which describe
>>> what the user is capable of doing in the application.
>>>
>>> How can I do this with midPoint?
>>>
>>> Thx
>>>
>>>
>>> LINZ AG für Energie, Telekommunikation, Verkehr und Kommunale Dienste
>>> A-4021 Linz, Wiener Straße 151, Postfach 1300, Tel. +43/732/3400-0,
>>> E-Mail: info at linzag.at
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
>
> *Patrick Brunmayr*
>
> *LINZ AG TELEKOM*
> Infrastructure & Network Technology
>
> Internet Services
>
>
> LINZ AG TELEKOM is a business unit of LINZ STROM GmbH
> for energy generation, trading, services and telecommunications.
>
>
> 4021 Linz, Wiener Straße 151, Austria
> Tel.: +43(0)732/3400-5639
> Fax: +43(0)732/3400-155639
> E-Mail: p.brunmayr at linzag.at
> Internet: www.linzag-telekom.at
>
> FN 199533 g of the Regional Court of Linz
>
> Certified according to:
>
> EN ISO 9001 Quality Management (QM)
>
> OHSAS 18001 Occupational Health and Safety Management System
>
> ISO/IEC 27001 Information Security Management System (ISMS)
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
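An added example (not from this thread, the evolveum blog, or the midPoint project) of the setup Ivan describes: a single midPoint role whose inducements both place the LDAP account into a group and contribute a value to the Apache Fortress ftRA attribute. Assumed: the resource OIDs are placeholders, the Fortress resource exposes the user entry's ftRA attribute as ri:ftRA, and the LDAP resource defines a "group" association as in the evolveum samples.

```xml
<!-- Example role, not project code. Placeholder OIDs and the ri:ftRA /
     ri:group names on the two assumed resources are assumptions. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>App X Operator</name>
    <!-- Inducement 1: LDAP account becomes a member of the appx-users group -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-LDAP-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal>
                                    <q:path>attributes/ri:dn</q:path>
                                    <q:value>cn=appx-users,ou=Groups,dc=example,dc=com</q:value>
                                </q:equal>
                            </filter>
                            <searchStrategy>onResource</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
    <!-- Inducement 2: Fortress account gets one ftRA value; ftRA is multivalued,
         so other roles can contribute their own values alongside this one -->
    <inducement>
        <construction>
            <resourceRef oid="PLACEHOLDER-FORTRESS-RESOURCE-OID" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <attribute>
                <ref>ri:ftRA</ref>
                <outbound>
                    <expression>
                        <value>AppXOperator</value>
                    </expression>
                </outbound>
            </attribute>
        </construction>
    </inducement>
</role>
```

Because midPoint tracks which values each assignment contributed, unassigning the role removes the group membership and the ftRA value again, so the "assigned, removed" case in the question is handled without role-specific REST calls, provided the Fortress resource's connector can modify that attribute.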
