[midPoint] Valid to role assignment problem

Ivan Noris ivan.noris at evolveum.com
Mon Oct 31 16:11:59 CET 2016


Hi Aivo,

regarding displaying indirect assignments such as roles - we're already
tracking that new feature as https://jira.evolveum.com/browse/MID-3385


(Also happened to me and I needed it.)

It's waiting for prioritization/sponsorship though.


Feel free to comment that issue directly in JIRA.


Best regards,

Ivan


On 10/31/2016 03:41 PM, Aivo Kuhlberg wrote:
>
> I answer my own question and the answer is yes. When the tolerance
> is set to false in the association then all the group memberships of
> linked AD users which are not controlled by midPoint will be deleted.
> So if I have not imported all AD groups (where currently linked AD
> users belong) to midPoint then after setting tolerance to false and
> reconciliation only the membership of the imported and assigned groups
> will be kept.
> But there is a positive side, actually even two positive results.
> First is that now the "Valid to" field in assignments works. There is
> still an issue (MID-3494) when the role has an approver but that is another
> problem.
> The second positive result is that now removing an indirect role
> assignment works as expected which brings it one critical step closer
> to implementing automatic role assignments. I think now the most
> troublesome issue for me is that users are not able to easily see
> indirect roles - it would be nice to see them (for example in a
> different color) in "My assignments" and under the profile assignments tab
> without needing to browse the cog menu.
> Regards,
> Aivo
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Aivo
> Kuhlberg <aivo.kuhlberg at rmit.ee>
> *Sent:* 31 October 2016 11:01
> *To:* midPoint General Discussion
> *Subject:* Re: [midPoint] Valid to role assignment problem
>  
>
> Hi Ivan,
> Does association + tolerant mean I have to add
> <tolerant>false</tolerant> to the association part of the account definition
> in resourceSchema?
>
> If so then what will happen to all the groups which I have excluded in my
> current AD group import? Will this setting delete any existing members
> of these groups? For example when midPoint user A has an AD account and
> this AD account has membership in AD group B but this group B is not
> synced to midPoint. Will this group membership be deleted if tolerant is
> set to false?
>
>
> Best Regards,
> Aivo
>
> ------------------------------------------------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Ivan
> Noris <ivan.noris at evolveum.com>
> *Sent:* 28 October 2016 22:10
> *To:* midpoint at lists.evolveum.com
> *Subject:* Re: [midPoint] Valid to role assignment problem
>  
>
> Hi Aivo,
>
> please check this issue: https://jira.evolveum.com/browse/MID-3296
>
>
> If it's what you are experiencing, please check how your association
> + tolerant is configured.
>
>
> Ivan
>
>
> On 10/28/2016 10:14 AM, Aivo Kuhlberg wrote:
>>
>> Hello,
>>
>> I am testing role assignment valid from/to triggering and have a
>> problem with the valid-to functionality. I assigned a role to a midPoint user
>> and before saving the assignment I specified the valid-to value. This
>> midPoint role is imported from an AD group so I expect that when the
>> valid-to time is over then the AD group will be removed from the AD
>> user but that does not happen. Even full reconciliation of AD users
>> and groups did not help. Even changing the administrative status to
>> "Disabled" did not help. But when I changed it to "Enabled" and then
>> "Disabled" then the AD user group membership disappeared. Can it be
>> because I am using the .NET AD connector and in the LDAP connector this
>> problem is fixed?
>> Before that I tested "Valid From" field triggering and that worked as
>> expected - after the specified time and validity scanner run the AD
>> group was assigned to the AD user.
>> Regards,
>> Aivo Kuhlberg
>>
>>
>> ------------------------------------------------------------------------
>> This e-mail may contain information which is classified for official
>> use.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> -- 
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
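The association + tolerant setting the thread discusses, shown as an added illustrative midPoint resource fragment (not configuration from the thread, from Aivo's deployment or from the midPoint project); the object class and attribute names ri:AccountObjectClass, ri:GroupObjectClass, ri:group, ri:member and ri:dn are assumptions and must match the connector's actual schema:

```xml
<!-- Illustrative fragment, added here; names marked ri:* are assumptions. -->
<schemaHandling>
  <objectType>
    <kind>account</kind>
    <intent>default</intent>
    <default>true</default>
    <objectClass>ri:AccountObjectClass</objectClass>
    <association>
      <ref>ri:group</ref>
      <displayName>AD group membership</displayName>
      <!-- tolerant=false: on the next reconciliation midPoint removes every
           membership it holds no assignment for, including memberships in
           groups that were never imported into midPoint as entitlements.
           With tolerant=true (the default) those memberships are left alone,
           but expired "valid to" assignments may then not be revoked. -->
      <tolerant>false</tolerant>
      <kind>entitlement</kind>
      <intent>group</intent>
      <direction>objectToSubject</direction>
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute>
    </association>
  </objectType>
  <objectType>
    <!-- Every group that should survive reconciliation must be imported
         under this entitlement type before tolerant is switched to false. -->
    <kind>entitlement</kind>
    <intent>group</intent>
    <objectClass>ri:GroupObjectClass</objectClass>
  </objectType>
</schemaHandling>
```

Before flipping tolerant to false, run a reconciliation in simulation or review the reconciliation task's output for accounts whose memberships fall outside the imported groups, since those are exactly the ones that will be removed.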
