[midPoint] Importing entitlements to roles for multiple account intents

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Fri Dec 29 16:40:31 CET 2017


Hi!

I thought about adding multiple first order inducements for each account
intent with weak strength to the "associationFromLink" metarole,
but what if the accounts (of one user in multiple intents) must have
different privileges (entitlements)?
When I assign a role that gives entitlement X, it will be applied to
every user account on this resource, I think.

Another way I tried is to assign the "associationFromLink" metarole to
the role that provisions account creation,
and the role with linkRef pointing to the entitlement shadow as separate
user assignment, but it doesn't work.
I think (but I don't know exactly) that "associationFromLink" is limited
to one assignment chain so the linkRef and associationFromLink
must be in the same chain. But maybe I'm wrong...?

I'm stuck here and see no good solution for now.

Best regards!
WS


On 29.12.2017 at 15:08, Alcides Carlos de Moraes Neto wrote:
> Hi WS,
>
> In your role template, have you tried adding multiple inducements with
> an association for each entitlement? I don't see why that wouldn't work.
>
> 2017-12-28 13:54 GMT-02:00 Wojciech Staszewski
> <wojciech.staszewski at diagnostyka.pl
> <mailto:wojciech.staszewski at diagnostyka.pl>>:
>
>     Hello!
>
>     I'm looking for the correct way to import resource
>     entitlements into midPoint roles.
>
>     For now I'm doing this as follows:
>     1) create schema handling for entitlement.
>     2) create synchronization.
>     3) At the "unmatched->addFocus" synchronization step I connect a
>     role template. The template assigns metaroles to the imported
>     roles for:
>       a) association from link (as the imported roles are just linkRef
>     only),
>       b) approval schema,
>       c) and assigns correct OrgUnit in the role catalog, based on
>     resource, role type and other "things".
>
>     That works just perfect, but for one account intent only. The
>     account intent is statically specified in "association from link"
>     metarole in the first order inducement.
>     If it is not, the metarole works for "default" account intent.
>     But I have 8 account intents in this resource, and every account
>     must be associated with the entitlements regardless of the intent.
>
>     I tried to make more than one "unmatched->addFocus"
>     synchronization reaction with different role templates
>     with hope for importing 8 roles from one entitlement for different
>     account intents but midPoint warns me: "Duplicated reactions [...]".
>     I cannot just add multiple "actions" to one reaction because I can
>     apply only one template to one reaction.
>
>     And I don't know how to do it.
>     Any ideas?
>     Beer is on me for the help!
>
>     Happy NY!
>     WS
>     _______________________________________________
>     midPoint mailing list
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>     http://lists.evolveum.com/mailman/listinfo/midpoint
>     <http://lists.evolveum.com/mailman/listinfo/midpoint>

-- 
Wojciech Staszewski
Network Systems Administrator
mobile: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register)
NIP: 675-12-65-009; REGON: 356366975
Share capital: 33 756 500 zł.

Think about the environment before you print this e-mail.
