[midPoint] Importing entitlements to roles for multiple account intents

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Sat Dec 30 13:36:56 CET 2017


Hi!

Yes, but if the user has 2 or more accounts on this resource, all
accounts will receive the entitlement. I have to avoid this.
The entitlements must be given independently for each account.

I see some workarounds:

1) Manually create the roles for account intents other than default and
update them when needed.
- disadvantages: A lot of roles and a lot of changes. There are 100
resources of this kind, some of them contain more than 1 account intent
(1.5 on average) and 3 entitlement types, every type contains 20
entitlements on average. This makes 100 x 1.5 x 3 x 20 = 9000 roles for
manual handling. Terrifying...

That's why I want to use synchronization tasks for importing and
updating the roles automatically.

2) Create another resource pointing to the same database for another
intent, so each account intent is handled by separate (fake) resource.
In this case I can set synchronization tasks for importing and updating
the same entitlements for every account intent.
- disadvantages: The user changes laboratory, so the account changes intent.
It happens. On the resource side this is a simple task: edit the user, pick
the lab from a drop-down list, save. How will midPoint see this? The user
disappears from one resource and appears on another. With the full
enforcement policy midPoint will try to fix this situation and create an
account for him in the old intent. On the second resource the new account will
be deleted.
Ok, so let's do it on the midPoint side: assign the account and entitlements on
the second resource and unassign the first one. MidPoint will delete the
account on the first and create a new one on the second, as for midPoint
these are 2 independent resources. This is the wrong way.

3) This is a ScriptedSQL resource. So in the Groovy scripts I can make
multiple ObjectClasses for the entitlements pointing to the same
database objects. In midPoint I will see the same entitlements multiple
times, each with a different ObjectClass. So I can use it to import and
synchronize roles for different account intents. When the entitlement in
the resource database is changed, synchronization will work for every
objectClass.
- disadvantages: I have to think a little bit, as I invented it just a
moment ago.

Best regards!
Wojciech Staszewski

On 29.12.2017 at 19:36, Alcides Carlos de Moraes Neto wrote:
> If you assign a Role that gives Entitlement X to User Y with weak
> strength, only the existing account(s) for User Y will receive the
> entitlement.
> Having multiple weak inducements will work I think.
>
> I have a similar setup, but it's the other way around - multiple
> intents for entitlements induced from Org, only one for account intent
> associated to User.
> I have multiple inducements in a Meta-role that I assign to Orgs.
>
> You can also use a Condition expression to further filter them.
>
> 2017-12-29 13:40 GMT-02:00 Wojciech Staszewski
> <wojciech.staszewski at diagnostyka.pl
> <mailto:wojciech.staszewski at diagnostyka.pl>>:
>
>     Hi!
>
>     I thought about adding multiple first order inducements for each
>     account intent with weak strength to the "associationFromLink"
>     metarole,
>     but what if the accounts (of one user in multiple intents) must
>     have different privileges (entitlements)?
>     When I assign a role that gives entitlement X, it will be applied
>     to every user account on this resource, I think.
>
>     Another way I tried is to assign the "associationFromLink"
>     metarole to the role that provisions account creation,
>     and the role with linkRef pointing to the entitlement shadow as a
>     separate user assignment, but it doesn't work.
>     I think (but I don't know exactly) that "associationFromLink" is
>     limited to one assignment chain, so the linkRef and associationFromLink
>     must be in the same chain. But maybe I'm wrong...?
>
>     I'm stuck here and see no good solution for now.
>
>     Best regards!
>     WS
>
>
>     On 29.12.2017 at 15:08, Alcides Carlos de Moraes Neto wrote:
>>     Hi WS,
>>
>>     In your role template, have you tried adding multiple inducements
>>     with an association for each entitlement? I don't see why that
>>     wouldn't work.
>>
>>     2017-12-28 13:54 GMT-02:00 Wojciech Staszewski
>>     <wojciech.staszewski at diagnostyka.pl
>>     <mailto:wojciech.staszewski at diagnostyka.pl>>:
>>
>>         Hello!
>>
>>         I'm looking for the correct way to import resource
>>         entitlements into midPoint roles.
>>
>>         For now I'm doing this as follows:
>>         1) create schema handling for entitlement.
>>         2) create synchronization.
>>         3) At the "unmatched->addFocus" synchronization step I
>>         connect a role template. The template assigns metaroles to
>>         the imported roles for:
>>           a) association from link (as the imported roles are just
>>         linkRef only),
>>           b) approval schema,
>>           c) and assigns correct OrgUnit in the role catalog, based
>>         on resource, role type and other "things".
>>
>>         That works just perfectly, but for one account intent only. The
>>         account intent is statically specified in the "association from
>>         link" metarole in the first order inducement.
>>         If it is not, the metarole works for the "default" account intent.
>>         But I have 8 account intents in this resource, and every
>>         account must be associated with the entitlements regardless
>>         of the intent.
>>
>>         I tried to make more than one "unmatched->addFocus"
>>         synchronization reaction with different role templates
>>         with hope for importing 8 roles from one entitlement for
>>         different account intents but midPoint warns me: "Duplicated
>>         reactions [...]".
>>         I cannot just add multiple "actions" to one reaction because
>>         I can apply only one template to one reaction.
>>
>>         And I don't know how to do it.
>>         Any ideas?
>>         Beer is on me for the help!
>>
>>         Happy NY!
>>         WS
>>         _______________________________________________
>>         midPoint mailing list
>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>         <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>     -- 
>     Wojciech Staszewski
>     Network Systems Administrator
>     mobile: 663 680 236
>     www.diagnostyka.pl <http://www.diagnostyka.pl>
>     Diagnostyka Sp. z o. o.
>     ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
>     KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the KRS)
>     NIP: 675-12-65-009; REGON: 356366975
>     Share capital: 33 756 500 PLN.
>
>     Think about the environment before you print this e-mail.
>
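Added illustration of the "one weak inducement per account intent" pattern Alcides describes above (example configuration written for this page, not taken from the thread or from the midPoint project). The resource OID, the intent names lab1 and lab2, the ri:group object class and its ri:name attribute are assumptions; the point is that a weak construction only decorates accounts the user already holds in that intent and never creates one.

```xml
<!-- Added example, not from the thread. Resource OID, intents lab1/lab2, ri:group and ri:name are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Entitlement X</name>
    <!-- Weak construction: adds the group association only if the user already has an account with intent lab1. -->
    <inducement>
        <construction>
            <strength>weak</strength>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <kind>account</kind>
            <intent>lab1</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal><q:path>attributes/ri:name</q:path><q:value>X</q:value></q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
    <!-- Same entitlement for intent lab2; a user with accounts in both intents gets the group on both, one with lab2 only gets it there. -->
    <inducement>
        <construction>
            <strength>weak</strength>
            <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
            <kind>account</kind>
            <intent>lab2</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationTargetSearch>
                            <filter>
                                <q:equal><q:path>attributes/ri:name</q:path><q:value>X</q:value></q:equal>
                            </filter>
                            <searchStrategy>onResourceIfNeeded</searchStrategy>
                        </associationTargetSearch>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
</role>
```

One such role per entitlement, with one inducement per intent, still has to be generated by the synchronization task rather than by hand, which is the scaling problem the thread is about.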