[midPoint] Metarole and resourceRef inheritance

Katka Valalikova katka.valalikova at evolveum.com
Thu Feb 16 08:53:30 CET 2017


Hi Wojciech,

in one of my environments I have a similar situation (if I understood your problem correctly). I have hundreds of Unix systems where I manage groups, users and their memberships in groups. I use the following configuration.

1. I have midPoint Role A - this role has assigned metarole M(x), which creates a group (G) on the target Linux system, and after Role A is assigned to the user, it adds this user as a member of the unix group (G) created by the metarole M(x). In Role A I have an extension attribute which contains a reference to the resource where all of this should happen.
2. The configuration for the "dynamically" resolved resource ref looks like the following:


   <inducement id="1">
      <!-- Order 1 (the default): evaluated for the role that has this metarole assigned (Role A),
           so "focus" here is Role A. Creates a unix group on the resource referenced from
           Role A's extension/ext:resourceRef (val.getOid()), named from extension/ext:commonName. -->
      <construction>
         <resourceRef type="c:ResourceType">
            <filter>
               <q:inOid>
                  <expression>
                     <script>
                        <code>
                           val = basic.getExtensionReferenceValue(focus, "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
                           return val?.getOid()
                        </code>
                     </script>
                  </expression>
               </q:inOid>
            </filter>
            <resolutionTime>run</resolutionTime>
         </resourceRef>
         <kind>entitlement</kind>
         <intent>unixGroup</intent>
         <attribute>
            <c:ref>icfs:name</c:ref>
            <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
            <outbound>
               <source>
                  <name>commonName</name>
                  <c:path xmlns:ext="http://midpoint.evolveum.com/xml/ns/custom/roleext">extension/ext:commonName</c:path>
               </source>
            </outbound>
         </attribute>
      </construction>
   </inducement>
   <inducement id="2">
      <!-- Order 2: evaluated for the user that has Role A assigned. "immediateRole" is the role
           assigned directly to the user (Role A), so the same extension reference selects the
           resource; the user's account is then made a member of the group created by inducement 1. -->
      <construction>
         <resourceRef type="c:ResourceType">
            <filter>
               <q:inOid>
                  <expression>
                     <script>
                        <code>
                           val = basic.getExtensionReferenceValue(immediateRole, "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
                           return val?.getOid()
                        </code>
                     </script>
                  </expression>
               </q:inOid>
            </filter>
            <resolutionTime>run</resolutionTime>
         </resourceRef>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>ri:unixGroup</c:ref>
            <outbound>
               <strength>strong</strength>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>unixGroup</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <focusType>UserType</focusType>
   </inducement>

You can maybe use something like this. In general, there is support for resolving references to the resource (even roles, services, orgs) dynamically using a filter (and expression) instead of a static reference (resourceRef, ...). Your expression can be modified according to your needs. However, keep in mind that this configuration can be used only if the target systems are the same and have the same schema. In my case, all of the target systems are Linux distributions with the same configuration.

Best regards,

Katarina Valalikova
Java Developer
evolveum.com
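The inducements above only work if Role A actually carries the extension items the scripts read. The following is an added example, not part of the original post and not midPoint's own sample code, showing the two missing pieces: the extension schema that declares ext:commonName and ext:resourceRef on roles, and a Role A that sets them and assigns the metarole. Everything except the "roleext" namespace and the element names commonName/resourceRef (both taken from the post) is assumed: the OIDs, the object names, the schema file location and the metarole's name.

```xml
<!-- File 1 (assumed location): $MIDPOINT_HOME/schema/ext/roleext.xsd
     Declares the role extension that the metarole's scripts read via
     basic.getExtensionReferenceValue(..., "resourceRef") and the
     extension/ext:commonName source path. -->
<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://midpoint.evolveum.com/xml/ns/custom/roleext"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3">

    <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>

    <xsd:complexType name="RoleExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <!-- attach this extension to RoleType only -->
                <a:extension ref="c:RoleType"/>
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <!-- name of the unix group created by the metarole -->
            <xsd:element name="commonName" type="xsd:string" minOccurs="0" maxOccurs="1"/>
            <!-- which resource the group and the membership go to; restricted to resources
                 so a reference to some other object type is rejected at import time -->
            <xsd:element name="resourceRef" type="c:ObjectReferenceType" minOccurs="0" maxOccurs="1">
                <xsd:annotation>
                    <xsd:appinfo>
                        <a:objectReferenceTargetType>c:ResourceType</a:objectReferenceTargetType>
                    </xsd:appinfo>
                </xsd:annotation>
            </xsd:element>
        </xsd:sequence>
    </xsd:complexType>
</xsd:schema>

<!-- File 2: Role A for one target system. One such role per (group, system) pair;
     the metarole M(x) with the two inducements from the post stays a single object.
     OIDs below are hypothetical placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ext="http://midpoint.evolveum.com/xml/ns/custom/roleext"
      oid="10000000-0000-0000-0000-00000000a001">
    <name>webadmins on linux-01</name>
    <extension>
        <!-- read by inducement 1 as the group name (icfs:name) -->
        <ext:commonName>webadmins</ext:commonName>
        <!-- read by inducement 1 (as "focus") and inducement 2 (as "immediateRole") -->
        <ext:resourceRef oid="20000000-0000-0000-0000-00000000ff01" type="c:ResourceType"/>
    </extension>
    <!-- assign the metarole M(x) (hypothetical OID); its inducements are applied to this role -->
    <assignment>
        <targetRef oid="30000000-0000-0000-0000-0000000000ab" type="c:RoleType"/>
    </assignment>
</role>
```

Assigning the role to a user is then an ordinary assignment with targetRef pointing at Role A's OID; the order-2 inducement picks up the same ext:resourceRef through immediateRole and adds the user's account on that one resource to the group. Restarting midPoint after dropping the XSD into schema/ext is required for the extension to be recognised; keep ext:resourceRef populated on every role that carries the metarole, since the scripts return null for a role without it and no resource is selected.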

----- Original Message -----
From: "Wojciech Staszewski" <wojciech.staszewski at diagnostyka.pl>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Sent: Tuesday, February 14, 2017 10:26:33 AM
Subject: [midPoint]  Metarole and resourceRef inheritance

Hello all!

I have a question, maybe stupid or maybe not:

- Why metarole must have "ResourceRef"? Can't it be inherited from "master" role?
  (I know the answer: "metarole is also a normal role..." etc.).

This would be useful with a large number of identical systems. I'd like to have 30 metaroles that I could assign to any of 200 systems rather than have to maintain 30x200 metaroles.
Access rights (roles, groups, privileges, "entitlements" in general) are identical in each system; they are replicated from a central server.
Any change would require editing 30x200 roles; it would be a nightmare to maintain.

Best regards,
Wojciech Staszewski
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
