[midPoint] Metarole and resourceRef inheritance

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Mon Nov 27 19:14:02 CET 2017


Hello!

I'm just trying this solution and got some trouble.

I have created a role, let's call it "Master"; this role has an extension
attribute "resourceRef", and it induces a basic resource account.
The value of this attribute is my resource OID.

Then I've created a metarole with the provided expression:

<resourceRef type="c:ResourceType">
   <filter>
      <q:inOid>
         <expression>
            <script>
               <code>
                  val = basic.getExtensionReferenceValue(focus, "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
                  return val?.getOid()
               </code>
            </script>
         </expression>
      </q:inOid>
   </filter>
   <resolutionTime>run</resolutionTime>
</resourceRef>

This metarole is assigned to "Master". The Master role creates an account
with the required basic attributes, and the metarole gives the entitlements.
But the metarole resourceRef expression does not resolve the resource
OID from the master role; the following error appears:

Got no target from repository, filter:NONE, class:class
com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType in
resolving resource.

I want to assign this single metarole to any of dozens of "master" roles which
assign resource accounts in dozens of identical systems, and it must
give an entitlement with the same icfs:name in each resource (this is
working already).

Am I missing something? Thanks!
WS


On 16.02.2017 at 09:16, Wojciech Staszewski wrote:
> Thank you very much!
> I'll try it. I can't promise that I'll try it today because I have to use snapshots due to translation process.
> And because of that I have some stability issues (stack overflow error when applying changes on user and in reconciliation also),
> but I'll check it if only these issues are fixed.
>
> Best regards!
> WS
>
> On 16.02.2017 at 08:53, Katka Valalikova wrote:
>> Hi Wojciech,
>>
>> in one of my environments I have a similar situation (if I understood your problem correctly). I have hundreds of Unix systems where I manage groups, users and their memberships in groups. I use the following configuration.
>>
>> 1. I have midPoint Role A - this role has metarole M(x) assigned, which creates a group (G) on the target Linux system, and after Role A is assigned to the user, it adds this user as a member of the Unix group (G) created by the metarole M(x). In Role A I have an extension attribute which contains a reference to the resource where all of this should happen.
>> 2. The configuration for the "dynamically" resolved resource ref looks like the following:
>>
>>
>>  <inducement id="1">    <!-- create an unix group on the target system referenced from the val.getOid() with the name from extension/ext:commonName-->
>>       <construction>
>>          <resourceRef type="c:ResourceType">
>>             <filter>
>>                <q:inOid>
>>                   <expression>
>>                      <script>
>>                         <code>
>>                                 val = basic.getExtensionReferenceValue(focus, "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>                                 return val?.getOid()
>>                             </code>
>>                      </script>
>>                   </expression>
>>                </q:inOid>
>>             </filter>
>>             <resolutionTime>run</resolutionTime>
>>          </resourceRef>
>>          <kind>entitlement</kind>
>>          <intent>unixGroup</intent>
>>          <attribute>
>>             <c:ref>icfs:name</c:ref>
>>             <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
>>             <outbound>
>>                <source>
>>                   <name>commonName</name>
>>                   <c:path xmlns:ext="http://midpoint.evolveum.com/xml/ns/custom/roleext">extension/ext:commonName</c:path>
>>                </source>
>>             </outbound>
>>          </attribute>
>>       </construction>
>>    </inducement>
>>    <inducement id="2">   <!-- assign user to the group on the target system referenced from the val.getOid() -->
>>       <construction>
>>          <resourceRef type="c:ResourceType">
>>             <filter>
>>                <q:inOid>
>>                   <expression>
>>                      <script>
>>                         <code>
>>                                 val = basic.getExtensionReferenceValue(immediateRole, "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
>>                                 return val?.getOid() 
>>                             </code>
>>                      </script>
>>                   </expression>
>>                </q:inOid>
>>             </filter>
>>             <resolutionTime>run</resolutionTime>
>>          </resourceRef>
>>          <kind>account</kind>
>>          <intent>default</intent>
>>          <association>
>>             <c:ref>ri:unixGroup</c:ref>
>>             <outbound>
>>                <strength>strong</strength>
>>                <expression>
>>                   <associationFromLink>
>>                      <projectionDiscriminator>
>>                         <kind>entitlement</kind>
>>                         <intent>unixGroup</intent>
>>                      </projectionDiscriminator>
>>                   </associationFromLink>
>>                </expression>
>>             </outbound>
>>          </association>
>>       </construction>
>>       <order>2</order>
>>       <focusType>UserType</focusType>
>>    </inducement> 
>>
>> You can maybe use something like this. In general, there is support for resolving references to resources (and also roles, services, orgs) dynamically using a filter (and expression) instead of a static reference (resourceRef, ...). Your expression can be modified according to your needs. However, keep in mind that this configuration can be used only if the target systems are the same and have the same schema. In my case, all of the target systems are Linux distributions with the same configuration.
>>
>> Best regards,
>>
>> Katarina Valalikova
>> Java Developer
>> evolveum.com
>>
>> ----- Original Message -----
>> From: "Wojciech Staszewski" <wojciech.staszewski at diagnostyka.pl>
>> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
>> Sent: Tuesday, February 14, 2017 10:26:33 AM
>> Subject: [midPoint]  Metarole and resourceRef inheritance
>>
>> Hello all!
>>
>> I have a question, maybe stupid or maybe not:
>>
>> - Why must a metarole have a "ResourceRef"? Can't it be inherited from the "master" role?
>>   (I know the answer: "a metarole is also a normal role..." etc.)
>>
>> This would be useful with a large number of identical systems. I'd like to have 30 metaroles that I could assign to any of 200 systems rather than having to maintain 30x200 metaroles.
>> Access rights (roles, groups, privileges, "entitlements" in general) are identical in each system; they are replicated from a central server.
>> Any change would require editing 30x200 roles; it would be a nightmare to maintain.
>>
>> Best regards,
>> Wojciech Staszewski
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint