[midPoint] Mapping Org to Active Directory Groups

Oskar Butovič - AMI Praha a.s. oskar.butovic at ami.cz
Tue Oct 31 10:30:44 CET 2017


Something like this inside the schema handling of your Active Directory
resource could do the trick.

<objectType>
    <kind>entitlement</kind>
    <intent>group</intent>
    <displayName>AD Group</displayName>
    <default>true</default>
    <objectClass>ri:group</objectClass>
    ...
    ...
    <association>
        <c:ref>ri:group</c:ref>
        <displayName>AD Group Membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
        <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
        <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    </association>
    ...
    ...
</objectType>

The next thing you need is an inducement on the meta-role, like:

<inducement>
    <construction>
        <resourceRef oid="AD-resource"
                     relation="org:default"
                     type="c:ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:group</c:ref>
            <outbound>
                <strength>strong</strength>
                <expression>
                    <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                         xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
</inducement>

For further info, look at the link to the wiki I sent you.

Best Regards
Oskar Butovič


2017-10-31 7:55 GMT+01:00 Ian Chen <ianchen.op at gmail.com>:

> Hi Oskar,
>
> I mapped all org to Entitlement as AD groups.
> But I cannot find how to map parent org of assignment, could you share
> some details?
> Thanks.
>
> Regards,
> Ian
>
> On Wed, Oct 25, 2017 at 6:33 PM, Oskar Butovič - AMI Praha a.s. <
> oskar.butovic at ami.cz> wrote:
>
>> Hi Chen,
>>
>> I suggest mapping this as an association:
>> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinitionExamples
>> An association can handle both directions of membership (members in a group or
>> groups on a user). So, for example, if you assign a parent org to a user or to
>> another org, midPoint also modifies the group represented by the parent org.
>> Hope it makes sense. :-)
>>
>> Associations work with assignments. If properly assigned, child
>> orgs should have the parent org in one of their assignments and also in the
>> parentOrgRef element.
>>
>> Best Regards
>> Oskar Butovič
>>
>> 2017-10-25 12:23 GMT+02:00 Ian Chen <ianchen.op at gmail.com>:
>>
>>> Hi List,
>>>
>>> I'm new here and trying to solve mapping Org to AD groups as in
>>> https://evolveum.com/blog/practical-organization-structure-in-active-directory/.
>>> I'm stuck at setting member for group.
>>>
>>> It seems an AD group can only have members (children), while in midPoint an Org
>>> is assigned upwards (parent). As I cannot find child Orgs in the outbound
>>> mapping, I added an extension attribute to hold the parentID of the parent Org. My
>>> plan is, in the outbound mapping, to search for any Org with parentID set to the
>>> current Org ID, but I cannot find how. Please help!
>>>
>>> Also if there is better/simpler method to do this, please let me know.
>>>
>>> Thanks!
>>> Ian
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>>
>>
>
>
>


-- 

Oskar Butovič
solution architect

gsm: [+420] 774 480 101
e-mail: oskar.butovic at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz


By the text of this e-mail the signatory neither promises to conclude nor concludes
any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be
exclusively in written form.
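As an added consistency check (example code written for this archive page, not part of midPoint or of the thread): the script below parses a constructed resource and a constructed meta-role modelled on the snippets above and verifies that the inducement's associationFromLink projectionDiscriminator points at the entitlement objectType that the account objectType's association actually references, that every objectType has an objectClass, and that every association carries a known direction plus both membership attributes. It assumes midPoint 3.x namespace URIs and places the association in the account (subject) objectType as midPoint's entitlement documentation does; the OID "AD-resource" is a placeholder carried over from the mail.

```python
import xml.etree.ElementTree as ET

# Constructed sample resource modelled on this thread's snippets: the association sits in
# the account (subject) objectType and targets the entitlement/group objectType.
# Namespace URIs are midPoint 3.x (assumption: adjust if your version differs).
RESOURCE_XML = """<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind><intent>default</intent><objectClass>ri:user</objectClass>
      <association>
        <c:ref>ri:group</c:ref><kind>entitlement</kind><intent>group</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>ri:dn</valueAttribute>
      </association>
    </objectType>
    <objectType><kind>entitlement</kind><intent>group</intent><objectClass>ri:group</objectClass></objectType>
  </schemaHandling>
</resource>"""

# Constructed meta-role carrying the thread's inducement; "AD-resource" is a placeholder
# OID, as in the original mail.
METAROLE_XML = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <inducement>
    <construction>
      <resourceRef oid="AD-resource" type="c:ResourceType"/>
      <kind>account</kind><intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <outbound><strength>strong</strength>
          <expression><associationFromLink xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
            <projectionDiscriminator><kind>entitlement</kind><intent>group</intent></projectionDiscriminator>
          </associationFromLink></expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
  </inducement>
</role>"""


def local(tag):  # drop the '{uri}' prefix ElementTree puts on namespaced tags
    return tag.rsplit('}', 1)[-1]


def child_text(elem, name):  # text of the first direct child with local name `name`, '' if absent
    return next(((ch.text or '').strip() for ch in elem if local(ch.tag) == name), '')


def parse_resource(xml_text):
    """Map (kind, intent) -> objectClass and (kind, intent, ref) -> association details."""
    object_types, associations = {}, {}
    for ot in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == 'objectType'):
        key = (child_text(ot, 'kind'), child_text(ot, 'intent'))
        object_types[key] = child_text(ot, 'objectClass')
        for a in (e for e in ot if local(e.tag) == 'association'):
            associations[key + (child_text(a, 'ref'),)] = {
                'target': (child_text(a, 'kind'), child_text(a, 'intent')),
                'direction': child_text(a, 'direction'),
                'attrs': (child_text(a, 'associationAttribute'), child_text(a, 'valueAttribute')),
            }
    return object_types, associations


def check_resource(object_types, associations):
    """Every objectType needs an objectClass; every association a defined target, a known direction and both attributes."""
    findings = [f'objectType {k}/{i} has no objectClass' for (k, i), oc in object_types.items() if not oc]
    for (kind, intent, ref), a in associations.items():
        where = f'association {ref} in {kind}/{intent}'
        if a['target'] not in object_types:
            findings.append(f'{where}: target {"/".join(a["target"])} is not a defined objectType')
        if a['direction'] not in ('objectToSubject', 'subjectToObject'):
            findings.append(f'{where}: unknown direction {a["direction"]}')
        if not all(a['attrs']):  # objectToSubject: member attribute on the group, dn on the account
            findings.append(f'{where}: associationAttribute and valueAttribute are both required')
    return findings


def check_inducements(role_xml, associations):
    """Each induced association must exist for its construction's kind/intent and its discriminator must name that association's target."""
    findings = []
    for con in (e for e in ET.fromstring(role_xml).iter() if local(e.tag) == 'construction'):
        kind, intent = child_text(con, 'kind'), child_text(con, 'intent')
        for a in (e for e in con if local(e.tag) == 'association'):
            ref = child_text(a, 'ref')
            defined = associations.get((kind, intent, ref))
            if defined is None:
                findings.append(f'inducement for {kind}/{intent}: association {ref} is not defined in the resource')
                continue
            for pd in (e for e in a.iter() if local(e.tag) == 'projectionDiscriminator'):
                disc = (child_text(pd, 'kind'), child_text(pd, 'intent'))
                if disc != defined['target']:
                    findings.append(f'inducement for {kind}/{intent}: projectionDiscriminator {"/".join(disc)} '
                                    f'does not match association {ref} target {"/".join(defined["target"])}')
    return findings


def check(resource_xml, role_xml):
    """Run both checks; an empty list means the resource and the meta-role agree."""
    object_types, associations = parse_resource(resource_xml)
    return check_resource(object_types, associations) + check_inducements(role_xml, associations)
```

Run `check(RESOURCE_XML, METAROLE_XML)` on your own exported resource and meta-role XML; a projectionDiscriminator whose kind/intent does not match an entitlement objectType is the usual reason the associationFromLink evaluator yields no group membership, and this check catches that before deployment.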