[midPoint] Role Explosion and Role Parameters

Ivan Noris ivan.noris at evolveum.com
Mon Jul 2 12:30:52 CEST 2018


Hi Nicolas,

I have no example (nor experience) with Rest connector; maybe someone
else has.

Regarding the issue in reference
(https://jira.evolveum.com/browse/MID-3515): it is marked as New feature
with "subscription needed". The best way is to have a Platform
subscription for the project.

All the possible ways are described in
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature and
https://wiki.evolveum.com/display/midPoint/Subscriptions+and+Sponsoring

Best regards,

Ivan


On 29.06.2018 19:09, Nicolas Rossi wrote:
> Hi Ivan, we found the assignment properties and we also extended the
> AssignmentType for another project, but we don't know how to specify in a
> role definition that a property on the assignment is mandatory. Is
> there any way to do that?
>
> On the other hand we are working on a Rest Connector and I couldn't
> find any example to access the assignment parameters when provisioning
> the role to the resource.
>
> Regarding the issue at Jira, what does Evolveum need to continue the
> development? Maybe we can find some support from our customers to
> achieve that. 
>
> Kind regards,
>
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
>
>
> On Fri, Jun 29, 2018 at 4:03 AM Ivan Noris <ivan.noris at evolveum.com> wrote:
>
>     Hi Nicolas,
>
>     when I was working with parametric roles, I was using an approach
>     which I described here:
>     https://evolveum.com/blog/working-multi-tenant-roles/
>
>     (The screenshots are from old midpoint :-) but you should get the
>     message.)
>
>     By default you can assign roles with parameters: orgRef or tenantRef:
>
>     - orgRef: you select (probably any) of the organizations in
>     midPoint to be the parameter
>
>     - tenantRef: you select any organization marked as tenant in
>     midPoint to be the parameter
>
>     This might help you as it is (we were / are using this in multiple
>     deployments).
>
>     What we definitely want is to make this more configurable and
>     extensible. But I'm sure Radovan will provide more on this topic.
>
>     I believe the feature is tracked here:
>     https://jira.evolveum.com/browse/MID-3515
>
>     Best regards,
>     Ivan
>
>     On 29.06.2018 00:11, Nicolas Rossi wrote:
>>     Hi guys, 
>>
>>     We are working on a customer who needs to define some roles with
>>     parameters to prevent a role explosion scenario. I have found a lot
>>     of references to this issue on the wiki (here
>>     <https://wiki.evolveum.com/display/midPoint/Role+Explosion>, here
>>     <https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles>
>>     and here
>>     <https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments>).
>>     There were also similar questions
>>     <https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html>
>>     on the mailing list a few years ago where Radovan explains that it
>>     was designed but not implemented.
>>
>>     Regarding Radovan's explanation, I am not sure if we should
>>     extend the AssociationType to add custom parameters or if we
>>     should define role parameters (couldn't find any example in the
>>     documentation).
>>
>>     On the UI, when an end-user requests a new role, he can define
>>     properties on the assignment (parameters) for each role, but...
>>     is there any way to define that some properties / parameters are
>>     required so the user can't request the role without specifying
>>     some value for that parameter?
>>
>>     I apologize in advance for the lengthy e-mail
>>
>>     Thanks,
>>
>>
>>     Ing Nicolás Rossi
>>     Identicum S.A.
>>     Jorge Newbery 3226
>>     Tel: +54 (11) 4552-3050
>>     www.identicum.com <http://www.identicum.com>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
