[midPoint] Role Explosion and Role Parameters

Ivan Noris ivan.noris at evolveum.com
Fri Jun 29 09:00:36 CEST 2018


Hi Nicolas,

when I was working with parametric roles, I was using an approach which
I described here: https://evolveum.com/blog/working-multi-tenant-roles/

(The screenshots are from old midpoint :-) but you should get the message.)

By default you can assign roles with parameters: orgRef or tenantRef:

- orgRef: you select (probably any) of the organizations in midPoint to
be the parameter

- tenantRef: you select any organization marked as tenant in midPoint to
be the parameter

This might help you as it is (we were / are using this in multiple
deployments).

What we definitely want is to make this more configurable and
extensible. But I'm sure Radovan will provide more on this topic.

I believe the feature is tracked here:
https://jira.evolveum.com/browse/MID-3515

Best regards,
Ivan

On 29.06.2018 00:11, Nicolas Rossi wrote:
> Hi guys, 
>
> We are working with a customer who needs to define some roles with
> parameters to prevent a role explosion scenario. I have found a lot of
> references to this issue on the wiki (here
> <https://wiki.evolveum.com/display/midPoint/Role+Explosion>, here
> <https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles>
> and here
> <https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments>).
> There were also similar questions
> <https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html>
> on the mailing list a few years ago where Radovan explains that it was
> designed but not implemented.
>
> Regarding Radovan's explanation I am not sure if we should extend
> the AssociationType to add custom parameters or if we should define
> role parameters (couldn't find any example in the documentation).
>
> On the UI when an end-user requests a new role, he can define
> properties on the assignment (parameters) for each role, but... is
> there any way to define that some properties / parameters are required
> so the user can't request the role without specifying some value for
> that parameter?
>
> I apologize in advance for the lengthy e-mail
>
> Thanks,
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
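As an added illustration of the orgRef/tenantRef parameters Ivan describes (configuration written for this page, not taken from the blog post or from midPoint's own samples): one role definition whose construction reads the tenant from the assignment, so the same role is assigned once per tenant instead of being cloned per tenant. All OIDs and the `ri:groups` attribute are placeholders, and the `focusAssignment` expression variable is an assumption to verify against the expression-variable documentation for your midPoint version.

```xml
<!-- Added example, not midPoint sample code. OIDs are placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="PLACEHOLDER-ROLE-OID">
  <name>Tenant Support</name>
  <inducement>
    <construction>
      <resourceRef oid="PLACEHOLDER-RESOURCE-OID" type="ResourceType"/>
      <kind>account</kind>
      <!-- multi-valued group attribute: one value per tenant-scoped assignment -->
      <attribute>
        <ref>ri:groups</ref>
        <outbound>
          <expression>
            <script>
              <code>
                // focusAssignment: the user's assignment carrying the parameter
                // (assumed variable name; verify for your midPoint version)
                if (focusAssignment?.tenantRef == null) {
                    // no tenant supplied: grant nothing rather than a default scope
                    return null
                }
                tenant = midpoint.getObject(OrgType.class, focusAssignment.tenantRef.oid)
                return 'support-' + basic.stringify(tenant.name)
              </code>
            </script>
          </expression>
        </outbound>
      </attribute>
    </construction>
  </inducement>
</role>

<!-- The same role assigned twice to one user; each assignment carries its own tenant. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>nrossi</name>
  <assignment>
    <targetRef oid="PLACEHOLDER-ROLE-OID" type="RoleType"/>
    <tenantRef oid="PLACEHOLDER-TENANT-A-OID" type="OrgType"/>
  </assignment>
  <assignment>
    <targetRef oid="PLACEHOLDER-ROLE-OID" type="RoleType"/>
    <tenantRef oid="PLACEHOLDER-TENANT-B-OID" type="OrgType"/>
  </assignment>
</user>
```

Returning null when the parameter is missing is the safe failure mode for the "required parameter" concern raised in the question: an assignment without a tenant provisions no group rather than a cross-tenant one.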
