[midPoint] Role Explosion and Role Parameters

Nicolas Rossi nrossi at identicum.com
Fri Jun 29 19:09:36 CEST 2018


Hi Ivan, we found the assignment properties and we also extended the
AssignmentType for another project, but we don't know how to specify in a role
definition that a property on the assignment is mandatory. Is there any way
to do that?

On the other hand we are working on a Rest Connector and I couldn't find
any example to access the assignment parameters when provisioning the role
to the resource.

Regarding the issue at Jira, what does Evolveum need to continue the
development? Maybe we can find some support from our customers to achieve
that.

Kind regards,




Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com


On Fri, Jun 29, 2018 at 4:03 AM Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Nicolas,
>
> when I was working with parametric roles, I was using an approach which I
> described here: https://evolveum.com/blog/working-multi-tenant-roles/
>
> (The screenshots are from old midpoint :-) but you should get the message.)
>
> By default you can assign roles with parameters: orgRef or tenantRef:
>
> - orgRef: you select (probably any) of the organizations in midPoint to be
> the parameter
>
> - tenantRef: you select any organization marked as tenant in midPoint to
> be the parameter
>
> This might help you as it is (we were / are using this in multiple
> deployments).
>
> What we definitely want is to make this more configurable and extensible.
> But I'm sure Radovan will provide more on this topic.
>
> I believe the feature is tracked here:
> https://jira.evolveum.com/browse/MID-3515
> Best regards,
> Ivan
>
> On 29.06.2018 00:11, Nicolas Rossi wrote:
>
> Hi guys,
>
> We are working on a customer who needs to define some roles with
> parameters to prevent a role explosion scenario. I have found a lot of
> references to this issue on the wiki (here
> <https://wiki.evolveum.com/display/midPoint/Role+Explosion>, here
> <https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles>
> and here
> <https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments>).
> There were also similar questions
> <https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html> on
> the mailing list a few years ago where Radovan explains that it was designed
> but not implemented.
>
> Regarding Radovan's explanation, I am not sure if we should extend the
> AssociationType to add custom parameters or if we should define role
> parameters (couldn't find any example in the documentation).
>
> In the UI, when an end-user requests a new role, he can define properties
> on the assignment (parameters) for each role, but... is there any way to
> define that some properties / parameters are required so the user can't
> request the role without specifying some value for that parameter?
>
> I apologize in advance for the lengthy e-mail.
>
> Thanks,
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>