[midPoint] Technical/Service Accounts

Arnošt Starosta - AMI Praha a.s. arnost.starosta at ami.cz
Fri Nov 8 14:41:40 CET 2019


Hi Rainer,

> I want to bind these technical
> accounts to a person, that is responsible for that account. One person can
> be responsible for more than one technical account.


It's been done many times; however, I don't know of any native construct
that supports this. Creating a service/role object per account and
assigning these to user objects works.

You might link multiple resource accounts to a single user/focus object, but
the functionality is only literally half implemented so far; only inbound
mappings work. Modeling with personas or shadow intents is imho limited to
a fixed set of occurrences, no 1..n, just 1..fixed-k.


> Further, I want to be
> able to disable the accounts depending of the state of the responsible
> user.
>

You will need model hooks to synchronize the state: check the delta for a
specific attribute change (administrative or effective status in your case)
and update all service accounts. As something may go wrong during the
updates, you will need a periodic task checking and repairing state
consistency. It's clumsy, but it works. If anybody knows any other
solution, please share.


> The service accounts should be synchronized between several resources,
> i.e. LDAP and the mail system.
>

No problem for a service or role as the focus having resource accounts.


> These accounts need also passwords etc.


This may have improved during recent 4.0 updates, but generating passwords
for non-user focus objects in schemaHandling/credentials was not supported;
you had to do it by a custom hook again. Please check the current state with
role/service objects yourself.


> and some attributes should be
> checked for uniqueness for all accounts, i.e. mail addresses.
>

Should be ok; when generating attribute values, you can use
midpoint.isUniquePropertyValue to check whatever attribute and entity you
like.

Good luck
arnost


> I have read about the Service Account Management in MidPoint:
> https://wiki.evolveum.com/display/midPoint/Service+Account+Management
> But I am not sure whether this will do the task, e.g. is it possible to check
> for the email address uniqueness between normal users' accounts and service
> accounts.
>
> What would you advice?
> - Import these accounts into user objects?
> - Link the technical accounts to existing users?
> - Or extend the service schema with POSIX attributes like numerical UID
> and email addresses?
> - Is there an easy way to enforce uniqueness to attributes in different
> object types?
>
> Heap of questions... ;-)
>
> TIA!
>
>
> Rainer Herbst
> Leiter IT-Service
> Phone: +49 331 7499-257
> e-mail: rainer.herbst at aip.de
> https://www.aip.de
>
>
> -----------------------------------------------------------------------------------------------
> Leibniz-Institut für Astrophysik Potsdam (AIP)
> An der Sternwarte 16, 14482 Potsdam
>
> Vorstand: Prof. Dr. Matthias Steinmetz, Matthias Winker
> Stiftung bürgerlichen Rechts
> Stiftungsverzeichnis Brandenburg: 26 742-00/7026
>
> -----------------------------------------------------------------------------------------------
>


-- 

*Arnošt Starosta*
solution architect

gsm: [+420] 603 794 932
e‑mail: arnost.starosta at ami.cz

*AMI Praha a.s.*
Pláničkova 11, 162 00 Praha 6

tel.: [+420] 274 783 239 | web: www.ami.cz


By the text of this e-mail the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.

This e-mail is intended solely for its addressee(s) and may contain
confidential or personal information. If you are not the intended recipient,
any disclosure, forwarding or other use of this information is prohibited.
If you have received this e-mail in error, please notify the sender and
immediately delete all copies of this e-mail including all its attachments.
Handling information obtained without authorization exposes you to the risk
of legal action.
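As an added illustration of the uniqueness check discussed in the reply above and asked about in the quoted message (e-mail addresses unique across both ordinary users and service objects), here is an object template mapping for ServiceType. This is example configuration written for this page; it is not code from this thread or from Evolveum. It assumes midPoint 4.0-era APIs, and it assumes (as the implementation appears to do) that midpoint.isUniquePropertyValue only searches objects of the same type as the object passed to it, which is why the mapping queries FocusType directly with midpoint.searchObjects so that UserType and ServiceType are covered together. The template name and the mail domain example.org are constructed for the example.

```xml
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>service-object-template</name> <!-- constructed name -->
    <mapping>
        <name>service-unique-email-address</name>
        <!-- weak: only fills emailAddress when it is still empty -->
        <strength>weak</strength>
        <source>
            <path>name</path>
        </source>
        <expression>
            <script>
                <code><![CDATA[
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType

// constructed for the example: mail domain used for service mailboxes
def domain = 'example.org'

// local part derived from the service name (PolyString -> plain string)
def base = basic.stringify(name).toLowerCase().replaceAll(/[^a-z0-9.]/, '')

// true when any focus object (user, service, role, ...) other than the one
// being computed already carries this address
def taken = { String candidate ->
    def query = midpoint.prismContext.queryFor(FocusType.class)
            .item(FocusType.F_EMAIL_ADDRESS).eq(candidate)
            .build()
    def hits = midpoint.searchObjects(FocusType.class, query, null)
    return hits.any { it.oid != focus?.oid }
}

def candidate = "${base}@${domain}".toString()
int i = 1
while (taken(candidate) && i < 100) {
    candidate = "${base}${i}@${domain}".toString()
    i++
}
if (taken(candidate)) {
    // give up instead of silently producing a duplicate
    throw new IllegalStateException("no free mail address for " + base)
}
return candidate
]]></code>
            </script>
        </expression>
        <target>
            <path>emailAddress</path>
        </target>
    </mapping>
</objectTemplate>
```

The template is bound to services through defaultObjectPolicyConfiguration in the system configuration (type ServiceType, objectTemplateRef pointing at this template). Because the mapping is weak, an address set by hand or imported from a resource is left alone and only empty ones are generated. Note that a search-then-assign check like this is not atomic: two services recomputed concurrently can both find the same address free, so a uniqueness constraint on the mail resource itself (or the periodic repair task mentioned in the reply) is still needed as the backstop.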