[midPoint] Entitlements with associations
Keith LeValley
klevalley2 at davenport.edu
Mon Oct 11 17:32:08 CEST 2021
Thank you for the response, and this works so I am starting to figure out
what's going on a little bit. My concern is that every group inside
openldap would then have to entitle the user to openldap. I was initially
thinking of controlling account creation in openldap through 3 roles
(depending on placement). I can condense this into one role using account
naming standards (our vendor accounts always start with v_ etc). I am not
really concerned with a user having an openldap account anytime they get
placed in a group that is entitled to openldap.
My concern though, and this is probably just a lack of understanding of
Midpoint. If the user is placed in say 15 different openldap groups, and
each of those groups are granting an entitlement to the user, does this
cause any type of performance or scaling issue with the user having those
15 openldap entitlements?
On Mon, Oct 11, 2021 at 10:35 AM Joshua Williams <
jwilliams+list at globalnaz.org> wrote:
> Hi Keith,
> I am fairly new to midPoint, so I may be a little off base. However, I
> have a Role that is similar to yours.
>
> To make the Metarole assign the account to the LDAP Posix Group, I have to
> use <assignment> for the Metarole and <inducement> for writing the LDAP
> account and attributes.
>
> <assignment>
> <!-- This assigns the LDAP Group Metarole -->
> <targetRef oid="10000000-0000-0000-0000-000000000003
> </assignment>
>
> <inducement>
> <!-- Sends the job to the appropriate resource -->
> <construction>
> <resourceRef oid="10000000-0000-0000-0000-000000000004"
> relation="org:default"
> type="c:ResourceType"></resourceRef>
> <attribute>
> <c:ref>ri:authServices</c:ref>
> <outbound>
> <strength>strong</strength>
> <expression>
> <value xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xsd:string”>attribute</value>
> </expression>
> </outbound>
> </attribute>
> </construction>
>
> </inducement>
>
> The Metarole I assign is basically this one:
> https://github.com/Evolveum/midpoint/blob/master/testing/story/src/test/resources/unix/role-meta-unix-group.xml
>
> Josh
>
> On Oct 11, 2021, at 7:45 AM, Keith LeValley via midPoint <
> midpoint at lists.evolveum.com> wrote:
>
> I was hoping someone might be able to explain the interaction with
> inducements using associations.
>
> I am using the example from the demo site, the meta role used to grant
> group entitlements to openldap. Below is the xml of that inducements
>
> <inducement id="2">
> <construction>
> <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
> relation="org:default" type="c:ResourceType">
> <!-- openldap -->
> </resourceRef>
> <kind>entitlement</kind>
> <intent>group</intent>
> </construction>
> </inducement>
> <inducement id="3">
> <construction>
> <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
> relation="org:default" type="c:ResourceType">
> <!-- openldap -->
> </resourceRef>
> <kind>account</kind>
> <intent>default</intent>
> <association id="3">
> <ref>ri:group</ref>
> <outbound>
> <expression>
> <associationFromLink xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
> <projectionDiscriminator xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="c:ShadowDiscriminatorType">
> <kind>entitlement</kind>
> <intent>group</intent>
> </projectionDiscriminator>
> </associationFromLink>
> </expression>
> </outbound>
> </association>
> </construction>
> <order>2</order>
> </inducement>
>
> This works, when I assign a user to a group, assign that group to the meta
> role the user gets the openldap inducement and will be added to the group
> in openldap also.
>
> Unfortunately this won't work for my setup, I need to split the inducement
> to openldap and to the group. The group and the user still get created but
> the association doesn't seem to work, the user is not assigned to the
> group. Below is the inducement to the group that entitles the user with
> the association
>
> <inducement id="2">
> <construction>
> <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
> relation="org:default" type="c:ResourceType">
> <!-- openldap -->
> </resourceRef>
> <kind>account</kind>
> <intent>default</intent>
> <association id="9">
> <ref>ri:group</ref>
> <outbound>
> <expression>
> <associationFromLink xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
> <projectionDiscriminator xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="c:ShadowDiscriminatorType">
> <kind>entitlement</kind>
> <intent>group</intent>
> </projectionDiscriminator>
> </associationFromLink>
> </expression>
> </outbound>
> </association>
> </construction>
> </inducement>
>
> Below is the inducement used to entitle the group
>
> <inducement id="2">
> <construction>
> <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31"
> relation="org:default" type="c:ResourceType">
> <!-- openldap -->
> </resourceRef>
> <kind>entitlement</kind>
> <intent>group</intent>
> </construction>
> </inducement>
>
> This to me looks like it should work? The user still has the same
> inducements; it's just spread between two different roles instead of on a
> single meta role.
>
>
>
> --
> Keith LeValley
> Identity Services Architect, Davenport University
> phone: (616) 732-1102
> klevalley2 at davenport.edu
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2 at davenport.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20211011/991e538a/attachment.htm>
More information about the midPoint
mailing list