[midPoint] Attribute-Based Access Control user unassign on role mapping change
Német, Ádám
adam.nemet at cdsys.hu
Wed Apr 13 13:46:42 CEST 2022
Hi,
I use Midpoint version 4.4.1.
I would like to create Attribute-Based Access Control (ABAC) roles. I tried
with role object auto assignment and object template, you can see the
configuration below. It was working very well in most cases.
But when I changed the auto assign mapping rule of the role, the
unassign operation did not run for users who were only in the kitchen
organizational unit.

Old ABAC rule: organizationalUnit?.norm == 'kitchen'
New ABAC rule: organizationalUnit?.norm == 'livingroom'

It had the same effect on object templates with another rule.

Old ABAC rule: employeeNumber == '12345'
New ABAC rule: employeeNumber == '123456789'

So, the revocation of the role membership from the users was not evaluated when the
role mapping rule was changed. I tried to run recomputation tasks too, but
nothing happened.
Is there a way to automatically unassign the role from users after the role
auto assign rule has changed?
If the unassign has to be done manually, is there a best practice for this
case?
Thank you for helping!
Best regards,
Adam Nemet
Configuration:

<?xml version="1.0" encoding="UTF-8"?>
<config>
  <role oid="1638b6d0-e0de-45b8-9828-c3b5ab6bf46e">
    <name>Requester</name>
    <autoassign>
      <enabled>true</enabled>
      <focus>
        <mapping id="16">
          <strength>strong</strength>
          <source>
            <path>organizationalUnit</path>
          </source>
          <condition>
            <script>
              <code>
                organizationalUnit?.norm == 'kitchen'
              </code>
            </script>
          </condition>
        </mapping>
        <selector>
          <type>UserType</type>
        </selector>
      </focus>
    </autoassign>
  </role>
  <objectTemplate oid="516a979a-824d-497d-ac44-53f8af592a12">
    <name>User AD role auto assignment</name>
    <mapping>
      <authoritative>true</authoritative>
      <source>
        <path>employeeNumber</path>
      </source>
      <expression>
        <value>
          <targetRef oid="e8fe3a12-6701-4943-8180-c3aff2d132e6"
                     type="RoleType"/>
        </value>
      </expression>
      <target>
        <path>assignment</path>
      </target>
      <condition>
        <script>
          <code>employeeNumber == '12345'</code>
        </script>
      </condition>
    </mapping>
  </objectTemplate>
  <systemConfiguration>
    ...
    <roleManagement>
      <roleCatalogRef oid="20000000-7798-11e2-964e-200000000100"
                      relation="org:default" type="c:OrgType">
        <!-- IT Department -->
      </roleCatalogRef>
      <roleCatalogCollections>
        <collection>
          <collectionUri>
            http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog
          </collectionUri>
        </collection>
        <collection>
          <collectionUri>
            http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles
          </collectionUri>
        </collection>
      </roleCatalogCollections>
      <defaultCollection>
        <collectionUri>
          http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog
        </collectionUri>
      </defaultCollection>
      <autoassignEnabled>true</autoassignEnabled>
    </roleManagement>
    ...
    <defaultObjectPolicyConfiguration>
      <objectTemplateRef oid="516a979a-824d-497d-ac44-53f8af592a12"
                         relation="org:default" type="c:ObjectTemplateType">
        <!-- User Template -->
      </objectTemplateRef>
      <type>UserType</type>
    </defaultObjectPolicyConfiguration>
    ...
  </systemConfiguration>
</config>
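The following is an added example, not part of the post and not midPoint's own code. It models, in Python, the behaviour the post describes: a strong conditional mapping that derives its assignment delta from how the condition evaluates against the old and the new attribute state, so that a user's own attribute change can revoke the role, but editing the rule itself never produces a removal because a recompute judges both states by the current rule. The condition-transition semantics, the `User` records, the `org_unit_is` stand-in for the Groovy condition and the `stale_assignments` check are all assumptions of this model; the role oid is the "Requester" oid from the configuration above. The `stale_assignments` function is the audit a practitioner would run after a rule change to list the holders that now need a manual unassignment.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Role oid of the "Requester" role from the post; every user below is constructed.
ROLE_OID = "1638b6d0-e0de-45b8-9828-c3b5ab6bf46e"

Condition = Callable[[Optional[str]], bool]


@dataclass
class User:
    name: str
    organizational_unit: Optional[str]
    assignments: Set[str] = field(default_factory=set)  # role oids currently held


def org_unit_is(unit: str) -> Condition:
    """Stand-in for the Groovy condition  organizationalUnit?.norm == '<unit>'.
    The PolyString norm is modelled here as trimmed, lower-cased text (assumption)."""
    return lambda ou: ou is not None and ou.strip().lower() == unit


def mapping_deltas(old_ou: Optional[str], new_ou: Optional[str], holds_target: bool,
                   condition: Condition, target: str) -> Dict[str, Set[str]]:
    """Assumed model of a strong conditional mapping: the condition is evaluated
    against the old and the new attribute state; a true result adds the target
    when it is missing, and only a true -> false transition removes it."""
    was, now = condition(old_ou), condition(new_ou)
    plus = {target} if now and not holds_target else set()
    minus = {target} if was and not now else set()
    return {"plus": plus, "minus": minus}


def apply_delta(user: User, delta: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    user.assignments |= delta["plus"]
    user.assignments -= delta["minus"]
    return delta


def recompute(user: User, condition: Condition, target: str = ROLE_OID) -> Dict[str, Set[str]]:
    """A recompute sees the same attribute value as old and new state, so both
    sides are judged by the *current* rule and a minus delta can never appear.
    This is why the recompute in the post left the kitchen users assigned."""
    delta = mapping_deltas(user.organizational_unit, user.organizational_unit,
                           target in user.assignments, condition, target)
    return apply_delta(user, delta)


def change_org_unit(user: User, new_ou: Optional[str], condition: Condition,
                    target: str = ROLE_OID) -> Dict[str, Set[str]]:
    """A change of the user's own attribute keeps the real old value, so a
    true -> false transition under an unchanged rule does produce the minus."""
    delta = mapping_deltas(user.organizational_unit, new_ou,
                           target in user.assignments, condition, target)
    user.organizational_unit = new_ou
    return apply_delta(user, delta)


def stale_assignments(users: List[User], condition: Condition,
                      target: str = ROLE_OID) -> List[str]:
    """Holders of the role that the current rule no longer covers: the leftovers
    of a rule change, which a recompute will not clean up and which need an
    explicit unassignment."""
    return sorted(u.name for u in users
                  if target in u.assignments and not condition(u.organizational_unit))


def demo():
    """Replays the post: assign under the 'kitchen' rule, edit the rule to
    'livingroom', recompute everyone, then audit for stale holders."""
    alice = User("alice", "kitchen")
    bob = User("bob", "livingroom")
    recompute(alice, org_unit_is("kitchen"))      # alice gets Requester under the old rule
    livingroom_rule = org_unit_is("livingroom")   # the rule is edited
    for u in (alice, bob):
        recompute(u, livingroom_rule)             # bob gains the role, alice keeps it
    return alice.assignments, bob.assignments, stale_assignments([alice, bob], livingroom_rule)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both users holding the role after the rule change, with `stale_assignments` naming `alice` as the holder to revoke; `change_org_unit` on a kitchen user moving elsewhere under the unchanged rule shows the removal path that does work. In practice the same audit can be done against an export of users and their assignments before the edited rule goes live, so the list of manual unassignments is known in advance.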