[midPoint] Attribute-Based Access Control user unassign on role mapping change

Pavol Mederly mederly at evolveum.com
Wed Apr 20 12:05:44 CEST 2022


Ádám,

the trick is to set up a mapping range, e.g. using assignment subtype 
(or another relevant "flag" for assignment values created by your mappings).

I am not sure how to do that for auto-assigned roles, but for 
template-based mappings it is quite simple.

Please refer to the docs and/or the samples (including the ones used for 
testing, i.e. in the main midPoint GitHub repo). Just search for any 
assignment-related mappings with a <range> element present.

Best regards,

-- 
Pavol Mederly
Software developer
evolveum.com
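A concrete shape of the template-based range described above, added here as an illustration and not code from either message or from midPoint's own samples: the mapping flags every assignment it creates with a subtype, and its target range selects the existing assignments carrying that flag, so once the condition stops holding for a user (for example after the employeeNumber rule changes) midPoint removes that flagged assignment on recompute instead of leaving the stale role in place. The subtype label `abac-auto`, the mapping name, and the use of `input` as the per-value variable inside the range condition are assumptions to verify against the midPoint mapping-range documentation; the OIDs are taken from the configuration quoted below.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<objectTemplate oid="516a979a-824d-497d-ac44-53f8af592a12">
  <name>User AD role auto assignment</name>
  <mapping>
    <!-- assumed mapping name; any unique label works -->
    <name>abac-requester-by-employeeNumber</name>
    <strength>strong</strength>
    <authoritative>true</authoritative>
    <source>
      <path>employeeNumber</path>
    </source>
    <expression>
      <value>
        <!-- flag: marks this assignment as owned by this mapping (assumed label) -->
        <subtype>abac-auto</subtype>
        <targetRef oid="e8fe3a12-6701-4943-8180-c3aff2d132e6" type="RoleType"/>
      </value>
    </expression>
    <target>
      <path>assignment</path>
      <!-- range: the set of existing assignments this mapping is allowed to
           add and, when the condition is false, to remove. Only flagged
           assignments are touched, so manually requested roles survive. -->
      <set>
        <condition>
          <script>
            <code>
              <!-- 'input' assumed to hold the assignment being tested -->
              input?.subtype?.contains('abac-auto')
            </code>
          </script>
        </condition>
      </set>
    </target>
    <!-- the ABAC rule; editing it now revokes the role from users
         who no longer match, because their flagged assignment is in range -->
    <condition>
      <script>
        <code>employeeNumber == '123456789'</code>
      </script>
    </condition>
  </mapping>
</objectTemplate>
```

After importing the template, run a recompute task over UserType so existing users are re-evaluated against the new rule and the out-of-range flagged assignments are dropped.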

On 13/04/2022 13:46, Német, Ádám via midPoint wrote:
> Hi,
>
> I use Midpoint version 4.4.1.
>
> I would like to create Attribute-Based Access Control (ABAC) roles. I 
> tried with role object auto assignment and object template, you can 
> see the configuration below. It was working very well in most cases.
>
> But when I changed the auto assign mapping rule of the role, the 
> unassign operation was not run for users who were only in the 
> kitchen organizational unit.
> Old ABAC rule: organizationalUnit?.norm == 'kitchen'
> New ABAC rule: organizationalUnit?.norm == 'livingroom'
>
> It had the same effect on object templates with another rule.
> Old ABAC rule: employeeNumber == '12345'
> New ABAC rule: employeeNumber == '123456789'
>
> So, the role membership revocation from the users was not evaluated 
> when the role mapping rule was changed. I tried to run recomputation 
> tasks too, but nothing happened.
>
> Is there a way to automatically unassign the role from users after the 
> role auto assign rule has changed?
>
> If the unassign has to be done manually, is there a best practice for 
> this case?
>
> Thank you for helping!
>
> Best regards,
> Adam Nemet
>
> Configuration:
> <?xml version="1.0" encoding="UTF-8"?>
>
> <config>
>   <role oid="1638b6d0-e0de-45b8-9828-c3b5ab6bf46e">
>     <name>Requester</name>
>     <autoassign>
>       <enabled>true</enabled>
>       <focus>
>         <mapping id="16">
>           <strength>strong</strength>
>           <source>
>             <path>organizationalUnit</path>
>           </source>
>           <condition>
>             <script>
>               <code>
>                 organizationalUnit?.norm == 'kitchen'
>               </code>
>             </script>
>           </condition>
>         </mapping>
>         <selector>
>           <type>UserType</type>
>         </selector>
>       </focus>
>     </autoassign>
>   </role>
>
>   <objectTemplate oid="516a979a-824d-497d-ac44-53f8af592a12">
>     <name>User AD role auto assigment</name>
>     <mapping>
>       <authoritative>true</authoritative>
>       <source>
>         <path>employeeNumber</path>
>       </source>
>       <expression>
>         <value>
>           <targetRef oid="e8fe3a12-6701-4943-8180-c3aff2d132e6" type="RoleType"/>
>         </value>
>       </expression>
>       <target>
>         <path>assignment</path>
>       </target>
>       <condition>
>         <script>
>           <code>employeeNumber == '12345'</code>
>         </script>
>       </condition>
>     </mapping>
>   </objectTemplate>
>
>   <systemConfiguration>
>     ...
>     <roleManagement>
>       <roleCatalogRef oid="20000000-7798-11e2-964e-200000000100" relation="org:default" type="c:OrgType">
>         <!-- IT Department -->
>       </roleCatalogRef>
>       <roleCatalogCollections>
>         <collection>
>           <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog</collectionUri>
>         </collection>
>         <collection>
>           <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles</collectionUri>
>         </collection>
>       </roleCatalogCollections>
>       <defaultCollection>
>         <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog</collectionUri>
>       </defaultCollection>
>       <autoassignEnabled>true</autoassignEnabled>
>     </roleManagement>
>     ...
>     <defaultObjectPolicyConfiguration>
>       <objectTemplateRef oid="516a979a-824d-497d-ac44-53f8af592a12" relation="org:default" type="c:ObjectTemplateType">
>         <!-- User Template -->
>       </objectTemplateRef>
>       <type>UserType</type>
>     </defaultObjectPolicyConfiguration>
>     ...
>   </systemConfiguration>
> </config>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint