[midPoint] Weak construction and associations support for AD computers
Yakov Revyakin
yrevyakin at gmail.com
Thu Feb 23 22:12:13 CET 2023
Hi again,
I'm trying to apply the weak construction described here
https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions
for AD computer objects.
I simply sync existing computer objects, linking them with a user, and after
that apply some policies to them. The solution must work only with existing
objects. So, computer creation/deletion is forbidden.
The first policy is to control a computer's DN - this works fine.
The second is to add the computer to a group by applying a role+metarole to
the user who owns this computer.
I'm not sure how to arrange this. I wrote a weak construction with an
association, but I can't see any influence on computer membership. Could you
help me complete this task?
My meta-role computer's groups:
<role>
    <name>Meta IT Computer</name>
    <costCenter>managed</costCenter>
    <inducement>
        <construction>
            <strength>weak</strength>
            <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>computer</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <authoritative>true</authoritative>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <focusType>UserType</focusType>
    </inducement>
</role>