[midPoint] Weak construction and associations support for AD computers

Yakov Revyakin yrevyakin at gmail.com
Fri Feb 24 07:56:20 CET 2023


I use mp4.4.3.
I have metarole-role assign/revoke working for AD user accounts. I have no
specific logic in the group object definition.
I also checked my case with the outbound mapping for associations set to
strong. Nothing happens.
Some posts ago I could see weak construction with associations working
for someone - "LDAP Role not unassigned when validTo is reached". He used
mp4.6. Can it be the cause?


On Thu, 23 Feb 2023 at 23:12, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> Hi again,
> I'm trying to apply weak construction described here
>
> https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions
> for AD computer objects.
> I simply sync existing computer objects linking them with a user and after
> that apply some policies on them. The solution must work only with existing
> objects. So, computer creation/deletion is forbidden.
>
> The first policy is to control a computer's DN - this works fine.
> The second is to add the computer to a group by applying role+metarole to
> the user who owns this computer.
>
> I'm not sure how to arrange this. I wrote a weak construction with an
> association but I can't see any influence on computer membership. Could you
> help me complete this task?
>
> My meta-role computer's groups:
>
> <role>
>     <name>Meta IT Computer</name>
>     <costCenter>managed</costCenter>
>     <inducement>
>         <construction>
>             <strength>weak</strength>
>             <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>computer</intent>
>             <association>
>                 <ref>ri:group</ref>
>                 <outbound>
>                     <authoritative>true</authoritative>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>                                 <kind>entitlement</kind>
>                                 <intent>group</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>         <focusType>UserType</focusType>
>     </inducement>
> </role>
>
>
>