[midPoint] Weak construction and associations support for AD computers

Yakov Revyakin yrevyakin at gmail.com
Sun Feb 26 22:16:04 CET 2023


As I understand it, there is no chance to add an association via a weak
construction. We can modify plain attributes using this type of
construction, but it doesn't cover associations. Even association mapping is
strong. We can't even see an indirect resource assignment among
assignments.
This is a bit strange.


On Fri, 24 Feb 2023 at 08:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:

> I use mp4.4.3
> I have metarole-role assign/revoke working for AD user accounts. I have no
> specific logic in the group object definition.
> I also checked my case with the outbound mapping for associations set to
> strong. Nothing happens.
> Some posts ago I could see a weak construction with associations
> working for someone - "LDAP Role not unassigned when validTo is reached".
> He used mp4.6. Can it be the cause?
>
>
> On Thu, 23 Feb 2023 at 23:12, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> Hi again,
>> I'm trying to apply the weak construction described here
>>
>> https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions
>> for AD computer objects.
>> I simply sync existing computer objects, linking them with a user, and
>> after that apply some policies to them. The solution must work only with
>> existing objects. So, computer creation/deletion is forbidden.
>>
>> The first policy is to control a computer's DN - this works fine.
>> The second is to add the computer to a group applying role+metarole to a
>> user who owns this computer.
>>
>> I'm not sure how to arrange this. I wrote a weak construction with an
>> association but I can't see any influence on computer membership. Could you
>> help to complete this task?
>>
>> My meta-role computer's groups:
>>
>> <role>
>>     <name>Meta IT Computer</name>
>>     <costCenter>managed</costCenter>
>>     <inducement>
>>         <construction>
>>             <strength>weak</strength>
>>             <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
>>             <kind>account</kind>
>>             <intent>computer</intent>
>>             <association>
>>                 <ref>ri:group</ref>
>>                 <outbound>
>>                     <authoritative>true</authoritative>
>>                     <expression>
>>                         <associationFromLink>
>>                             <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
>>                                 <kind>entitlement</kind>
>>                                 <intent>group</intent>
>>                             </projectionDiscriminator>
>>                         </associationFromLink>
>>                     </expression>
>>                 </outbound>
>>             </association>
>>         </construction>
>>         <order>2</order>
>>         <focusType>UserType</focusType>
>>     </inducement>
>> </role>