[midPoint] Weak construction and associations support for AD computers

Ivan Noris ivan.noris at evolveum.com
Mon Feb 27 09:11:14 CET 2023


Hi,

I was certainly using weak constructions with associations.

The following is a fragment from a metarole from our Advanced training 
(4.0-based, but I tested it on 4.4.x).

Resource is OpenLDAP (not AD).

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6">
    <name>LDAP Org Group Metarole</name>
    <description>If assigning this metarole, organization name (numeric) prefixed with 'org-' will be used for group name.</description>
    <inducement>
        <description>Inducement to create a group as a projection of midPoint organization</description>
        <construction>
            <description>Creates an object (group) for organization</description>
            <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>ldapOrgGroup</intent>
        </construction>
    </inducement>
    <inducement>
        <description>Inducement to create an account as a projection of user having assigned an organization with this metarole.</description>
        <construction>
            <description>Creates an account for user, and associates with group created for the organization assigned to the user.</description>
            <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:ldapOrgGroup</ref>
                <outbound>
                    <!-- The association mapping itself is strong, even though the construction below is weak -->
                    <strength>strong</strength>
                    <source>
                        <path>$focusAssignment/targetRef</path>
                        <!-- XXX to get relation -->
                    </source>
                    <expression>
                        <associationFromLink>
                            <!-- Link the account to the group projection of the assigned org (kind/intent below) -->
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>ldapOrgGroup</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
            <strength>weak</strength>
            <!-- Will not create account unless it already exists -->
        </construction>
        <order>2</order>
        <focusType>UserType</focusType>
    </inducement>
</role>

Hope this helps. If it does not work with newer midPoint, either there 
is something different in the configuration since then (I doubt it) or 
you have encountered a regression bug.

Best regards,

Ivan

On 26. 2. 2023 22:16, Yakov Revyakin via midPoint wrote:
> As I understood there is no chance to add association via weak 
> construction. We can modify plain attributes using this type of 
> construction but it doesn't cover associations. Even association 
> mapping is strong. We can't even see an indirect resource assignment 
> among assignments.
> This is a bit strange.
>
>
> On Fri, 24 Feb 2023 at 08:56, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>     I use mp4.4.3
>     I have metarole-role assign/revoke working for AD user accounts. I
>     have no specific logic in the group object definition.
>     I also checked my case with outbound mapping for associations set
>     to strong. Nothing happens.
>     Some posts ago I could see that weak construction with
>     associations working for someone - "LDAP Role not unassigned when
>     validTo is reached". He used mp4.6. Can it be the cause?
>
>
>     On Thu, 23 Feb 2023 at 23:12, Yakov Revyakin <yrevyakin at gmail.com>
>     wrote:
>
>         Hi again,
>         I'm trying to apply weak construction described here
>         https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions
>         for AD computer objects.
>         I simply sync existing computer objects linking them with a
>         user and after that apply some policies on them. The solution
>         must work only with existing objects. So, computer
>         creation/deletion is forbidden.
>
>         The first policy is to control a computer's DN - this works fine.
>         The second is to add the computer to a group applying
>         role+metarole to a user who owns this computer.
>
>         I'm not sure how to arrange this. I write a weak construction
>         with association but I can't see any influence on computer
>         membership. Could you help to complete this task?
>
>         My meta-role computer's groups:
>
> >         <!-- Namespace declarations added here; the posted fragment omitted them -->
> >         <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >               xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >               xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> >               xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> >               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >             <name>Meta IT Computer</name>
> >             <costCenter>managed</costCenter>
> >             <inducement>
> >                 <construction>
> >                     <!-- Weak construction: must not create or delete computer objects -->
> >                     <strength>weak</strength>
> >                     <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
> >                                  relation="org:default" type="c:ResourceType"/>
> >                     <kind>account</kind>
> >                     <intent>computer</intent>
> >                     <association>
> >                         <ref>ri:group</ref>
> >                         <outbound>
> >                             <authoritative>true</authoritative>
> >                             <expression>
> >                                 <associationFromLink>
> >                                     <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
> >                                         <kind>entitlement</kind>
> >                                         <intent>group</intent>
> >                                     </projectionDiscriminator>
> >                                 </associationFromLink>
> >                             </expression>
> >                         </outbound>
> >                     </association>
> >                 </construction>
> >                 <order>2</order>
> >                 <focusType>UserType</focusType>
> >             </inducement>
> >         </role>
>

-- 
Ivan Noris
Expert Identity Engineer
evolveum.com