[midPoint] Group association with accounts of different intents
Yakov Revyakin
yrevyakin at gmail.com
Tue Apr 23 14:49:23 CEST 2024
I understood how to select which account intent to use when applying roles
using a metarole. Using the assignment attribute "subtype" as a parameter,
we can configure in our meta-role which account we want to apply a role to.
The subtype can be set in the UI in the assignment or in the business role XML.
<!-- Metarole applied at order 2 through a group role. Each inducement builds the
     ri:group association on one account intent; its condition looks two steps
     up the assignment path, at the business role's assignment/inducement that
     carries the subtype, and enables only the inducement for that intent. -->
<role>
    <name>meta</name>
    <inducement>
        <construction>
            <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
                         relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <authoritative>true</authoritative>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <focusType>UserType</focusType>
        <condition>
            <expression>
                <script>
                    <!-- CDATA so the || and && operators need no XML escaping -->
                    <code><![CDATA[
                        import com.evolveum.midpoint.model.api.context.AssignmentPathSegment
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType

                        // business role -> group role segment, which carries the subtype
                        AssignmentType a = ((AssignmentPathSegment) assignmentPath.beforeLast(2)).getAssignment()
                        // no subtype at all, or subtype "default": use the default account
                        return basic.isEmpty(a.getSubtype()) || basic.contains(a.getSubtype(), "default")
                    ]]></code>
                </script>
            </expression>
        </condition>
    </inducement>
    <inducement>
        <construction>
            <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
                         relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>admin</intent>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <authoritative>true</authoritative>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <focusType>UserType</focusType>
        <condition>
            <expression>
                <script>
                    <code><![CDATA[
                        import com.evolveum.midpoint.model.api.context.AssignmentPathSegment
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType

                        // business role -> group role segment, which carries the subtype
                        AssignmentType a = ((AssignmentPathSegment) assignmentPath.beforeLast(2)).getAssignment()
                        // only an explicit subtype "admin" selects the admin account
                        return !basic.isEmpty(a.getSubtype()) && basic.contains(a.getSubtype(), "admin")
                    ]]></code>
                </script>
            </expression>
        </condition>
    </inducement>
</role>

<!-- Business role: the subtype on this inducement is what the metarole
     conditions above read via assignmentPath.beforeLast(2). -->
<role>
    <name>business</name>
    <inducement>
        <documentation>target below is a group role managed by metarole</documentation>
        <subtype>admin</subtype>
        <targetRef oid="3ed7ec5c-6bf6-4eaa-b214-afb83bfb7d03"
                   relation="org:default" type="c:RoleType"/>
        <focusType>c:UserType</focusType>
    </inducement>
</role>
On Fri, 12 Apr 2024 at 13:45, Yakov Revyakin <yrevyakin at gmail.com> wrote:
> I have AD group roles - name of role is equal to group name and the role
> has the group shadow linked.
> I am able to assign this role to a user using the standard metarole
> approach resulting in appropriate association and membership. This works
> excellently if there is a single account object type intent. The metarole
> knows which intent to consider.
> I'd like to be able to associate AD accounts of different intents with
> those groups.
> Have you any idea how to implement this? Probably something like an
> intermediate role which knows what intent to use...
> Thanks,
> Yakov
>
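The same intent selection as an added example, written for this editorial pass and not taken from the thread above or from midPoint's own distribution. It collapses the two hand-written condition scripts into one script that is identical in every copy of the inducement: the intent the inducement is for is passed in as an expression variable, and the script fails closed (associates the group with no account) when the assignment path is shorter than expected, for instance when the metarole ends up assigned too close to the user. Assumptions not confirmed by the post: that `assignmentPath.beforeLast(2)` returns null rather than throwing when the path has fewer segments, and that the expression's `<variable>` element is the right way to hand `wantedIntent` to the script. The resource OID and the intent names are the ones from the post; only the `admin` copy is shown, the `default` copy differs in `<intent>` and the variable value.

```xml
<!-- Added example, not the original poster's or midPoint's own configuration.
     One of the two inducements of the metarole; the other is the same with
     <intent>default</intent> and <value>default</value>. -->
<inducement>
    <construction>
        <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
                     relation="org:default" type="c:ResourceType"/>
        <kind>account</kind>
        <intent>admin</intent>
        <association>
            <ref>ri:group</ref>
            <outbound>
                <authoritative>true</authoritative>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
    <focusType>UserType</focusType>
    <condition>
        <expression>
            <!-- The only per-copy difference besides <intent> above. Assumption:
                 an expression variable is visible to the script under this name. -->
            <variable>
                <name>wantedIntent</name>
                <value>admin</value>
            </variable>
            <script>
                <code><![CDATA[
                    import com.evolveum.midpoint.model.api.context.AssignmentPathSegment
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType

                    // Two steps up: the business role's assignment/inducement that
                    // carries the subtype naming the wanted account intent(s).
                    AssignmentPathSegment seg = assignmentPath.beforeLast(2)
                    if (seg == null) {
                        // Assumption: beforeLast() yields null on a path that is too
                        // short. Fail closed: grant the group to no account at all.
                        return false
                    }
                    AssignmentType a = seg.getAssignment()
                    List<String> subtypes = a.getSubtype()

                    // No subtype means "default account only"; otherwise every listed
                    // subtype is the name of an intent that should receive the group,
                    // so a subtype list of ["default", "admin"] enables both copies.
                    if (basic.isEmpty(subtypes)) {
                        return wantedIntent == 'default'
                    }
                    return basic.contains(subtypes, wantedIntent)
                ]]></code>
            </script>
        </expression>
    </condition>
</inducement>
```

A practical check after importing this: recompute one user whose business role carries subtype `admin` and confirm in the account shadows that only the `admin` projection gained the `ri:group` association, then repeat with the subtype removed and confirm it moved to the `default` projection.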