<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
Short answer: entitlements are now fully supported in midPoint
core engine (partially in midPoint 3.0, fully in midPoint 3.1 and
later). The GUI support is lagging behind a bit. Some improvements
were made in 3.1 and 3.2. The GUI support for entitlements is
still not ideal, but as far as I can tell it is usable for
automation and basic use cases (see below). If you are interested,
GUI enhancements can still be planned for the 3.4 release.<br>
<br>
Entitlements are partially configured in the demo. When you open
the user details page and expand an LDAP account you will see an
"association" section. These are account associations to LDAP
groups. The LDAP groups are configured as entitlements. The demo
documentation needs an update (and thank you for pointing that
out).<br>
<br>
The current state of midPoint when it comes to entitlements is
focused mostly on automation. E.g. it is easy to use entitlements
in role definitions, it is easy to dynamically create entitlements
(e.g. LDAP or AD groups) for new organizational units or roles, it
is easy to automatically assign organizational unit members to
appropriate groups, etc. This functionality works well, it is well
tested (see
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a> and
other tests) and it is heavily used in several real-world
deployments. The GUI part is currently designed mostly to support
visibility. I.e. it can be used to inspect the entitlement
associations, but currently it is not designed to manage the
entitlements in a direct manual fashion. All our deployments
manage entitlements indirectly by managing organizational units
and roles. The change to organizational units and roles is then
automatically reflected to the entitlements and entitlement
associations.<br>
<br>
However, the GUI can be extended and currently we are in a period
of intensive GUI development. If you are interested in improving
GUI entitlement support you have the usual options:<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a><br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<br>
On 10/07/2015 06:56 PM, Manfredo Hopp wrote:<br>
</div>
<blockquote
cite="mid:CAB623R9LcvtR9O5f4w-ecriROFHO4CUrWfpNx98EG1m4GaxuKA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Hi,</div>
<div><br>
</div>
<div> we are evaluating midPoint as an alternative for propagation
to an LDAP with the provisioning of new users from DB and
possibly changes to structure from DB or through midPoint's
API.</div>
<div><br>
</div>
<div>Actually our users are registered in DB and associated with
different application roles, one of which is selected by the
user after login and forwarded to applications.<br>
</div>
<div>We also have an administrative system which maintains this
structure where we manage the concept of groups within roles
(grouping several roles), role delegation and have automatic
enrollment of users and role assignments.</div>
<div><br>
</div>
<div>Trying to get an overall knowledge about midPoint I was
following the Live Demo and some documentation and found out that
the concept of midPoint's Entitlement is what better suits our
need to reflect our Roles.</div>
<div><br>
</div>
<div>So I was trying to find out something about Entitlements in
the demo with no results. There is still a reference to it which I
copy:</div>
<div><br>
</div>
<div>"Some of the roles and organizational units modify
membership in LDAP groups. However, there is a limitation to
this somehow caused by the incomplete design of the connector
framework. Quite an ugly trick is needed to work around this
in current midPoint version. The trick is an ad-hoc support
for <code>ldapGroups</code> attribute in the LDAP connector.
However the attribute is hidden and needs to be manually added
to the generated LDAP resource schema. This also means that
the LDAP groups are normally not displayed for LDAP account in
midPoint. However we are working hard on this. The next
version of midPoint will introduce the concept of <em>Entitlements</em>
that will provide an elegant and systematic solution to this
problem."<br>
</div>
<div><br>
</div>
<div>Also I found this in documentation:<br>
</div>
<div><br>
</div>
<div>"MidPoint can be configured to fully understand
entitlements. MidPoint can know which resource objects
represent groups. Therefore midPoint can manage group
membership in a structured and automated way. MidPoint can
list entitlements and therefore it can be used to create smart
and convenient user interfaces. MidPoint support for
entitlements goes beyond the capabilities of vast majority of
IDM solutions."<br>
</div>
<div>and <br>
</div>
<div><br>
</div>
<div>"The entitlements are supported in midPoint core engine but
the GUI support is currently very limited"<br>
</div>
<div><br>
</div>
<div>So here come my questions: <br>
</div>
<div><br>
</div>
<div>What is the actual state of the entitlements GUI? Is it that of
the live Demo?</div>
<div><br>
</div>
<div>How could Entitlements administration be addressed?</div>
<div><br>
</div>
<div>Is there any midPoint Extension/Plugin that has been
developed?</div>
<div><br>
</div>
<div>To what extent can midPoint be extended?</div>
<div><br>
</div>
<div><br>
</div>
<div>Sorry for all this long introduction.<br>
</div>
<div><br>
</div>
<div>Regards MHopp<br>
</div>
<br>
</div>
</blockquote>
</body>
</html>