<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>when I was working with parametric roles, I was using an approach
which I described here:
<a class="moz-txt-link-freetext" href="https://evolveum.com/blog/working-multi-tenant-roles/">https://evolveum.com/blog/working-multi-tenant-roles/</a></p>
<p>(The screenshots are from old midpoint :-) but you should get the
message.)</p>
<p>By default you can assign roles with parameters: orgRef or
tenantRef:</p>
<p>- orgRef: you select (probably any) of the organizations in
midPoint to be the parameter</p>
<p>- tenantRef: you select any organization marked as tenant in
midPoint to be the parameter</p>
<p>This might help you as it is (we were / are using this in
multiple deployments).<br>
</p>
<p>What we definitely want is to make this more configurable and
extensible. But I'm sure Radovan will prove more on this topic.<br>
</p>
<p>I believe the feature is tracked here:
<a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-3515">https://jira.evolveum.com/browse/MID-3515</a><br>
</p>
Best regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 29.06.2018 00:11, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAxX8chwQKLtefupsArPia+kGCVTEEwfJucrcmGObJyoM4KJMA@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">We
are working on a customer who needs to define some roles with
parameters to prevent role explosion scenario. I have found
lot of references to this issue on the wiki (<a
href="https://wiki.evolveum.com/display/midPoint/Role+Explosion"
moz-do-not-send="true">here</a>, <a
href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles"
moz-do-not-send="true">here</a> and <a
href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments"
moz-do-not-send="true">here</a>). There were also <a
href="https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html"
moz-do-not-send="true">similar question</a>s on the mailing
list few years ago where Radovan explains that is was designed
but not implemented.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Regarding
the Radovan explanation I am not sure if we should extend the
AssociationType to add custom parameters or if we should
define role parameters (couldn't find any example on the
documentation).</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">On
the UI when and end-user request a new role, he can define
properties on the assignment (parameters) for each role,
but... is there any way to define that some properties /
parameters are required so the user can't request the role
without specifying some value for that parameter ?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
apologize in advance for the lengthy e-mail</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Thanks,</div>
<div>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font
face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a
href="http://www.identicum.com"
target="_blank"
moz-do-not-send="true">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<!--'"--><br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>