
Using REST API

The following REST call assigns role 'auditor' with parameter 'm2set' to the user 'aM2Auditor' (that is, user aM2Auditor becomes an auditor for Machine Set 2). The modification is sent with PATCH; midPoint also accepts POST for the same request.

curl --user administrator:5ecr3t -H "Content-Type: application/xml" -X PATCH http://localhost:8080/midpoint/ws/rest/users/9a316a63-271e-4974-8ca5-e2baaf4d03a5 -d @pathToMidpointGit/samples/stories/unix-ldap-advanced/modification-assign-parametric-role.xml -v

Result

After clicking on the user details, go to the 'Assignments' tab panel. There is one assignment, 'Machine Admin - Machine Set 1' (or 'Machine Auditor - Machine Set 2' for the auditor). Now go to the 'Projections' tab panel. There is one account created in OpenLDAP (with intent default) and this account is decorated with the posixAccount object class: home directory, shell and Unix uid number are set. After clicking on this account, look at the associations. They list all the machines and access groups to which the user has access.

Use Case #2 - Create New Machine

Using midPoint GUI

Go to 'Organization structure -> Organization tree', select the 'Machines' tab and then:

  1. Select machine set to which a new machine is going to be added, e.g. click in the organization tree (left part) on Machine Set 1
  2. In the member table, click the gear wheel in the right corner and select 'Create member' - pop-up with the possible types for members will be shown
  3. Choose 'Service Type' from the combo box and click 'OK' button - form for new service is shown
  4. Fill attributes:
    1. Name = m1004
    2. DisplayName = Set 1 Machine 004
    3. Identifier = m1
    4. Type = machine
    5. .....
  5. Go to the Assignment tab panel
  6. In the right corner of the Assignments table click the gear wheel and select 'Assign' - a pop-up with available roles, services, resources and orgs will be shown
  7. Select the 'Metarole for Service' role and click the 'Add' button below
  8. Click the 'Save' button below
  9. In the right corner of the Assignments table click the gear wheel and select 'Recompute direct members' - Recompute task will run, all the members will be recomputed and assigned to the group for the new machine according to the configuration

Using REST API

The following REST call creates a new machine in midPoint, provisions it to OpenLDAP as a group decorated with posixGroup, and adds this group as a member of the parent group in OpenLDAP.

curl --user administrator:5ecr3t -H "Content-Type: application/xml" -X POST http://localhost:8080/midpoint/ws/rest/services -d @pathToMidpointGit/samples/stories/unix-ldap-advanced/create-new-machine.xml -v

Result

Go to the organization structure and click on Machine Set 1 in the left part. In the members table (the blue table in the right part) the new machine exists. Click on this new machine and go to the 'Assignments' tab panel. Two assignments exist: one is an assignment to the parent Machine Set and the second one is for the metarole 'Metarole for Services'. Now go to the 'Projection' tab panel, where one projection exists. It is an OpenLDAP group decorated with posixAccount. After clicking on the projection, the details for the group are shown. The association part keeps the information about the parent group (the group for the Machine Set) as it is stored in OpenLDAP.

Use Case #3 - New Users to LDAP are automatically added to MidPoint.

Create a new user in ou=People, dc=example, dc=com using Apache Directory Studio, or use the example .ldif file from pathToGit/samples/stories/unix-ldap-advanced/create-user.ldif

Result

Go to midPoint and navigate to Users -> List Users. Search for the user, for instance by the 'name' attribute. One result is returned. After clicking on the user details, go to the 'Assignments' tab panel. There is one assignment, for role 'Unix User'. Now go to the projections. There is one projection, which corresponds to the account in OpenLDAP decorated with the posixAccount auxiliary object class.

Use Case #4 - Deassign MP Super role, triggers removal from associated LDAP groups

Using midPoint GUI:

Go to 'Users -> List Users' and then:

  1. Click user details (e.g. aM1Admin)
  2. Go to the 'Assignments' tab panel
  3. Check the assignment which is going to be deleted.
  4. In the right corner of the Assignments table click the gear wheel, select 'Unassign' and confirm the pop-up window
  5. Click the 'Save' button below

Using REST API

The following REST call unassigns role 'auditor' with parameter 'm2set' from the user 'aM2Auditor' (that is, user aM2Auditor is no longer an auditor for Machine Set 2). The modification is sent with PATCH; midPoint also accepts POST for the same request.

curl --user administrator:5ecr3t -H "Content-Type: application/xml" -X PATCH http://localhost:8080/midpoint/ws/rest/users/9a316a63-271e-4974-8ca5-e2baaf4d03a5 -d @pathToMidpointGit/samples/stories/unix-ldap-advanced/modification-unassign-parametric-role.xml -v

Result

After clicking on the user details, go to the 'Assignments' tab panel. The assignment 'Machine Admin - Machine Set 1' (or 'Machine Auditor - Machine Set 2') is no longer there. Now go to the 'Projections' tab panel. There is no projection and no account in OpenLDAP (with intent default). Open Apache Directory Studio and search for the user aM1Admin. There is no such user. Check the groups for Machine Set 1: none of them has a memberUid with value aM1Admin.

Use Case #5 - Add MP administrative users for varying levels / domains

After one of the roles 'admin', 'auditor' or 'user' is assigned to a user, he/she automatically gets access rights to midPoint. Authorizations are configured at different levels for the different roles and also depend on the Machine Set that is selected while assigning the role to the user.

Machine Admin for Machine Set 1 - a user who has the role admin assigned with the parameter Machine Set 1

Such a user is an administrator restricted to Machine Set 1. It means he/she can manage all objects in midPoint which belong to Machine Set 1, represented as an organization in midPoint. You can add any objects (except node and shadow) to the organization using the midPoint GUI. Navigate to the member table for the selected organization (the blue table in the right part below), click on the gear wheel and select 'Assign member'. A pop-up with the available objects is shown. Select the type of object you want to assign, check the object which should be assigned and click the 'Add' button below. The task (ExecuteChanges) starts to run and creates the assignment/link of the objects to the organization.

Machine Auditor for Machine Set 1 - a user who has the role auditor assigned with the parameter Machine Set 1

Such a user is an auditor restricted to Machine Set 1. He/she can view all the users who also have access to Machine Set 1 (at any access level). This user can modify some of their attributes and can also assign/unassign roles for these users. As an auditor, he/she is also allowed to run certification campaigns and so decide about users' access rights.

Machine User for Machine Set 1 - a user who has the role user assigned with the parameter Machine Set 1

Such a user is a plain user restricted to Machine Set 1. A user with this role is allowed to log in to midPoint and manage his/her own account. He/she can change the password and some of the basic (profile-like) attributes, and can also request a new role.

Use Case #6 - Self-service functions

After a user logs in to midPoint, the self-service functions are available in the left navigation panel. The user is able to:

  • change some attributes (e.g. family name, given name, ...),
  • change the password,
  • request a new role

Use Case #7 - Workflow

Assign role 'Auditor for Machine Set 2' to a user as a user with role 'Admin for Machine Set 2' - the role is automatically approved, no additional approval is needed

Assign role 'Auditor for Machine Set 2' to a user as a user with role 'Admin for Machine Set 1' - workflow process starts to run, this assignment has to be approved by one of the administrators for Machine Set 2

Assign role 'X for Machine Set 2' to a user as a user with role 'Auditor for Machine Set X' - workflow process starts to run, this assignment has to be approved by one of the administrators for Machine Set 2

Assign role 'X for Machine Set 2' to a user as a user with role 'User for Machine Set X' - a workflow process starts to run, this assignment has to be approved by one of the administrators for Machine Set 2
(these rules apply to all machine sets)
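The approval rules of Use Case #7 and the per-set authorization levels of Use Case #5 can be expressed as one small policy model. The following Python is an added example, not code from the page or from midPoint itself: it models a parametric assignment as (role, machine set), answers who may see whom, and decides whether a requested assignment is approved at once, goes to the administrators of the target machine set, or is refused because the requester is not allowed to assign roles to others. It generalises the page's rule to every machine set (the page states the rules apply to all sets): immediate approval only when the requester administers the target set. The user directory (aM2Admin, jdoe), the level numbers and the outcome strings are constructed for the example; aM1Admin and aM2Auditor are the page's own user names.

```python
"""Policy model for parametric roles on machine sets (Use Cases #5 and #7).

Constructed example: role names and machine-set identifiers follow the page;
the directory of users and the outcome labels are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Access levels of the three parametric roles, weakest to strongest.
ROLE_LEVEL = {"user": 1, "auditor": 2, "admin": 3}


@dataclass(frozen=True)
class Assignment:
    role: str         # 'admin', 'auditor' or 'user'
    machine_set: str  # the role parameter, e.g. 'm1set' or 'm2set'

    def __post_init__(self) -> None:
        if self.role not in ROLE_LEVEL:
            raise ValueError(f"unknown role {self.role!r}")


@dataclass(frozen=True)
class User:
    name: str
    assignments: FrozenSet[Assignment]


# Constructed directory: aM1Admin and aM2Auditor appear on the page, the others do not.
DIRECTORY: Dict[str, User] = {
    u.name: u
    for u in (
        User("aM1Admin", frozenset({Assignment("admin", "m1set")})),
        User("aM2Admin", frozenset({Assignment("admin", "m2set")})),
        User("aM2Auditor", frozenset({Assignment("auditor", "m2set")})),
        User("jdoe", frozenset({Assignment("user", "m1set")})),
    )
}


def level(user: User, machine_set: str) -> int:
    """Strongest role the user holds for one machine set (0 = no access)."""
    return max(
        (ROLE_LEVEL[a.role] for a in user.assignments if a.machine_set == machine_set),
        default=0,
    )


def admins_of(machine_set: str, directory: Dict[str, User]) -> List[str]:
    """Administrators of a machine set: the approvers of Use Case #7."""
    return sorted(n for n, u in directory.items() if level(u, machine_set) == ROLE_LEVEL["admin"])


def visible_users(viewer: User, directory: Dict[str, User]) -> List[str]:
    """Use Case #5: an auditor (or admin) sees every user who has any access to a
    machine set the viewer audits or administers, whatever that user's level."""
    audited = {a.machine_set for a in viewer.assignments
               if ROLE_LEVEL[a.role] >= ROLE_LEVEL["auditor"]}
    return sorted(n for n, u in directory.items() if any(level(u, s) > 0 for s in audited))


def decide(requester: str, target: str, role: str, machine_set: str,
           directory: Dict[str, User] = DIRECTORY) -> Tuple[str, List[str]]:
    """Outcome of assigning role@machine_set to target, requested by requester.

    Returns ('approved', []), ('pending', approvers) or ('denied', []).
    Use Case #7, generalised to every set: approved at once only when the
    requester administers the target machine set, otherwise one of that set's
    administrators has to approve.  Use Case #5 decides who may request for
    others at all (admins and auditors); anyone may request a role for
    themselves (self-service, Use Case #6).
    """
    req = directory[requester]
    requested = Assignment(role, machine_set)
    may_assign_others = any(ROLE_LEVEL[a.role] >= ROLE_LEVEL["auditor"] for a in req.assignments)
    if requester != target and not may_assign_others:
        return ("denied", [])
    if requested in directory[target].assignments:
        return ("approved", [])  # already held, nothing to approve
    if level(req, machine_set) == ROLE_LEVEL["admin"]:
        return ("approved", [])
    return ("pending", admins_of(machine_set, directory))


if __name__ == "__main__":
    for args in (("aM2Admin", "jdoe", "auditor", "m2set"),
                 ("aM1Admin", "jdoe", "auditor", "m2set"),
                 ("aM2Auditor", "jdoe", "admin", "m2set"),
                 ("jdoe", "aM2Auditor", "user", "m1set")):
        print(args, "->", decide(*args))
```

The four calls in the main block reproduce the four cases listed above: the first is approved directly, the next two wait for aM2Admin, and the last is refused because a plain user cannot assign roles to anyone but themselves.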

Use Case #8 - Temporal Constraints

Using midPoint GUI:

Go to 'Users -> List Users' and then:

  1. Click user details (e.g. aM1Admin)
  2. Go to the 'Assignments' tab panel
  3. In the right corner of the Assignments table click the gear wheel and select 'Assign' - a pop-up with available roles, services, resources and orgs will be shown
  4. In the pop-up (roles listed) select the 'admin' role and click the 'Add' button below
  5. Click on the newly created assignment panel for the 'Machine Admin' role and then click on the pencil button for 'Organization Unit/Project' - a pop-up with available machine sets will be shown
  6. Select the Machine Set for which the user should be administrator by clicking on its name, e.g. select m1set
  7. In the Activation part of the assignment fill in the 'valid to' date (e.g. in three days)
  8. Click the 'Save' button below
  9. Check user details - projection and its associations
  10. Go to the Configuration -> Internals configuration
  11. Change time (e.g. in 4 days), click 'Change time' button
  12. Go to the Server tasks -> List tasks
  13. Search for Validity scanner and open it
  14. Click the 'Run now' button below

Using REST API

The following REST call assigns role 'auditor' with parameter 'm2set' to the user 'aM2Auditor' (that is, user aM2Auditor is an auditor for Machine Set 2). The modification is sent with PATCH; midPoint also accepts POST for the same request.

curl --user administrator:5ecr3t -H "Content-Type: application/xml" -X PATCH http://localhost:8080/midpoint/ws/rest/users/9a316a63-271e-4974-8ca5-e2baaf4d03a5 -d @pathToMidpointGit/samples/stories/unix-ldap-advanced/modification-unassign-parametric-role.xml -v
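The REST calls on this page (the assignment in the first use case, the unassignment in Use Case #4 and the expiring assignment of Use Case #8) all send a midPoint object-modification document that the page references only by file name. The following Python is an added example, not code from the page or from the midPoint samples: it builds that document for a parametric role assignment (targetRef is the role, orgRef is the machine set chosen under 'Organization Unit/Project', and an optional activation/validTo gives the assignment the expiry used in Use Case #8), checks the result round-trips through a parser, and issues the same PATCH that the curl command does. The role and org OIDs, the environment variable names and the date are placeholders; the user OID, URL and credentials are the ones shown on the page.

```python
"""Build and send a midPoint object modification for a parametric role assignment.

Added example, not part of the page.  Role/org OIDs and env variable names are
placeholders; the XML namespaces are midPoint's own.
"""
import base64
import os
import re
import urllib.request
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

API_NS = "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
C_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
T_NS = "http://prism.evolveum.com/xml/ns/public/types-3"

# OIDs are inserted into XML attributes, so only accept a conservative character set.
_OID_RE = re.compile(r"[A-Za-z0-9._:-]{1,64}")


def is_safe_oid(value: str) -> bool:
    """True when the value can be embedded in an XML attribute without escaping tricks."""
    return bool(_OID_RE.fullmatch(value))


def build_assignment_delta(action: str, role_oid: str, org_oid: str, valid_to: str = None) -> str:
    """Return an objectModification document that adds or deletes one assignment.

    action    'add' or 'delete' (delete matches the assignment by value)
    role_oid  OID of the parametric role ('admin', 'auditor', 'user')
    org_oid   OID of the machine set org, i.e. the role parameter
    valid_to  optional xsd:dateTime after which the assignment stops being valid
    """
    if action not in ("add", "delete"):
        raise ValueError("action must be 'add' or 'delete'")
    for oid in (role_oid, org_oid):
        if not is_safe_oid(oid):
            raise ValueError(f"unsafe OID value: {oid!r}")
    activation = ""
    if valid_to is not None:
        activation = f"<c:activation><c:validTo>{escape(valid_to)}</c:validTo></c:activation>"
    xml = (
        f'<objectModification xmlns="{API_NS}" xmlns:c="{C_NS}" xmlns:t="{T_NS}">'
        "<itemDelta>"
        f"<t:modificationType>{action}</t:modificationType>"
        "<t:path>c:assignment</t:path>"
        "<t:value>"
        f'<c:targetRef oid="{role_oid}" type="c:RoleType"/>'
        f'<c:orgRef oid="{org_oid}" type="c:OrgType"/>'
        f"{activation}"
        "</t:value>"
        "</itemDelta>"
        "</objectModification>"
    )
    ET.fromstring(xml)  # fail fast if the document is not well-formed
    return xml


def parse_delta(xml: str) -> dict:
    """Read back the fields of a document produced by build_assignment_delta."""
    root = ET.fromstring(xml)
    delta = root.find(f"{{{API_NS}}}itemDelta")
    value = delta.find(f"{{{T_NS}}}value")
    valid_to = value.find(f"{{{C_NS}}}activation/{{{C_NS}}}validTo")
    return {
        "action": delta.findtext(f"{{{T_NS}}}modificationType"),
        "role_oid": value.find(f"{{{C_NS}}}targetRef").get("oid"),
        "org_oid": value.find(f"{{{C_NS}}}orgRef").get("oid"),
        "valid_to": None if valid_to is None else valid_to.text,
    }


def build_request(base_url: str, user_oid: str, body: str, username: str, password: str,
                  method: str = "PATCH") -> urllib.request.Request:
    """Same request as the curl command: basic auth, XML body, PATCH to /ws/rest/users/{oid}."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/ws/rest/users/{user_oid}",
        data=body.encode("utf-8"),
        method=method,
        headers={"Content-Type": "application/xml", "Authorization": f"Basic {token}"},
    )


def send(req: urllib.request.Request, timeout: float = 10.0):
    """Execute the request; returns (HTTP status, response body)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Placeholder OIDs and a constructed expiry date; the server is only
    # contacted when MIDPOINT_URL is set in the environment.
    body = build_assignment_delta("add", os.environ.get("ROLE_OID", "role-oid-placeholder"),
                                  os.environ.get("ORG_OID", "org-oid-placeholder"),
                                  valid_to="2025-01-04T00:00:00Z")
    print(body)
    if os.environ.get("MIDPOINT_URL"):
        req = build_request(os.environ["MIDPOINT_URL"], "9a316a63-271e-4974-8ca5-e2baaf4d03a5",
                            body, "administrator", os.environ.get("MIDPOINT_PASSWORD", "5ecr3t"))
        print(send(req))
```

Passing `"delete"` as the action with the same targetRef and orgRef produces the unassignment body of Use Case #4; leaving `valid_to` out gives the plain assignment of the first use case. The OID check matters because the values end up inside XML attributes: a value taken from an untrusted form field would otherwise be able to alter the document structure.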

Result

After clicking on the user details, go to the 'Assignments' tab panel. There is one assignment, 'Machine Admin - Machine Set 1' (or 'Machine Auditor - Machine Set 2'). Now go to the 'Projections' tab panel. There is no projection and no account in OpenLDAP (with intent default). Open Apache Directory Studio and search for the user aM1Admin. There is no such user. Check the groups for Machine Set 1: none of them has a memberUid with value aM1Admin.

See also

...