Page tree

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

midPoint is using a (very) extended version of Role-Based Access Control (RBAC) mechanism. RBAC is originally defined as mostly static structure of users and roles. The original RBAC defines that user assigned to the role gets all the rights implied by the role. If two users have the same role, they have the same rights. However, this leads to the problem of Role Explosion. We hope to solve that problem by enhancing RBAC model with logic. We add ability to specify expressions in role definitions that determine how and when the role is used. Therefore the role can adapt to the attributes of user that has the role or even the role assignment itself can be parametrized. This allows to construct RBAC structures that are using fewer roles and that are much more manageable.

...

The (simplified) role definitions in XML is as follows:

Code Block
xml
xml

<role oid="9991">
    <name>Captain</name>
    <accountConstruction><inducement>
        <construction>
            <resourceRef oid="88828881" type="c:ResourceType"/>
            <kind>account</kind>
        </accountConstruction>construction>
    <accountConstruction></inducement>
    <inducement>
        <construction>
            <resourceRef oid="88818882" type="c:ResourceType"/>
            <kind>account</kind>
        </accountConstruction>construction>
    </inducement>
</role>

<role oid="9992">
    <name>Pirate</name>
<inducement>
   <accountConstruction>     <construction>
            <resourceRef oid="8881" type="c:ResourceType"/>
            <kind>account</kind>
        </accountConstruction>construction>
    <accountConstruction></inducement>
    <inducement>
        <construction>
            <resourceRef oid="8883" type="c:ResourceType"/>
            <kind>account</kind>
        </accountConstruction>construction>
    </inducement>
</role>

Implied Accounts

If the captain and pirate roles get assigned to Jack, the result should be that Jack has three accounts: Maritime Information System account, Rum Supply Management account and Shipwreck Cove account. Roles imply or construct these accounts. A user assigned to a role will get accounts on all resources that the role implies (unless he already has such accounts).

...

The implied accounts are defined by the Account Construction XML structure. It basically defines the resource in which the appropriate kind of resource object (in this case an account) has to be created, . It may also specify the object intent (account type), attribute values and an optional condition.

If two or more roles imply accounts in the same resource, usually only one account will be created. The specific behavior depends on account types the use of intent definition (still work in progress).

...

The XML role definition illustrated by this example is as follows:

Code Block
xml
xml

<role oid="9991">
    <name>Captain</name>
    <accountConstruction><inducement>
        <construction>
            <resourceRef oid="8881" type="c:ResourceType"/>
            <kind>account</kind>
            <attribute>
                <ref>rum:mugSize</ref>
                <outbound>
                    <expression>
                        <value>BIG</value>
                    </expression>
                </outbound>
            </attribute>
            <attribute>
                <ref>rum:mugName</ref>
                <outbound>
                    <source>
                        <path>$user/givenName</path>
                    </source>
                <outbound>
            </attribute>
        </accountConstruction>construction>
    </inducement>
</role>

The role is implying account on Rum Supply System resource. It is also implying that the attribute mugSize of such account should be set to value BIG and the attribute mugName should be set to the value of user property givenName. The figure above illustrate how the attribute values "flow" through the definitions.

The figure above is somehow simplified. In fact the role definitions are using mappings to determine attribute values. It is the same mechanism that is used in assignments and resource schema handling section therefore the same features and limitations apply here. Following diagram provides more detailed illustration of use of mappings in the roles. Each mapping has three parts: source, value constructor and target (see Mapping). However some of these parts can be determined by the context in which the mapping is used. Therefore not all parts of the mapping needs to be present when constructing the roles. This is illustrated in the following diagram where the implicit parts of the mappings are marked by dashed outlines. The first mapping in the following diagram determines target the value of account mugSize attribute. As it is places inside attribute section of accountConstruction a construction definition the system can automatically determine mapping target. Therefore only a value constructor is explicitly defined. In this case it is value clause that constructs a static value BIG (see the XML snippet above). The second mapping in the following diagram is slightly more complex. It is using user property givenName as a source (written as $user/givenName). This is then passed without any modification through asIs value constructor. This constructor is the default constructor in a mapping therefore there it is omitted in the role specification above. Mapping target is also determined implicitly by the context.

...

The XML role definition is as follows:

Code Block
xml
xml

<role oid="9991">
    <name>Captain</name>
    <accountConstruction><inducement>
        <construction>
            <resourceRef oid="8882" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <!-- TODO -->
            <entitlement objectClass="mis:GroupObjectClass">
            <value>
                <mis:id>captains</mis:id>
            </value>
        </entitlement>construction>
    </accountConstruction>inducement>
</role>

Assignments

Assignment is a generic concept of associating user with the things that he should have or belong to. Assignment may associate user with a role, organizational unit or any other kind of object. However, roles and organizational units are the most common object types that are assigned to a user.

Roles are associated to to users using assignment as illustrated by the following example:

Code Block
xml
xml

<user oid="0001">
    <name>jack</name>
    <fullName>Jack Sparrow</fullName>
    ...
    <assignment>
        <targetRef oid="9991" type="c:RoleType"/>
    </assignment>
    ...
</user>

...

See Assignment page for more details about assignments. See Advanced RBAC Examples for more information on how to use role parameters.

Role Hierarchy

...

Inducements

Simply speaking inducements are indirect assignments. Unlike assignments inducements do not apply to the object in which they are specified. Inducements apply to the object that is has assigned the object which contains inducements. E.g. inducements specified in a role will not be applied to the role itself. The inducements will be applied to the user that is assigned to such role.

In all other aspects the inducement and assignment are identical. Both may contain target reference, construction, condition, etc. Unless you are creating a very complex setup there is a simple rule of the thumb to adhere to:

  • Users have assignments
  • Roles have inducements

 

Info
titleWhy we need both assignments and inducements?

 Assignments and inducements are internally identical. And in fact there was only an assignment which was used both directly and indirectly in previous midPoint versions (prior to version 2.2). This simple approach works well as long as we only deal with users and accounts. But the situation gets very complex once we allow roles and organizational units to have associated shadows in a similar way that user has account shadow. This is a very powerful feature that is planned for future midPoint versions. Therefore we had to refine and clean up the data model to allow for greater flexibility and expressive power. And therefore we need both (direct) assignment and (indirect) inducement. While it may seem a bit overcomplicated now having a clean and unambiguous data model will greatly pay off in the future.

Role Hierarchy

Roles contain inducements which have identical structure to user assignments. Therefore a role may be (indirectly) assigned to another role using the inducement. This simple principle creates quite a complex and flexible structure of role hierarchy. An example of a role hierarchy is provided in the following diagram.

...