Access Modeling Examples

Last modified 31 Oct 2022 14:41 +01:00

The following examples describe how access is represented in midPoint.

1. Example 1: Access to application

The following schema describes access to application ABC. Access to application ABC is managed via membership of LDAP groups. One user has access to the application configured directly in the application.

Access model of the application ABC:

  • members of ABC_R LDAP group have Reader access level to application ABC,

  • members of ABC_E LDAP group have Editor access level to application ABC,

  • members of ABC_M LDAP group have Manager access to application ABC,

  • user Clark Cooper has Manager access to application ABC.

User Adam Smith is a member of the ABC_R LDAP group and user Buster Blake is a member of the ABC_M group. These groups give them access to application ABC.

Figure: Application access model (the midPoint environment and configuration for this example).

The access model of application ABC is represented by roles that directly induce the ABC service (the service represents the application) and by a direct assignment of the ABC service to user Clark Cooper. The relations of these assignments and inducements carry the business description of the access level.

Such a midPoint configuration may be interpreted in technical (IAM) language or in business language.

Technical interpretation (IAM):

  • Adam Smith has role ABC:Readers assigned. Therefore he has an account in LDAP_resource and is a member of the ABC_R LDAP group. He has service ABC assigned.

  • Buster Blake has role ABC:Managers assigned. Therefore he has an account in LDAP_resource and is a member of the ABC_M LDAP group. He has service ABC assigned.

  • Clark Cooper has service ABC assigned.

This technical interpretation carries the information necessary for provisioning, but on its own it says little about the user's access to the application; that requires additional knowledge of the application access model.

Business interpretation (IGA):

This interpretation describes user access to the application in terms that are clearly understandable by business.

  • Adam Smith has Reader access to application ABC via application role ABC:Readers.

  • Buster Blake has Manager access to application ABC via application role ABC:Managers.

  • Clark Cooper has Manager access to application ABC.

2. Example 2: Access to application resource - direct assignment of resource

The application resource increases the flexibility of access modelling and enables parametric access.

Application resources may be assigned directly or via roles. When an application resource is assigned directly, the relation of that assignment defines the user's access level to the application resource.

The following schema describes access to the Confluence space Project X. The space is represented by an application resource. Access to the Confluence space is managed by direct assignment of the user to the space. The schema also describes one user being administrator of the whole Confluence application, to show the difference between managing access to the whole application and just to the application resource.

Access model of Confluence application:

  • members of conf_admins LDAP group have Administrator access level to Confluence application

Access model of Confluence space Project X:

  • user Buster Blake has Editor access to the Confluence space Project X

Figure: Application access (the midPoint environment and configuration for this example).

The user access to the Confluence space, described in business (IGA) terminology:

  • Buster Blake has Editor access to Confluence space Project X.

  • Buster Blake also has access to the Confluence application.

Additionally, we can tell that Adam Smith has Administrator access level to the Confluence application.

Probably we have a missing feature: how do we represent the relation in a shadow resource? An association does not have a relation.

3. Example 3: Access to application resource - utilizing roles

IGA is not deployed on a greenfield; rather, it must describe an existing IT environment and complex access models. In the example above, access was assigned directly to the Confluence space. In some real-life situations the access model may be hybrid: access to the application resource is assigned via membership in LDAP groups and also directly.

This example describes how to model such a situation.

The following schema describes access to the Confluence space Project X. The space is represented by an application resource. Access to the Confluence space is managed through membership in LDAP groups. Additionally, one user is assigned to the space directly. The schema also describes one user being administrator of the whole Confluence application, to show the difference between managing access to the whole application and just to the application resource.

Access model of Confluence application:

  • members of conf_admins LDAP group have Administrator access level to Confluence application

Access model of Confluence space Project X:

  • members of px_readers LDAP group have Reader access level to Confluence space Project X

  • members of px_editors LDAP group have Editor access level to Confluence space Project X

  • user Buster Blake has Editor access to the Confluence space Project X

Figure: IGA concepts, application resource access (enhanced) (the midPoint environment and configuration for this example).

The user access to the Confluence space, described in business (IGA) terminology:

  • Clark Cooper has Reader access to Confluence space Project X via application role px_readers.

  • Buster Blake has Editor access to Confluence space Project X.

We can also tell that Adam Smith has Administrator access level to the Confluence application.
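As an added illustration (not midPoint's own code, schema or configuration), the following Python model derives both interpretations, the technical (IAM) view and the business (IGA) view, for the users of Examples 1 to 3 on this page. The role name conf_admins, the "direct" and "access" markers, and the parent link from the space Project X to the Confluence application are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the page's examples. It approximates midPoint's objects
# (application roles inducing a service, assignments carrying a relation).
@dataclass(frozen=True)
class Target:
    name: str                     # application (service) or application resource
    parent: Optional[str] = None  # application an application resource belongs to (assumed link)

@dataclass(frozen=True)
class Role:
    name: str      # application role
    group: str     # LDAP group provisioned to the role's members
    target: str    # application or application resource the role induces
    relation: str  # access level carried by the inducement (business meaning)

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)   # assigned application roles
    direct: dict = field(default_factory=dict)  # target -> relation of a direct assignment

TARGETS = {t.name: t for t in (
    Target("ABC"), Target("Confluence"), Target("Project X", parent="Confluence"))}
ROLES = {r.name: r for r in (
    Role("ABC:Readers", "ABC_R", "ABC", "Reader"),
    Role("ABC:Managers", "ABC_M", "ABC", "Manager"),
    Role("conf_admins", "conf_admins", "Confluence", "Administrator"),  # role name assumed
    Role("px_readers", "px_readers", "Project X", "Reader"))}

def technical_view(user: User) -> dict:
    """IAM interpretation: what provisioning must produce for this user."""
    groups = sorted(ROLES[r].group for r in user.roles)
    targets = sorted({ROLES[r].target for r in user.roles} | set(user.direct))
    return {"ldap_account": bool(groups), "ldap_groups": groups, "assigned": targets}

def business_view(user: User) -> list:
    """IGA interpretation: (target, access level, via). Access to an application
    resource also implies access to the application it belongs to."""
    access = [(ROLES[r].target, ROLES[r].relation, ROLES[r].name) for r in user.roles]
    access += [(t, rel, "direct") for t, rel in user.direct.items()]
    for target, _, _ in list(access):
        parent = TARGETS[target].parent
        if parent and not any(a[0] == parent for a in access):
            access.append((parent, "access", f"via {target}"))
    return access

USERS = {
    "Adam Smith": User("Adam Smith", roles=["ABC:Readers", "conf_admins"]),
    "Buster Blake": User("Buster Blake", roles=["ABC:Managers"], direct={"Project X": "Editor"}),
    "Clark Cooper": User("Clark Cooper", roles=["px_readers"], direct={"ABC": "Manager"}),
}
```

Running `business_view(USERS["Buster Blake"])` reproduces the statements of Example 2: Editor access to Project X, plus derived access to the Confluence application.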
