<objectTemplate>
...
<mapping>
<authoritative>true</authoritative>
<expression>
<value>
<targetRef oid="0fdcd3be-4134-11e7-a334-fb2404f54424" type="RoleType"/>
</value>
</expression>
<target>
<path>assignment</path>
</target>
</mapping>
...
</objectTemplate>Automatic Role Assignment
Assignment of orgs and roles is one the fundamental midPoint functionalities. Common requirement is automatic assignment of some roles based on expressions and conditions. The object template is the right place to implement such automatic assignment.
Unconditional Assignment
Easiest case is an assign of a specific role to all the users. This is easy to implement using an object template mapping with a static (literal) value:
Conditional Assignment
Most roles are assigned only if a specific condition is true. This approach is sometimes called Rule-Based RBAC (RB-RBAC). This is also easy to implement. Simply combine the static mapping with appropriate condition:
<objectTemplate>
...
<mapping>
<authoritative>true</authoritative>
<source>
<path>employeeType</path>
</source>
<expression>
<value>
<targetRef oid="0fdcd3be-4134-11e7-a334-fb2404f54424" type="RoleType"/>
</value>
</expression>
<target>
<path>assignment</path>
</target>
<condition>
<script>
<code>employeeType == 'executive'</code>
</script>
</condition>
</mapping>
...
</objectTemplate>MidPoint will take care that the condition is evaluated an appropriate action is taken.
When the condition becomes true then the role is assigned.
When the condition becomes false the role is unassgined (remebmer, midPoint is relativistic and that also applies to conditions).
Dynamic Assignment
The third option is fully dynamic assignment of roles, orgs and services. It is often infeasible to define a condition for every role. One big expression that decides role assignment is usually a better approach. MidPoint has special `assignmentTargetSearch`expression evaluator designed especially for this purpose. This evaluator can be used to dynamically look up assignment targets:
<objectTemplate>
...
<mapping>
<authoritative>true</authoritative>
<source>
<path>employeeType</path>
</source>
<expression>
<assignmentTargetSearch>
<targetType>RoleType</targetType>
<filter>
<q:equal>
<q:path>name</q:path>
<expression>
<script>
<code>'Employee:' + employeeType</code>
</script>
</expression>
</q:equal>
</filter>
</assignmentTargetSearch>
</expression>
<target>
<path>assignment</path>
</target>
</mapping>
...
</objectTemplate>This is an example of a dynamic assignment of roles based on the value of user’s employeeType property.
If the property has a value of executive, then role Employee:executive will be automatically assigned.
If the property has a value of superlative, then role Employee:superlative will be automatically assigned.
And so on.
The employeeType property is multi-valued, therefore the expression will be evaluated for each value.
If the employeeType property has two values then two roles will be assigned.
The role assignment follows changes in the source properties.
Therefore when employeeType values are deleted then corresponding roles are automatically unassigned.
Combinations
MidPoint mappings are automatically merged. Therefore you can have as many mappings for automatic assignment as you want and you can combine all these techniques as needed. MidPoint will take care that all of them are evaluated and that the results are properly merged.
Advanced Techniques
There are more tricks that can be used for role assignment. E.g. the target (role or org) can be dynamically created on demand (see OrgSync Story Test). Mapping domain and range can be used for more complex cases. And so on.
See Also
Was this page helpful?
YES
NO
Thanks for your feedback