> On Oct 20, 2016, at 9:05 AM, Patrick Brunmayr <[email protected]> wrote:
>
> Let's assume one is using Fortress as a central place for RBAC. Over time there will be a lot of roles and groups for different things. As an integrator to other systems, like in my case Midpoint, I am not interested in transferring all roles and groups.
>
> So my approach would be to write some aux classes and assign them to the roles and groups. For instance, auxclass MidpointObject.
>
> In my Midpoint connector I would only fetch roles and groups which have aux class MidpointObject assigned.
>
> So I can only provide those things which are really Midpoint specific, and not roles or groups which may not be of interest or, even more importantly, which are security-wise relevant.
>
> One use case for me would be: I don't want to transfer all the Fortress roles to Midpoint where one would gain access to Fortress :)
>
> Does that make sense?
Not quite. You need a discriminator to specify whether a given object was processed by Midpoint or not? In other words, if the object was created via a Midpoint intermediary, you would decorate it with the objectclass attribute? What's the rationale for that?
