No, the other way round! I would decorate Fortress roles and groups with
an additional objectclass to have some
filter possibilities. Basically, in my connector I would only query
objects from Fortress having aux class "exposeMidpoint"
to only expose those roles and groups. Not everything in Fortress should
go to Midpoint :)
On 21.10.2016 at 15:35, Shawn McKinney wrote:
On Oct 20, 2016, at 9:05 AM, Patrick Brunmayr <[email protected]> wrote:
Let's assume one is using Fortress as a central place for RBAC. Over time
there will be a lot of roles and groups
for different things. As an integrator to other systems, like in my case
Midpoint, I am not interested in transferring all roles and groups.
So my approach would be to write some aux classes and assign them to the
roles and groups. For instance, auxclass MidpointObject.
In my Midpoint connector I would only fetch roles and groups which have
aux class MidpointObject assigned.
So I can really only provide those things which are Midpoint specific
and not roles or groups which may not be of interest or, even
more importantly, which are relevant security-wise.
One use case for me would be: I don't want to transfer all the Fortress
roles to Midpoint where one would gain access to Fortress :)
Does that make sense?
Not quite. You need a discriminator to specify whether a given object was
processed by midpoint or not? In other words, if the object was created via a
midpoint intermediary, you would decorate it with the objectclass attribute?
What's the rationale for that?
LINZ AG für Energie, Telekommunikation, Verkehr und Kommunale Dienste
A-4021 Linz, Wiener Straße 151, Postfach 1300, Tel. +43/732/3400-0, E-Mail:
[email protected]
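The marker approach discussed in this thread, as an added example that is not code from the thread, Fortress or MidPoint: a connector-side LDAP filter that returns only entries carrying the auxiliary objectClass, applied to a constructed LDIF sample. It assumes the aux class is named "exposeMidpoint" as in the reply above, that Fortress role entries carry the structural objectClass ftRls, and that the group entries use groupOfNames (the sample data is constructed, not from a real directory).

```python
"""Select only the Fortress roles/groups decorated with a marker aux class.
Assumptions: aux class 'exposeMidpoint' (from the thread), structural role
class 'ftRls' (Apache Fortress schema); all sample entries are constructed."""
from typing import Dict, List

AUX_CLASS = "exposeMidpoint"  # discriminator aux class, name from the thread

# Constructed LDIF: two roles and one group; only two carry the marker.
SAMPLE_LDIF = """\
dn: cn=midpointAdmin,ou=Roles,dc=example,dc=com
objectClass: top
objectClass: ftRls
objectClass: exposeMidpoint
cn: midpointAdmin

dn: cn=fortressAdmin,ou=Roles,dc=example,dc=com
objectClass: top
objectClass: ftRls
cn: fortressAdmin

dn: cn=midpointUsers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
objectClass: exposeMidpoint
cn: midpointUsers
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():  # blank line closes the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def connector_filter(structural_class: str) -> str:
    """Filter the connector sends instead of fetching every Fortress object."""
    return f"(&(objectClass={structural_class})(objectClass={AUX_CLASS}))"


def exposed_dns(entries: List[Dict[str, List[str]]], structural_class: str) -> List[str]:
    """DNs that would match connector_filter(): structural class AND marker."""
    wanted = {structural_class.lower(), AUX_CLASS.lower()}
    return [e["dn"][0] for e in entries
            if wanted <= {c.lower() for c in e.get("objectclass", [])}]
```

Entries without the marker (here cn=fortressAdmin) are never returned, so an undecorated Fortress role cannot leak into MidPoint by default.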