Implementing Enterprise RBAC System

  • Question

  • Hi Everyone,

    I wish to use FIM Sets and Groups as an Enterprise RBAC system. I have gone through the article at the link below. I wish to take this further by extending the application Role with attributes that will be required for entitlement (literally serving as permissions) in the target application.

    My question is: how do I query the members of the resultant Group to sync to the target application, such that iterating through the Group membership (users) actually surfaces the defined Permission attributes on the Group object? I don't want to define the custom attributes on the user object. Is this doable, and is there any XPATH query sample that can help?

    Help appreciated in advance

    https://social.technet.microsoft.com/wiki/contents/articles/3982.fim-2010-use-sets-and-groups-as-enterprise-rbac-system.aspx 


    Akinzo

    Friday, December 14, 2018 3:05 PM

Answers

  • You won't be able to use the reference attributes in export flow rules to your app in the sync engine (assuming this is what you're doing). So, I'd either a) have just text attributes on the user and have your workflow do the transformation or b) have a set of reference attributes that a workflow copies, and then have a second set of text attributes that a second workflow updates when the reference attributes change. 

    Option B is more complicated but may give you more flexibility down the road.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    • Marked as answer by David Ayodele Friday, December 14, 2018 5:55 PM
    Friday, December 14, 2018 5:35 PM
    Moderator

All replies

  • The ComputedMember attribute of the group (or set) would give you everyone who is in that set. If in your app the permissions are properties of the user rather than a group, you'd need to have the memberships reflected on the user so you can sync them out. If you don't want to use workflows to duplicate this data, looping your users and groups through a SQL database that has a view which calculates the user attributes is another option. 

    Thanks,
    Brian

    Consulting | Blog | AD Book

    Friday, December 14, 2018 3:33 PM
    Moderator
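An added example, not from this thread, of the SQL-database option Brian describes: the sync engine exports Person and Group objects (with the group's permission attribute and its multi-valued ComputedMember) into staging tables, and a view flattens the permissions onto each user so they can be imported back as user properties. All table, column and view names here are constructed for the example; it targets SQL Server 2017 or later because of STRING_AGG.

```sql
-- Constructed staging schema (example only, not part of the original thread).
CREATE TABLE dbo.Person (
    ObjectID    uniqueidentifier NOT NULL PRIMARY KEY,
    AccountName nvarchar(64)     NOT NULL
);

CREATE TABLE dbo.AppGroup (
    ObjectID    uniqueidentifier NOT NULL PRIMARY KEY,
    DisplayName nvarchar(128)    NOT NULL,
    Permission  nvarchar(64)     NOT NULL   -- the custom attribute defined on the Group object
);

-- Multi-valued ComputedMember exported as one row per (group, member) pair.
CREATE TABLE dbo.AppGroupComputedMember (
    GroupID  uniqueidentifier NOT NULL REFERENCES dbo.AppGroup(ObjectID),
    PersonID uniqueidentifier NOT NULL REFERENCES dbo.Person(ObjectID),
    PRIMARY KEY (GroupID, PersonID)
);
GO

-- One row per user. Permissions are collected from every set/group the user
-- resolves into, de-duplicated, and sorted so the exported value is stable
-- between runs (a changing order would otherwise show up as a delta on every sync).
-- Users with no memberships still appear, with a NULL Permissions column, so the
-- import side can clear stale entitlements rather than silently keeping them.
CREATE VIEW dbo.vw_PersonPermissions AS
SELECT  p.ObjectID,
        p.AccountName,
        STRING_AGG(x.Permission, ';') WITHIN GROUP (ORDER BY x.Permission) AS Permissions
FROM    dbo.Person AS p
OUTER APPLY (
    SELECT DISTINCT g.Permission
    FROM   dbo.AppGroupComputedMember AS m
    JOIN   dbo.AppGroup AS g ON g.ObjectID = m.GroupID
    WHERE  m.PersonID = p.ObjectID
) AS x
GROUP BY p.ObjectID, p.AccountName;
GO
```

A management agent pointed at dbo.vw_PersonPermissions then imports Permissions as an ordinary string attribute of the user, which is what the target application expects, without defining any permission attributes on the Person object in the MIM schema.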
  • Thanks Brian,

    My app expects permissions as properties of the user. Just to clarify, if I opt for the first approach, do I need to extend the User object in the MIM schema with a reference attribute that will hold the Group object, and then use a WF XPATH query to look up the permissions to sync out?


    Akinzo

    Friday, December 14, 2018 5:32 PM
  • Thanks a lot

    Akinzo

    Friday, December 14, 2018 5:55 PM