The identity governance and administration world is not just about identities and their accounts. It is also about their access rights, e.g., group membership. But how can midPoint adopt existing access rights, present them as roles, and start managing them? What if midPoint is not allowed to manage some groups for the time being, or ever? And what if I know little about midPoint and have only completed the First Steps Live training or the First Steps self-paced training? Is there any hope left for me?
Simply put: yes, there is! In fact, you are lucky.
In 2024, Evolveum invested a lot of time and effort into creating the Group Synchronization Methodology. It makes access rights management simple, safe, and flexible. The methodology uses new midPoint features that are part of the midPoint 4.9 release. Additionally, we have prepared a new training: MidPoint Deployment: Group Synchronization. Isn’t this a perfect synergy with the new midPoint release?
In this webinar, we presented our approach to group management with an emphasis on existing groups: how to migrate their management to midPoint group by group, iteratively and interactively. In midPoint, a group is a projection of a role, and group membership is a role assignment. MidPoint therefore manages roles and their assignments rather than groups directly. The roles are the key: the existing groups need to be migrated to midPoint roles.
The approach described in the webinar is based on our Group Synchronization Methodology. It lets midPoint gradually take over the management of existing groups and their membership, while new groups can already be created via roles even though external tools still manage some of the groups.
The migration of group management to midPoint relies on a combination of the unmanaged and managed marks, the default operation policy, and simulations. In this webinar, we performed the following steps:
- Import groups (to create roles)
- Import group membership (to create role assignments)
- Migrate group management to midPoint (starting with a few explicitly migrated groups, then all except legacy groups)
- Automate group integration (to finish the migration of legacy groups, enforce group membership, detect unauthorized group creation and deletion, and provide automatic group membership for new users)
Please note: the webinar’s initial configuration is based on the outcomes of the First Steps training plus additional, purely GUI-based configuration of a resource. We prepared this configuration in advance, before the webinar, because the execution of the migration process itself is the crucial part. MidPoint configuration files for the webinar’s initial state are available here.
For more information about the approach, please refer to the Group Synchronization Methodology.
You can access the webinar slides here.
The MidPoint Deployment: Group Synchronization training will be available soon.