Automating the process of requesting, creating and distributing access to an employee’s network folder through IDM Midpoint
A typical task: an employee needs a network folder on a Windows server. Creating it takes an admin, and granting rights to it takes an admin again. With IDM Midpoint we take the admin out of this task entirely.
A simplified diagram to understand what is happening
1. An employee requests the Create Shared Folder role in Midpoint and receives it immediately, or after an approval (also in Midpoint).
2. The role creates an entry for this user in an intermediate resource, a CSV file, through an ordinary object type in Schema Handling. The creation of that record triggers the Additional Connector, which runs a PowerShell script on the Windows server. The Additional Connector reacts to create, delete and modify events of a specific object type.
3. The PowerShell script creates the network folder and two AD groups, one with read and one with edit rights, and adds the requesting user to the edit group (the user can start working right away).
4. During the next synchronization of the AD resource, Midpoint creates roles for the AD groups the script created. So that these roles can be requested, the employee who requested the network folder is made their approver; this is done by the policy role POLICY add approver from role attribute.
5. User B sees the new roles for User A's network folder in his Midpoint self-service and can request them. User A approves or rejects the request for access to his network folder, also from his own self-service!
Our starting point:
– Midpoint 4.8.4 with a fully configured integration with Windows Server (an AD resource)
– Windows Server 2019, LDAPS, OpenSSH (installed as a Windows component)
1. Create a CSV Shared Folder resource
We need a resource whose account lifecycle runs the script. It can be CSV or a database; for simplicity and clarity we take CSV. Midpoint keeps the state in it: whether the user should have a network folder or not. When the role is assigned, an account is created in the CSV resource, which runs the folder-creation script; when the role is removed, the account is deleted from the CSV resource, which runs the folder-deletion script.
On the Midpoint server, in the folder /opt/midpoint, create an empty file shared_folder.csv with a single header line:
hr_id;date_create;info_1;info_2;info_3;info_4
In the Midpoint admin GUI we create a CSV resource via Resources > New Resource > From Scratch and select CsvConnector. Then everything is as in the pictures; the name is CSV Shared Folder. All other settings can stay at their defaults.
Go to the CSV Shared Folder resource, click Edit Raw, and add the following object type definition before the element shown on the original page (only the values of the original XML are preserved here, one setting per line):
kind: account
intent: Account SCV Shared Folder
displayName: Account SCV Shared Folder
default: true
objectClass: ri:AccountObjectClass
focus type: c:UserType
attribute ri:hr_id: outbound mapping "01 HR ID to hr_id", strong; inbound mapping "just for correlation", strong; personalNumber
attribute ri:info_1: outbound mapping "02 FullName to info_1", strong
attribute ri:date_create: outbound mapping "03 Date to date_create", weak
correlation: "Corr HR ID", personalNumber matched against c:personalNumber
synchronization situations: unlinked, deleted
This object type takes the employee's personalNumber from Midpoint and writes it to the hr_id column of the CSV file, the creation date to date_create and the full name to info_1. Two columns remain empty, just in case.
Now we configure the Additional Connector.
Download the SSH Connector jar file from https://docs.evolveum.com/connectors/connectors/com.evolveum.polygon.connector.ssh.SshConnector/ and put it in the folder /opt/midpoint/var/connid-connectors, then restart Midpoint.
In Repository Objects, check that the connector ConnId com.evolveum.polygon.connector.ssh.SshConnector v1.0 has appeared and note its OID right away:
388af43f-fae8-4734-8f17-c549352d5939
Go to the CSV Shared Folder resource, click Edit Raw, and add the following Additional Connector definition after the element shown on the original page (values only, one per line; the connector is referenced by the OID noted above):
name: ssh
host: 192.168.1.168
username: midpoint
password: qwerty123
(the three remaining options are all false)
We also add the following provisioning script definition before the element shown on the original page (values only):
operation: add
kind: account
intent: Account SCV Shared Folder
order: after
Two scripts are run here: one on account creation and one on account deletion. The argument passed to the script is described as
name: user_hr_id
value: $focus/personalNumber
and the command line run on the Windows server is
powershell.exe -File "C:\Users\midpoint\Documents\shared_folder_create.ps1" %*
The second script, shared_folder_delete.ps1, is wired up in the same way for the delete operation.
It remains to put the scripts on the Windows Server.
Folder: C:\Users\midpoint\Documents\
Name: shared_folder_create.ps1
Code:
param([string]$user_hr_id)
# Names are derived from the HR id passed by Midpoint: two AD groups, the folder and its path
$SF_Name_Read = 'Shared_Folder_READ_' + $user_hr_id
$SF_Name_Edit = 'Shared_Folder_EDIT_' + $user_hr_id
$SF_Name_Folder = 'SF_' + $user_hr_id
$SF_Name_Path = 'C:\Shared Folder\' + $SF_Name_Folder
#Create AD Groups (the Description carries the HR id; Midpoint later copies it into the role's documentation attribute)
New-ADGroup -Name $SF_Name_Read -SamAccountName $SF_Name_Read -GroupCategory Security -GroupScope Global -DisplayName $SF_Name_Read -Path "OU=Groups,OU=OOO_ODIN,DC=168testserverhome,DC=com" -Description $user_hr_id
New-ADGroup -Name $SF_Name_Edit -SamAccountName $SF_Name_Edit -GroupCategory Security -GroupScope Global -DisplayName $SF_Name_Edit -Path "OU=Groups,OU=OOO_ODIN,DC=168testserverhome,DC=com" -Description $user_hr_id
#add owner user to edit group (the owner is found by employeeNumber, which must equal personalNumber in Midpoint)
Get-ADUser -Properties employeeNumber -Filter 'employeeNumber -eq $user_hr_id' | ForEach-Object {Add-ADGroupMember -Identity $SF_Name_Edit -Members $_.SamAccountName}
#Create Shared Folder and publish it as an SMB share; share-level permissions: Read for the READ group, Change for the EDIT group
New-Item -Path 'C:\Shared Folder\' -Name $SF_Name_Folder -ItemType 'directory'
$Parameters = @{
    Name = $SF_Name_Folder
    Path = $SF_Name_Path
    ReadAccess = $SF_Name_Read
    ChangeAccess = $SF_Name_Edit
}
New-SmbShare @Parameters
#Set NTFS access rights for the AD groups; "3" = ContainerInherit,ObjectInherit (rule applies to subfolders and files), "0" = PropagationFlags None
#Note that FullControl in the EDIT rule already includes all the other rights listed before it
$ACL = Get-Acl -Path $SF_Name_Path
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($SF_Name_Edit,"ListDirectory,Read,ReadAndExecute,Write,Modify,FullControl","3","0","Allow")
$AccessRule2 = New-Object System.Security.AccessControl.FileSystemAccessRule($SF_Name_Read,"ListDirectory,Read,ReadAndExecute","3","0","Allow")
$ACL.SetAccessRule($AccessRule)
$ACL.SetAccessRule($AccessRule2)
$ACL | Set-Acl -Path $SF_Name_Path
Folder: C:\Users\midpoint\Documents\
Name: shared_folder_delete.ps1
Code:
param([string]$user_hr_id)
# Same naming scheme as in the create script
$SF_Name_Read = 'Shared_Folder_READ_' + $user_hr_id
$SF_Name_Edit = 'Shared_Folder_EDIT_' + $user_hr_id
$SF_Name_Folder = 'SF_' + $user_hr_id
$SF_Name_Path = 'C:\Shared Folder\' + $SF_Name_Folder
# The folder is not deleted but renamed to ARC_<timestamp>_SF_<hr_id>, so the data stays on disk
$date = Get-Date -Format "yyyyMMddHHmm"
$SF_NEW_Name_Folder = 'ARC_' + $date + '_SF_' + $user_hr_id
#delete groups from shared folder ACL (done while the groups still exist, so their names still resolve)
$acl = Get-Acl $SF_Name_Path
$groupid = New-Object System.Security.Principal.NTAccount($SF_Name_Read)
$acl.PurgeAccessRules($groupid)
$groupid = New-Object System.Security.Principal.NTAccount($SF_Name_Edit)
$acl.PurgeAccessRules($groupid)
$acl | Set-Acl $SF_Name_Path
#delete the share itself (only the share, not the data)
Remove-FileShare -Name $SF_Name_Folder -Confirm:$false
#rename the former shared folder to its archive name
Rename-Item -Path $SF_Name_Path -NewName $SF_NEW_Name_Folder
#delete groups
Remove-ADGroup -Identity $SF_Name_Read -Confirm:$false
Remove-ADGroup -Identity $SF_Name_Edit -Confirm:$false
The network folder is created in C:\Shared Folder\; how its name is formed is defined at the top of the script.
Users in AD must have employeeNumber filled in and equal to personalNumber in Midpoint; the script searches by it and adds the owner to the edit group:
Get-ADUser -Properties employeeNumber -Filter 'employeeNumber -eq $user_hr_id' | ForEach-Object {Add-ADGroupMember -Identity $SF_Name_Edit -Members $_.SamAccountName}
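The user_hr_id argument travels from Midpoint's personalNumber through the SSH connector straight into group names, a filesystem path and an AD filter, and the CSV resource may replay the add operation (reconciliation, a retried provisioning task). The following script is an added example, not code from the original article: a hardened variant of shared_folder_create.ps1 that keeps the article's names, OU and folder layout but validates the argument, is safe to run twice for the same HR id, refuses to proceed unless exactly one AD user carries the employeeNumber, and replaces inherited NTFS entries with an explicit set. The 12-digit limit and the Administrators/SYSTEM entries are assumptions of this example, not something the article prescribes. Because the midpoint SSH account creates groups and shares, it is necessarily a privileged account, which is one more reason to keep what the script accepts as input narrow.

```powershell
# Added example (not from the original article): hardened shared_folder_create.ps1
param(
    [Parameter(Mandatory = $true)]
    [string]$user_hr_id
)

$ErrorActionPreference = 'Stop'   # any failing cmdlet aborts; powershell.exe -File then exits non-zero

# The HR id is interpolated into group names and a path, so accept only a plain numeric
# personnel number (the article's example is 87328348). The 1-12 digit bound is an assumption.
if ($user_hr_id -notmatch '^\d{1,12}$') {
    throw "Rejected user_hr_id '$user_hr_id': expected 1-12 digits"
}

$SF_Name_Read   = "Shared_Folder_READ_$user_hr_id"
$SF_Name_Edit   = "Shared_Folder_EDIT_$user_hr_id"
$SF_Name_Folder = "SF_$user_hr_id"
$SF_Root        = 'C:\Shared Folder'
$SF_Name_Path   = Join-Path $SF_Root $SF_Name_Folder
$GroupOU        = 'OU=Groups,OU=OOO_ODIN,DC=168testserverhome,DC=com'   # OU and domain from the article

Import-Module ActiveDirectory

# Idempotency: creating an existing group or share throws, so check first and treat "already there" as done.
foreach ($g in @($SF_Name_Read, $SF_Name_Edit)) {
    if (-not (Get-ADGroup -Filter "sAMAccountName -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupCategory Security -GroupScope Global `
                    -DisplayName $g -Path $GroupOU -Description $user_hr_id
    }
}

# Exactly one AD user must carry this employeeNumber; zero or several means the HR data is
# inconsistent and nobody should silently receive edit rights on the folder.
$owners = @(Get-ADUser -Filter "employeeNumber -eq '$user_hr_id'")
if ($owners.Count -ne 1) {
    throw "Expected exactly one AD user with employeeNumber $user_hr_id, found $($owners.Count)"
}
$ownerSam = $owners[0].SamAccountName
$already  = Get-ADGroupMember -Identity $SF_Name_Edit | Where-Object { $_.SamAccountName -eq $ownerSam }
if (-not $already) {
    Add-ADGroupMember -Identity $SF_Name_Edit -Members $ownerSam
}

if (-not (Test-Path -LiteralPath $SF_Name_Path)) {
    New-Item -Path $SF_Root -Name $SF_Name_Folder -ItemType Directory | Out-Null
}
if (-not (Get-SmbShare -Name $SF_Name_Folder -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $SF_Name_Folder -Path $SF_Name_Path `
                 -ReadAccess $SF_Name_Read -ChangeAccess $SF_Name_Edit | Out-Null
}

# NTFS ACL: disable inheritance and drop inherited entries, then set exactly four explicit rules,
# so nothing granted on C:\Shared Folder (for example to BUILTIN\Users) leaks into this share.
# Administrators/SYSTEM are re-added explicitly because they were lost with inheritance (assumption).
$acl = Get-Acl -LiteralPath $SF_Name_Path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    @{ id = 'BUILTIN\Administrators'; rights = 'FullControl' },
    @{ id = 'NT AUTHORITY\SYSTEM';    rights = 'FullControl' },
    @{ id = $SF_Name_Edit;            rights = 'Modify' },         # edit, but not change permissions
    @{ id = $SF_Name_Read;            rights = 'ReadAndExecute' }
)
foreach ($r in $rules) {
    $ace = [System.Security.AccessControl.FileSystemAccessRule]::new($r.id, $r.rights, $inherit, $prop, 'Allow')
    $acl.SetAccessRule($ace)
}
Set-Acl -LiteralPath $SF_Name_Path -AclObject $acl
```

Compared with the article's script, the EDIT group receives Modify rather than FullControl, so folder owners cannot re-grant permissions outside Midpoint; if that is not wanted, change the one rights string back.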
In ADMINISTRATION > Roles > All Roles, create an empty role called Create Shared Folder. Open it, click Edit Raw and insert, before the element shown on the original page, a construction pointing at the CSV resource account (values only):
kind: account
intent: Account SCV Shared Folder
We check how it works. Take User A, who already has an account in the AD resource, and give him the Create Shared Folder role. Immediately afterwards a record appears in the file /opt/midpoint/shared_folder.csv:
87328348;10/10/2024 09:35:39;Егеров Егеров Ким;;;
In AD the groups and the share have appeared as well. Everything worked!
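Instead of checking AD and the share by hand after each run, the state the create script is supposed to produce for one HR id can be audited from the Windows server. The script below is an added example, not part of the original article; it is read-only, follows the article's naming scheme, and reports any deviation: missing groups or share, a Description that does not carry the HR id, an owner who is not in the EDIT group, share or NTFS entries for unexpected principals, and write rights on the READ group. The list of "expected" NTFS principals (the two groups plus Administrators and SYSTEM) is an assumption of this example.

```powershell
# Added example (not from the original article): audit of one network folder's expected state
param([Parameter(Mandatory = $true)][string]$user_hr_id)

Import-Module ActiveDirectory
$SF_Name_Read   = "Shared_Folder_READ_$user_hr_id"
$SF_Name_Edit   = "Shared_Folder_EDIT_$user_hr_id"
$SF_Name_Folder = "SF_$user_hr_id"
$SF_Name_Path   = Join-Path 'C:\Shared Folder' $SF_Name_Folder
$findings = @()

# 1. Both groups exist and their Description carries the HR id that Midpoint later reads (mapping 06)
foreach ($g in @($SF_Name_Read, $SF_Name_Edit)) {
    $grp = Get-ADGroup -Filter "sAMAccountName -eq '$g'" -Properties Description
    if (-not $grp) { $findings += "MISSING group $g"; continue }
    if ($grp.Description -ne $user_hr_id) { $findings += "group ${g}: Description '$($grp.Description)' != $user_hr_id" }
    $members = Get-ADGroupMember -Identity $grp | Select-Object -ExpandProperty SamAccountName
    $list = if ($members) { $members -join ', ' } else { '<no members>' }
    Write-Output "$g members: $list"
}

# 2. The owner (employeeNumber = HR id) is a member of the EDIT group
$owner = Get-ADUser -Filter "employeeNumber -eq '$user_hr_id'"
if (-not $owner) {
    $findings += "no AD user with employeeNumber $user_hr_id"
} elseif (-not (Get-ADGroupMember -Identity $SF_Name_Edit | Where-Object { $_.SamAccountName -eq $owner.SamAccountName })) {
    $findings += "owner $($owner.SamAccountName) is not in $SF_Name_Edit"
}

# 3. The share exists and its share-level permissions name only the two groups
$share = Get-SmbShare -Name $SF_Name_Folder -ErrorAction SilentlyContinue
if (-not $share) {
    $findings += "MISSING share $SF_Name_Folder"
} else {
    foreach ($ace in Get-SmbShareAccess -Name $SF_Name_Folder) {
        $short = $ace.AccountName -replace '^.*\\', ''
        if ($short -notin @($SF_Name_Read, $SF_Name_Edit)) {
            $findings += "share ACE for unexpected principal $($ace.AccountName) ($($ace.AccessRight))"
        }
    }
}

# 4. The folder exists; every explicit (non-inherited) NTFS ACE belongs to an expected principal,
#    and the READ group holds no write bit. Expected principals are an assumption of this example.
if (-not (Test-Path -LiteralPath $SF_Name_Path)) {
    $findings += "MISSING folder $SF_Name_Path"
} else {
    $expected = @($SF_Name_Read, $SF_Name_Edit, 'Administrators', 'SYSTEM')
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -LiteralPath $SF_Name_Path).Access | Where-Object { -not $_.IsInherited }) {
        $short = $ace.IdentityReference.Value -replace '^.*\\', ''
        if ($short -notin $expected) { $findings += "NTFS ACE for unexpected principal $($ace.IdentityReference)" }
        if ($short -eq $SF_Name_Read -and (($ace.FileSystemRights -band $writeBits) -ne 0)) {
            $findings += "READ group has write rights on $SF_Name_Path"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $user_hr_id matches the expected state"
    exit 0
}
$findings | ForEach-Object { Write-Output "FAIL: $_" }
exit 1
```

Run it as .\audit_shared_folder.ps1 -user_hr_id 87328348 (the name of the file is your choice); a non-zero exit code makes it usable from a scheduled task that alerts when someone has changed a folder's permissions outside Midpoint.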
2. Creating roles in Midpoint for the network folder groups from the AD resource
The read and edit AD groups for the user's network folder now exist in AD, but not yet in Midpoint, if only because synchronization of these AD groups into Midpoint roles is not running, and the usual synchronization will not do: the roles for these groups need an approver assigned at the moment Midpoint creates them.
Therefore we add a filter to the existing object type for the other AD groups in Schema Handling. In Resources > your AD resource > Schema Handling > your "AD group ALL" object type > Basic Attributes, on the second page, in Filter we write
attributes/cn not startsWith 'Shared_Folder_'
This object type will now process only AD groups whose cn does not start with Shared_Folder_.
We create an object type for the network folder groups; I will call it Groups Shared Folder POC. In Resources > your AD resource > Schema Handling > Add object type, fill in as in the pictures. Then open the created object type and edit the following boxes.
Groups Shared Folder POC > Mappings
02 – the script here is simply
return true
05 – the script here is (Win-ikpur723q06 is the hostname of the Windows server)
"Rights for user HRID:" + input + " shared folder path \\\\Win-ikpur723q06\\sf_" + input
06 – writes into the Documentation attribute the personnel number that the script put into the Description of the AD group
03-04 – a construction that assigns a role by OID; it can only be entered in the raw XML, so create the mapping empty first and then fill it in. Mapping 03 (values only):
name: 03 add POLICY add approver from role atribute
active
strength: strong
type: c:RoleType
OID: a0f4de80-c941-43bd-9216-966bc3a62d3e
target: $focus/assignment
The role that mapping 03 refers to, the one that will assign the approver, has not been created yet. Mapping 04 copies the corresponding mapping of the ordinary AD group object type, with its own names.
Groups Shared Folder POC > Synchronization
Groups Shared Folder POC > Correlation
That is almost everything in the object type settings; it remains to create the role that adds an approver to the network folder roles and write its OID into mapping 03.
The complete object type Groups Shared Folder POC (values only, one setting per line):
kind: entitlement
intent: Groups Shared Folder POC
displayName: Groups Shared Folder POC
objectClass: ri:group
filter: attributes/cn startsWith 'Shared_Folder_'
focus type: c:RoleType
attribute ri:cn:
  01 name is name, strong, target name
  02 set requestable mark, strong, target requestable
  03 add POLICY add approver from role atribute, active, strong, c:RoleType, a0f4de80-c941-43bd-9216-966bc3a62d3e, target $focus/assignment
  04 add ADD AD group SHARED FOLDER, active, strong, c:RoleType, 99cefb8d-2aa8-4015-b427-b9fde2fe50a9, target $focus/assignment
attribute ri:objectGUID
attribute ri:description:
  05 some human readable text, strong, target description
  06 user HR id for approver set, strong, target documentation
attribute ri:dn:
  07 dn for identifier, strong, target identifier
correlation: identifier matched against c:identifier
synchronization situations: unlinked, linked, unmatched
There is no known way to add an approver directly from a mapping. Therefore we create a role with a policy rule that runs a script, which can do everything we need, and assign this policy role to every AD group role created by the Groups Shared Folder POC object type (that is what mapping 03 does).
In ADMINISTRATION > Roles > All Roles, create an empty role called POLICY add approver from role attribute. Open it, click Edit Raw and insert, before the element shown on the original page, the following policy rule (values only):
name: add approver from role atribute
constraint: modification of the item c:documentation
action: some script, execute-script, with the following script:
import com.evolveum.midpoint.xml.ns._public.common.common_3.*
import com.evolveum.midpoint.prism.delta.builder.*
import com.evolveum.midpoint.model.api.*
import com.evolveum.midpoint.schema.constants.SchemaConstants
import javax.xml.namespace.QName

// 'input' is the role whose documentation attribute has just changed
role = midpoint.getObject(RoleType.class, input.oid)
// the documentation attribute carries the HR id copied from the AD group's Description (mapping 06)
userId = basic.stringify(role.documentation)
// find the Midpoint user whose personalNumber equals that HR id (Axiom query language; the value must be quoted)
query_user = midpoint.queryFor(UserType.class, "personalNumber = '" + userId + "'")
result_USER = midpoint.searchObjects(UserType.class, query_user)
if (result_USER.size() != 1) {
    throw new IllegalStateException("expected exactly one user with personalNumber " + userId + ", found " + result_USER.size())
}
user = result_USER[0]
// build an assignment to this role with the approver relation
userApprover = new ObjectReferenceType()
userApprover.setOid(input.oid)
userApprover.setType(RoleType.COMPLEX_TYPE)
userApprover.setRelation(SchemaConstants.ORG_APPROVER)
addAssignment = new AssignmentType()
addAssignment.setTargetRef(userApprover)
// add the assignment to the user in raw mode, then recompute the user so it takes effect
def delta = prismContext.deltaFor(UserType.class)
        .item(FocusType.F_ASSIGNMENT)
        .add(addAssignment.asPrismContainerValue())
        .asObjectDelta(user.oid)
midpoint.modifyObject(delta, ModelExecuteOptions.createRaw())
midpoint.recompute(UserType.class, user.oid)
object type of the rule: c:RoleType
When the role's documentation attribute changes (including its first fill-in), the script runs and makes the person whose personnel number (HRID) is written in the documentation attribute the approver of this role.
We take the OID of the POLICY add approver from role attribute role and insert it into Groups Shared Folder POC, mapping 03.
Now, in the AD resource, we can start synchronization of the Groups Shared Folder POC object type. The AD group roles begin to appear:
Name is the cn from AD (make sure it is unique in Midpoint as well as in AD). Description is filled in by the script, and Requestable is set to True.
The user with personnel number 87328348 is the approver of the Shared_Folder_EDIT_87328348 role.
3. Requesting rights to the network folder
We have two users in Midpoint with the following roles:
User A
- End User
- Approver
- AD account
- Create Shared Folder
- Shared_Folder_EDIT_87328348
- Shared_Folder_EDIT_87328348
- Shared_Folder_READ_87328348
User B
- End User
- AD account
End User is a standard Midpoint role; what we need from it is that it lets the user log in to the Midpoint GUI and request roles marked Requestable = True.
Approver is a standard Midpoint role that allows approving requests to be added to a role.
Shared_Folder_EDIT_87328348 appears twice in User A's list, although in the role list itself it is a single role: one assignment came with the AD synchronization (membership), the other marks him as the role's approver.
Log in to Midpoint as User B, go to Request Access and request the Shared_Folder_READ_87328348 role.
Now log in to Midpoint as User A, see the incoming request and approve it.
Log in to Midpoint again as User B: on the main page, My accesses shows the requested role, and in My Requests the request is shown as approved.
Finally, log in as User B on a Windows PC (if already logged in, log out and back in so that the new group membership is picked up) and confirm that the folder can be read but not edited!