Automating the process of requesting, creating and distributing access to an employee’s network folder through IDM Midpoint

A typical task: an employee needs a network folder on a Windows server. Creating it takes an admin, and granting rights to it takes an admin again. Here we take the admin out of this task using IDM Midpoint.

A simplified diagram to understand what is happening

1. An employee requests the Create Shared Folder role in Midpoint and gets it either immediately or after approval by someone (also in Midpoint).

2. The role creates an entry for this user in an intermediate resource (a CSV file) through an ordinary Scheme Handler. The creation of this record triggers the Additional Connector, which can run a PowerShell script on the Windows server. The Additional Connector reacts to create, delete and modify events of a specific Scheme Handler.

3. The PowerShell script creates the network folder and two AD groups, one with read rights and one with edit rights, and adds the user to the edit group (from this point the folder is already usable).

4. During the next synchronization of the AD resource, Midpoint creates roles for the AD groups created by the script. To make these roles requestable, the employee who requested the network folder is set as their Approver; this is done by the policy role Policy: Add Approver.

5. User B sees the new roles for User A's network folder in his Midpoint self-service and can request them. User A approves or rejects access to his network folder in his own self-service, with no admin involved!

Starting point:

– Midpoint 4.8.4 with a fully configured integration (AD resource) with Windows Server

– Windows Server 2019, LDAPS, OpenSSH (installed as a Windows optional feature)

1. Create a CSV Shared Folder resource

We need a resource whose provisioning runs the script. It can be a CSV file or a database; for simplicity and clarity we take CSV. Midpoint keeps the state in it: whether the user should have a network folder or not. When the role is assigned, an account is created in the CSV resource, which runs the network folder creation script; when the role is removed, the account is deleted from the CSV resource, which runs the network folder deletion script.

On the Midpoint server in the folder

/opt/midpoint

create an empty file

shared_folder.csv

it has one line

hr_id;date_create;info_1;info_2;info_3;info_4

In the Midpoint admin GUI we create a CSV resource in Resources \ New Resource \ From Scratch and select CsvConnector

Then everything is as in the pictures, the name is CSV Shared Folder

Then everything is ok by default

Go to the CSV Shared Folder resource, click Edit Raw

and add before

the following code


        
            account
            Account SCV Shared Folder
            Account SCV Shared Folder
            true
            
                ri:AccountObjectClass
            
            
                c:UserType
            
            
                ri:hr_id
                
                    01 HR ID to hr_id
                    strong
                    
                        $focus/personalNumber
                    
                
                
                    just for correlation
                    strong
                    
                        personalNumber
                    
                    synchronization
                
            
            
                ri:info_1
                
                    02 FullName to info_1
                    strong
                    
                        $focus/fullName
                    
                
            
            
                ri:date_create
                
                    03 Date to date_create
                    weak
                    
                        $focus/personalNumber
                    
                    
                        
                        
                    
                
            
            
                
                    
                        Corr HR ID personalNumber
                        
                            c:personalNumber
                        
                    
                
            
            
                
                    unlinked
                    
                        
                    
                
                
                    deleted
                    
                        
                    
                
            
        
    

This Scheme Handler takes the employee's personalNumber from Midpoint and writes it into the hr_id column of the CSV file, the creation date into date_create and fullName into info_1. Two columns stay empty, just in case.

Now we configure the Additional Connector

We download the SSH Connector jar file from the page https://docs.evolveum.com/connectors/connectors/com.evolveum.polygon.connector.ssh.SshConnector/

We put it in a folder

/opt/midpoint/var/connid-connectors

And restart Midpoint

We look in the Repository Objects to see if the ConnId com.evolveum.polygon.connector.ssh.SshConnector v1.0 has appeared

we immediately take its OID

388af43f-fae8-4734-8f17-c549352d5939

Go to the CSV Shared Folder resource, click Edit Raw

and add after

the following code


        ssh
        
            
        
        
            
                192.168.1.168
                midpoint
                qwerty123
            
            
                false
                false
                false
            
        
        
            
                
                
            
            
                
            
        
    

– specifies your OID for the SSH Connector

– host

– Account login for AD management with all necessary rights (for example from AD Resource)

– the password, Midpoint will immediately encrypt it and will not show it explicitly in XML.

We also add before

The following code


        
            add
            account
            Account SCV Shared Folder
            after
        
        
    

Two scripts are hooked in here, one per operation; the block for the add operation is shown:

add - the add (create) operation

account - kind: account

Account SCV Shared Folder - the intent in the Scheme Handler

after - the script is launched after the record has been created in the CSV resource

We describe the argument passed to the script:

            
                user_hr_id
                $focus/personalNumber
            

And the launch command line on the Windows server (the argument above is appended via %*)

powershell.exe -File "C:\Users\midpoint\Documents\shared_folder_create.ps1" %*

It remains to put the scripts on Windows Server

Folder

C:\Users\midpoint\Documents\

Name

shared_folder_create.ps1

Code

param([string]$user_hr_id)

Import-Module ActiveDirectory

$SF_Name_Read   = 'Shared_Folder_READ_' + $user_hr_id
$SF_Name_Edit   = 'Shared_Folder_EDIT_' + $user_hr_id
$SF_Name_Folder = 'SF_' + $user_hr_id
$SF_Name_Path   = 'C:\Shared Folder\' + $SF_Name_Folder
$GroupOU        = 'OU=Groups,OU=OOO_ODIN,DC=168testserverhome,DC=com'

# Create the AD groups; the HR id stored in Description is what the Midpoint policy later reads to set the approver
New-ADGroup -Name $SF_Name_Read -SamAccountName $SF_Name_Read -GroupCategory Security -GroupScope Global -DisplayName $SF_Name_Read -Path $GroupOU -Description $user_hr_id
New-ADGroup -Name $SF_Name_Edit -SamAccountName $SF_Name_Edit -GroupCategory Security -GroupScope Global -DisplayName $SF_Name_Edit -Path $GroupOU -Description $user_hr_id
# Add the owner (matched by employeeNumber) to the edit group; the AD cmdlets expand $user_hr_id inside the filter string
Get-ADUser -Properties employeeNumber -Filter 'employeeNumber -eq $user_hr_id' | ForEach-Object { Add-ADGroupMember -Identity $SF_Name_Edit -Members $_.SamAccountName }

# Create the folder and share it: share-level Read for the read group, Change for the edit group
New-Item -Path 'C:\Shared Folder\' -Name $SF_Name_Folder -ItemType 'directory'
$Parameters = @{
    Name         = $SF_Name_Folder
    Path         = $SF_Name_Path
    ReadAccess   = $SF_Name_Read
    ChangeAccess = $SF_Name_Edit
}
New-SmbShare @Parameters
# NTFS rights for the AD groups, inherited by subfolders and files
$ACL = Get-Acl -Path $SF_Name_Path
$AccessRule  = New-Object System.Security.AccessControl.FileSystemAccessRule($SF_Name_Edit, 'ListDirectory,Read,ReadAndExecute,Write,Modify,FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$AccessRule2 = New-Object System.Security.AccessControl.FileSystemAccessRule($SF_Name_Read, 'ListDirectory,Read,ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$ACL.SetAccessRule($AccessRule)
$ACL.SetAccessRule($AccessRule2)
$ACL | Set-Acl -Path $SF_Name_Path

Folder

C:\Users\midpoint\Documents\

Name

shared_folder_delete.ps1

Code

param([string]$user_hr_id)

Import-Module ActiveDirectory

$SF_Name_Read   = 'Shared_Folder_READ_' + $user_hr_id
$SF_Name_Edit   = 'Shared_Folder_EDIT_' + $user_hr_id
$SF_Name_Folder = 'SF_' + $user_hr_id
$SF_Name_Path   = 'C:\Shared Folder\' + $SF_Name_Folder
$date = Get-Date -Format 'yyyyMMddHHmm'
# The data is kept: the folder is renamed to ARC_<timestamp>_SF_<hr_id>
$SF_NEW_Name_Folder = 'ARC_' + $date + '_SF_' + $user_hr_id

# Remove both groups from the folder ACL before the groups themselves are deleted
$acl = Get-Acl -Path $SF_Name_Path
foreach ($group in @($SF_Name_Read, $SF_Name_Edit)) {
    $groupid = New-Object System.Security.Principal.NTAccount($group)
    $acl.PurgeAccessRules($groupid)
}
$acl | Set-Acl -Path $SF_Name_Path

# Stop sharing the folder (removes only the share definition, not the data)
Remove-SmbShare -Name $SF_Name_Folder -Confirm:$false
# Archive the former shared folder under the new name
Rename-Item -Path $SF_Name_Path -NewName $SF_NEW_Name_Folder
# Delete the AD groups
Remove-ADGroup -Identity $SF_Name_Read -Confirm:$false
Remove-ADGroup -Identity $SF_Name_Edit -Confirm:$false

A network folder is created in C:\Shared Folder\

How the name is formed is also specified at the beginning of the script.

Users in AD must have employeeNumber filled in, and it must match personalNumber in Midpoint: this is the value the script searches by when it adds the owner to the edit group

Get-ADUser -Properties employeeNumber -Filter 'employeeNumber -eq $user_hr_id' | ForEach-Object {Add-ADGroupMember -Identity $SF_Name_Edit -Members $_.SamAccountName}
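As an added example (not part of the original post), here is a wrapper around shared_folder_create.ps1 that does the checks the script itself skips: user_hr_id arrives from the SSH connector command line and is used in group names and a filesystem path, so only a purely numeric personnel number is accepted; a repeated run for the same hr_id is skipped instead of failing halfway; and after creation it verifies that the read group really has only read access on both the share and the NTFS ACL. Paths, OU and the naming scheme are the ones used above; the wrapper itself and the log file location are my assumptions.

```powershell
param([Parameter(Mandatory)][string]$user_hr_id)
$ErrorActionPreference = 'Stop'

# Assumption: same naming scheme as shared_folder_create.ps1 above
$SF_Name_Read   = 'Shared_Folder_READ_' + $user_hr_id
$SF_Name_Edit   = 'Shared_Folder_EDIT_' + $user_hr_id
$SF_Name_Folder = 'SF_' + $user_hr_id
$SF_Name_Path   = 'C:\Shared Folder\' + $SF_Name_Folder
$LogPath        = 'C:\Users\midpoint\Documents\shared_folder.log'   # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') hr_id=$user_hr_id $Message" | Add-Content -Path $LogPath
}

# 1. The argument comes from the connector command line (%*) and ends up in AD group
#    names and a path, so accept nothing but a personnel number: digits only.
if ($user_hr_id -notmatch '^\d{1,20}$') {
    Write-Log 'REJECTED: hr_id is not numeric'
    throw "user_hr_id must be numeric, got '$user_hr_id'"
}

# 2. Do not recreate: a second run for the same hr_id must neither error out
#    halfway nor touch a folder that already holds data.
foreach ($g in @($SF_Name_Read, $SF_Name_Edit)) {
    if (Get-ADGroup -Filter "SamAccountName -eq '$g'") {
        Write-Log "SKIPPED: group $g already exists"; exit 0
    }
}
if ((Test-Path -LiteralPath $SF_Name_Path) -or (Get-SmbShare -Name $SF_Name_Folder -ErrorAction SilentlyContinue)) {
    Write-Log "SKIPPED: folder or share $SF_Name_Folder already exists"; exit 0
}

# 3. Run the original create script from the post
& 'C:\Users\midpoint\Documents\shared_folder_create.ps1' -user_hr_id $user_hr_id

# 4. Post-check: the read group must have Read on the share and no write rights on NTFS.
$readOnShare = Get-SmbShareAccess -Name $SF_Name_Folder |
    Where-Object { $_.AccountName -like "*\$SF_Name_Read" }
if (-not $readOnShare -or $readOnShare.AccessRight -ne 'Read') {
    Write-Log "CHECK FAILED: share access for $SF_Name_Read is '$($readOnShare.AccessRight)'"
    throw 'share permission check failed'
}
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$ntfsWrite = (Get-Acl -LiteralPath $SF_Name_Path).Access |
    Where-Object { $_.IdentityReference.Value -like "*\$SF_Name_Read" } |
    Where-Object { ($_.FileSystemRights -band $writeRights) -ne 0 }
if ($ntfsWrite) {
    Write-Log "CHECK FAILED: $SF_Name_Read has write rights in the NTFS ACL"
    throw 'ntfs permission check failed'
}
Write-Log "OK: created $SF_Name_Path with groups $SF_Name_Read / $SF_Name_Edit"
```

To use it, point the connector's command line at this wrapper instead of shared_folder_create.ps1; a non-zero exit makes the failure visible in the Midpoint operation result.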

In ADMINISTRATION\Role\All Roles we simply create a plain role called Create Shared Folder

We go to it, click Edit Raw

Insert before

the following code


        
            
                
            
            account
            Account SCV Shared Folder
        
    

- OID of the CSV Shared Folder resource, you will have your own

We check how it works. Let's take the user User A, he already has an account in the AD resource. We give him the Create Shared Folder role.

Let's look immediately in the file

/opt/midpoint/shared_folder.csv

a record appeared

87328348;10/10/2024 09:35:39;Егеров Егеров Ким;;;

Let's see in AD

Everything worked out!

2. Creating roles in Midpoint for the network folder groups from the AD resource

The read and edit groups for the user's network folder now exist in AD. In Midpoint they do not exist yet, if only because we have not yet started synchronizing these AD groups into Midpoint roles, and ordinary synchronization does not suit us: when these roles are created in Midpoint they need to get an approver for their assignment.

Therefore, in the Scheme Handler we configure a filter for the other AD groups. In Resources \ Your AD resource \ Scheme Handler \ Your AD group ALL \ Basic Attributes, on the second page, in Filter we write

attributes/cn not startsWith 'Shared_Folder_'

This Scheme Handler will only process AD groups that do not start with Shared_Folder_...

We create a Scheme Handler for network folders, I will call it Groups Shared Folder POC

In Resources \ Your AD resource \ Scheme Handler \ Add object type, fill in as in the pictures

Go to the created Schema Handler and edit further in the boxes

Groups Shared Folder POC\Mappings

02 - Here is the script

return true

05 - Here is the script (Win-ikpur723q06 is the hostname of the Windows server)

"Rights for user HRID:" + input + " shared folder path \\\\Win-ikpur723q06\\sf_" + input

06 - We write into the Documentation attribute the personnel number (HR ID) that the script put into the Description of the AD group

03-04 – this is the construction that assigns a role by OID; it can only be entered in the raw XML, so first create the mapping empty in the GUI and then fill it in via Edit Raw.


                    03 add POLICY add approver from role atribute
                    active
                    strong
                    
                        
                            c:RoleType
                            a0f4de80-c941-43bd-9216-966bc3a62d3e
                        
                    
                    
                        $focus/assignment
                    
                

The role that mapping 03 assigns (the one that will add the approver) has not been created yet. Mapping 04 assigns the same kind of role as for ordinary AD groups, only with its own names.

Groups Shared Folder POC\Synchronization

Groups Shared Folder POC\Correlation

That is almost everything for the Scheme Handler; what remains is to create the role that adds an approver to the network folder roles and to write its OID into mapping 03

The complete Scheme Handler Groups Shared Folder POC in raw form


            entitlement
            intent Groups Shared Folder POC
            Groups Shared Folder POC
            
                ri:group
                
                    attributes/cn startsWith 'Shared_Folder_'
                
            
            
                c:RoleType
            
            
                ri:cn
                
                    01 name is name
                    strong
                    
                        name
                    
                
                
                    02 set requestable mark
                    strong
                    
                        
                        
                    
                    
                        requestable
                    
                
                
                    03 add POLICY add approver from role atribute
                    active
                    strong
                    
                        
                            c:RoleType
                            a0f4de80-c941-43bd-9216-966bc3a62d3e
                        
                    
                    
                        $focus/assignment
                    
                
                
                    04 add ADD AD group SHARED FOLDER
                    active
                    strong
                    
                        
                            c:RoleType
                            99cefb8d-2aa8-4015-b427-b9fde2fe50a9
                        
                    
                    
                        $focus/assignment
                    
                
            
            
                ri:objectGUID
            
            
                ri:description
                
                    05 some human readable text
                    strong
                    
                        
                    
                    
                        description
                    
                
                
                    06 user HR id for approver set
                    strong
                    
                        documentation
                    
                
            
            
                ri:dn
                
                    07 dn for identifier
                    strong
                    
                        identifier
                    
                
            
            
                
                    
                        
                            c:identifier
                        
                    
                
            
            
                
                    unlinked
                    
                        
                    
                
                
                    linked
                    
                        
                    
                
                
                    unmatched
                    
                        
                    
                
            
        

An approver cannot be added through a mapping by any method known to me. Therefore we create a role with a policy that runs a script, and a script can do anything. This policy role is assigned to every AD group role created by the Scheme Handler Groups Shared Folder POC.

In ADMINISTRATION\Role\All Roles we simply create a plain role called POLICY add approver from role attribute

We go to it, click Edit Raw

Insert before

The following code


        
            add approver from role atribute
            
                
                    c:documentation
                
            
            
                
                    some script
                    
                        
                            
                                execute-script
                                
                                    script
                                    
                                        
import com.evolveum.midpoint.xml.ns._public.common.common_3.*
import com.evolveum.midpoint.prism.delta.builder.*
import com.evolveum.midpoint.model.api.*
import com.evolveum.midpoint.schema.constants.SchemaConstants
import javax.xml.namespace.QName

// The role whose documentation attribute changed; documentation holds the owner's HR id
role = midpoint.getObject(RoleType.class, input.oid)
userId = basic.stringify(role.documentation)

// Find the user with that personalNumber (exactly one is expected)
query_user = midpoint.queryFor(UserType.class, "personalNumber = \"${userId}\"")
result_USER = midpoint.searchObjects(query_user)
if (result_USER.isEmpty()) {
    log.warn("No user with personalNumber {} found for role {}", userId, input.oid)
    return
}
user = result_USER[0]

// Assign this role to the user with the approver relation
userApprover = new ObjectReferenceType()
userApprover.setOid(input.oid)
userApprover.setType(RoleType.COMPLEX_TYPE)
userApprover.setRelation(SchemaConstants.ORG_APPROVER)
addAssignment = new AssignmentType()
addAssignment.setTargetRef(userApprover)
delta = prismContext.deltaFor(UserType.class)
        .item(FocusType.F_ASSIGNMENT).add(addAssignment.asPrismContainerValue())
        .asObjectDelta(user.oid)
midpoint.modifyObject(delta, ModelExecuteOptions.createRaw())
midpoint.recompute(UserType.class, user.oid)


                                    
                                
                            
                        
                    
                
            
        
        c:RoleType
    

When the role's documentation attribute changes (this includes its first filling), the script runs and makes the person whose personnel number (HRID) is stored in the documentation attribute the approver of this role.

We take the OID of POLICY add approver from role attribute and insert it into mapping 03 of Groups Shared Folder POC

Now we can start synchronization of the Scheme Handler Groups Shared Folder POC in the AD resource

Group AD roles begin to appear

Name is the cn from AD (make sure it is unique in Midpoint as well as in AD). Description is filled in by the script in mapping 05, and Requestable is set to True.

User with ID number 87328348 is an approver of the Shared_Folder_EDIT_87328348 role.

3. Requesting rights to the network folder

We have two users with roles at Midpoint

User A

- End User

- Approver

- AD account

- Create Shared Folder

- Shared_Folder_EDIT_87328348

- Shared_Folder_EDIT_87328348

- Shared_Folder_READ_87328348

User B

- End User

- AD account

End User is a standard Midpoint role; what we need from it is that it lets the user log in to the Midpoint GUI and request roles marked as Requestable = True

Approver is a standard Midpoint role that lets the user approve requests for roles he is the approver of

Shared_Folder_EDIT_87328348 appears twice for the user; in the list the two entries look the same, but one is the membership assigned by AD sync and the other is the assignment with the approver relation.

Go to User B in Midpoint, go to Request Access and request the Shared_Folder_READ_87328348 role.

Now we go to Midpoint under User A, we see the incoming request, we approve it

We enter Midpoint again as User B, on the main page we can see in My accesses that the requested role has appeared, and the My Request itself can also be seen to have been approved.

Now we log in as User B on a Windows PC, if we logged in earlier, we log out and log in again, and we see that we can read, but not edit!
