Emulating RBAC using FIM Service and Portal

Hi!

I am trying to create a simple RBAC using the standard objects of FIM Service. So I am associating the type "Set" with a role, extending it with a multivalued reference attribute "ListOfPermissions". I want to achieve the following behavior: when a user dynamically joins the set, the MPR executes a custom workflow that adds this user to the members of the corresponding permission object. Rather simple, BUT is there a way not to specify an MPR for every set manually, but to specify it once with logic such as: when someone joins any set with the IsRole flag set to 1, the MPR is executed, etc., as described above? The straightforward methods have not yielded results.

Need any help, thanks in advance!

March 25th, 2014 7:03am

I am using the idea from here and some other similar sources.

But I do not understand how to achieve such behaviour without specifying an MPR for each set. I think such an architecture is very hard to support. For example, if local admins want to add a new role, they need to add at least a set, the corresponding entitlements, and two MPRs with special workflows; it is not user-friendly, I think.

Somebody who has implemented RBAC using FIM Service and Portal, please share your ideas; I will be very grateful!

March 25th, 2014 1:06pm

is there a way (...) to specify it once with logic such as: when someone joins any set with the IsRole flag set to 1, the MPR is executed, etc., as described above?

Yes, there is: you have to create a Set that has the members of other sets inside it. Let's say "Master Set". Then you can create an MPR that runs a MasterWorkflow after entering the Master Set.

But here is the tricky part: if you have multiple sets with the IsRole flag and each set gives a different role assignment, in the workflow you have to check where the user belongs (to which set) and calculate his membership based on that.

So I am not really sure it would be easier. Even if it would look cleaner in the FIM Portal, it would be harder to check what went wrong in case of a failure. And it would be harder to add new roles/sets, as you would have to rebuild such a workflow.

March 26th, 2014 1:22pm

Hi Dominik,

thank you again!

This may be a stupid question, but how do I set the condition to form a set that contains all members of the sets which have the IsRole flag set to 1? This is my actual problem :)

March 27th, 2014 4:22am

After thinking about it, the easiest way here would be to create a criteria-based Set, where the criteria is something like here:

But you would have to remember to add additional Sets here once your RBAC model grows.

March 27th, 2014 9:28am

Dominik, thank you very much!

I think it is a more suitable solution than creating separate MPRs. Thank you again!

Now I only need to decide how to send the workflow information about which set exactly the user joined. But I hope that I will solve this problem :)

March 27th, 2014 9:39am
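The workflow logic Dominik describes (check which IsRole sets the user belongs to and calculate membership from that) and the open question about telling the workflow which set was joined both point to the same design: recompute the user's permission memberships from the full current state instead of reacting to a single join. The following is an added example modelling that reconciliation in Python; it is not FIM code and not from anyone in the thread, and the set ids, permission ids and function names are assumptions on top of the thread's IsRole flag and ListOfPermissions attribute.

```python
# Constructed sample data: role Sets carry an IsRole flag and a
# ListOfPermissions attribute, as in the thread. Ids are made up.
ROLE_SETS = {
    "set-finance": {"IsRole": True, "ListOfPermissions": {"perm-erp-read", "perm-erp-post"}},
    "set-hr": {"IsRole": True, "ListOfPermissions": {"perm-hris-read"}},
    "set-all-users": {"IsRole": False, "ListOfPermissions": set()},
}

# Permissions governed by RBAC: only these may be revoked by the workflow,
# so a permission granted outside the role model is never stripped.
MANAGED = set().union(*(s["ListOfPermissions"] for s in ROLE_SETS.values()))


def role_sets_for(user_memberships):
    """Return the IsRole sets the user is currently a member of."""
    return {s for s in user_memberships if ROLE_SETS.get(s, {}).get("IsRole")}


def expected_permissions(user_memberships):
    """Union of ListOfPermissions over every IsRole set the user belongs to."""
    perms = set()
    for s in role_sets_for(user_memberships):
        perms |= ROLE_SETS[s]["ListOfPermissions"]
    return perms


def reconcile(user_memberships, current_permissions):
    """Compute the member changes to apply to the permission objects.

    Because the result is derived from all of the user's set memberships,
    the workflow does not need to know which Set triggered it, and a user
    leaving a role set is handled by the same code path as a join.
    """
    expected = expected_permissions(user_memberships)
    current = set(current_permissions)
    return {
        "add": sorted(expected - current),
        "remove": sorted((current - expected) & MANAGED),
    }
```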

