Task #3390
closed
Allow adding multiple system mappings to a single role
80%
Description
Use case
System S1 (e.g. Active Directory) containing
- User accounts
- Admin accounts
- Technical accounts
- Groups
All object types are being synchronized to the identity manager (User and admin accounts as identity accounts - Personal and other, Technical accounts as technical accounts and Groups as Roles).
We want to:
- Synchronize group memberships from the end system to the identity manager (role representing a given group is being assigned to the account owner in the IdM) - already possible
- Be able to add all of the mentioned objects to the group by assigning a role to either of them (Personal and technical accounts) - the aim of this ticket
The issue
Currently, it is forbidden to add multiple mappings to the same system to a single role. In practice, this means that in order to achieve the use case above, the user must either:
- Create a specific role for each account type (system mapping), or
- Create multiple systems (one for each account type) and add mappings to those systems to the role representing the desired group.
Solution
To prevent the issue mentioned above, we will remove the constraint on adding multiple mappings from the same system to a single role. The goal of this ticket is to remove the constraint, analyze what the initial need for the constraint was, and make sure nothing breaks by removing it.