[midPoint] UserTemplate - Role Assignment based on Org Assignment Property

Martin Marchese mmarchese at identicum.com
Thu Dec 1 13:26:27 CET 2016


Hi Ivan,

We have a support-3.4 environment (3.4.2-SNAPSHOT). With the same objects
that I sent in my last email. However, we still have no luck.

If you'd like to take a look at our installation, I can send you the URL and
credentials through a private channel so you can see it.

Thanks in advance


*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com

On Tue, Nov 22, 2016 at 10:06 AM, Ivan Noris <ivan.noris at evolveum.com>
wrote:

> Hi Martin,
>
> could you please try with midPoint built from git branch named support-3.4?
>
> Thanks,
>
> Ivan
>
> On 11/21/2016 03:48 PM, Martin Marchese wrote:
>
> Ivan,
>
> We ran the same test within a 3.4.1 environment and within a 3.5-SNAPSHOT
> one, with the same objects. It worked OK in 3.5-SNAPSHOT but again, it did
> not work in 3.4.1.
>
> Is there any package logging you recommend enabling in order to debug this?
>
> The following are our objects:
>
> Student Role:
> -------------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>   oid="00000000-0000-1de4-0004-000000000010">
>    <name>STUDENT</name>
> </role>
>
> Teacher Role:
> -------------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>   oid="00000000-0000-1de4-0004-000000000011">
>    <name>TEACHER</name>
> </role>
>
> MetaRole:
> --------------
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       oid="00000000-0000-1de4-0004-000000000099">
>    <name>META_ROL</name>
>    <inducement id="1">
>       <targetRef oid="00000000-0000-1de4-0004-000000000010" type="c:RoleType">STUDENT</targetRef>
>       <order>2</order>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'STUDENT'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
>    <inducement id="2">
>       <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"></targetRef>
>       <order>2</order>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'TEACHER'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
> </role>
>
> Org:
> ------
>
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      oid="00000000-0000-1de4-0010-000000000001">
>    <name>ORG21</name>
>    <assignment id="1">
>       <targetRef oid="00000000-0000-1de4-0004-000000000099" type="c:RoleType"></targetRef>
>    </assignment>
> </org>
>
>
> Org Assignment to User:
> -----------------------------------
>
> <assignment id="1">
>    <extension xmlns:icfcassig="http://midpoint.identicum.com/xml/ns/metaAssignment">
>       <icfcassig:metaRelation>STUDENT</icfcassig:metaRelation>
>    </extension>
>    <targetRef oid="00000000-0000-1de4-0010-000000000001" type="c:OrgType"><!-- ORG1 --></targetRef>
> </assignment>
>
> Thanks in Advance
>
>
> On Sat, Nov 19, 2016 at 8:52 AM, Ivan Noris <Ivan.Noris at evolveum.com>
> wrote:
>
>> Hi Martin,
>>
>> that's a surprise for me, because I'm not using master but a 3.4-based
>> branch... and the main logic is similar to what I'm using, even in older
>> versions...
>>
>> Did it just not work, or were there some errors displayed/logged? Maybe the
>> developers would know based on that behaviour.
>>
>> Regards,
>> Ivan
>>
>> ------------------------------
>>
>> *From: *"Martin Marchese" <mmarchese at identicum.com>
>> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
>> *Sent: *Friday, November 18, 2016 11:20:18 PM
>> *Subject: *Re: [midPoint] UserTemplate - Role Assignment based on Org Assignment Property
>>
>>
>> Thanks Ivan, that worked like a charm! And it's a very nice solution!
>>
>> However, just to let you know, it worked only on a midPoint 3.5 snapshot;
>> we tested it in 3.4.1 with no luck.
>>
>> Regards
>>
>>
>> On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>> Hi,
>>>
>>> there might be a way to do this in an object template, but it could be
>>> complicated.
>>>
>>> I would probably try metarole instead:
>>>
>>> 1. all organizations should have a metarole assigned (not induced)
>>>
>>> 2. roles STUDENT and TEACHER will be defined by you to do whatever is
>>> needed for users
>>>
>>> 3. the metarole would have two order=2 inducements for users which have
>>> the organization assigned. One of the inducements would induce the STUDENT
>>> role if the assignment parameter metaRelation for "this" organization is
>>> STUDENT. The other would assign the TEACHER role if the assignment
>>> parameter for "this" organization is TEACHER. The inducements would be
>>> indirect, i.e. you would not see the STUDENT/TEACHER role assigned in the
>>> user's Assignments tab *(this may or may not be a problem for you)*.
>>>
>>> Technically it would mean that one person with 20 organizations assigned
>>> as TEACHER would end up with 20 assignments of the same role TEACHER, but I
>>> believe that midPoint will "normalize" this and only one role TEACHER would
>>> really be assigned.
>>>
>>> The metarole should look similar to this (untested):
>>>
>>> <role ...>
>>>   <name>Teacher/Student Org Metarole</name>
>>>   <inducement>
>>>     <targetRef oid="00000000-dc00-dc00-0004-000000000078" type="c:RoleType"><!-- STUDENT --></targetRef>
>>>     <condition>
>>>       <source>
>>>         <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace -->
>>>       </source>
>>>       <expression>
>>>         <script>
>>>           <code>metaRelation == 'STUDENT'</code>
>>>         </script>
>>>       </expression>
>>>     </condition>
>>>     <focusType>c:UserType</focusType><!-- to apply only to users even if organization is assigned to another organization -->
>>>     <order>2</order><!-- to apply to users which have the organization assigned -->
>>>   </inducement>
>>>   <inducement>
>>>     <targetRef oid="00000000-dc00-dc00-0004-000000000111" type="c:RoleType"><!-- TEACHER --></targetRef>
>>>     <condition>
>>>       <source>
>>>         <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace -->
>>>       </source>
>>>       <expression>
>>>         <script>
>>>           <code>metaRelation == 'TEACHER'</code>
>>>         </script>
>>>       </expression>
>>>     </condition>
>>>     <focusType>c:UserType</focusType>
>>>     <order>2</order>
>>>   </inducement>
>>> </role>
>>>
>>> I hope I'm correct. I have done similar stuff, but not this specific one.
>>>
>>> Regards,
>>>
>>> Ivan
>>> On 11/18/2016 06:44 PM, Martin Marchese wrote:
>>>
>>> Hi Ivan thanks for your answer,
>>>
>>> Yes that's correct, they should be assigned without any parameters based
>>> on the org assignment types.
>>>
>>> Regards
>>>
>>>
>>> On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>> Hi Martin,
>>>>
>>>> are the STUDENT and TEACHER roles "static" in terms of assignment
>>>> parameters? They are (should be) just assigned without any parameters
>>>> whenever the user has any org with a STUDENT-type assignment or any role
>>>> with a TEACHER-type assignment?
>>>>
>>>>
>>>> Ivan
>>>>
>>>>
>>>> On 11/16/2016 08:37 PM, Martin Marchese wrote:
>>>>
>>>> Hi All,
>>>>
>>>> We had our AssignmentType extended with a "metaRelation" extension
>>>> property.
>>>>
>>>> Users are assigned to an OrgType
>>>>
>>>> Our OrgType represents schools, and within this "metaRelation" property
>>>> we store whether the assigned user is a STUDENT or a TEACHER.
>>>>
>>>> Besides, we have 2 Roles (STUDENT and TEACHER roles).
>>>>
>>>> We would like to use our user template to assign the corresponding role
>>>> to the user based on which "metaRelation" it has within the Org.
>>>>
>>>> Users could be STUDENT and/or TEACHER on more than one Org, so while
>>>> the user has at least one of these assignments, it needs to have the
>>>> corresponding role assigned.
>>>>
>>>> We are wondering whether there's a way to query the user's Org assignments
>>>> within the template and use them as the source for the target role assignment.
>>>>
>>>> Is this the best/correct way to do it? Do you recommend any other way?
>>>>
>>>> Thanks in Advance
>>>> Regards,
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>> --
>>>> Ivan Noris
>>>> Senior Identity Engineer
>>>> evolveum.com
>>>>
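The following is an added example, not midPoint code and not from anyone in this thread: a small Python model of the evaluation chain Ivan describes (user assigned to an org with a `metaRelation` assignment-extension property, org assigned the metarole, metarole carrying order=2 inducements with `focusType` UserType whose condition reads `$focusAssignment`). It assumes that the condition is evaluated against the member's own org assignment, that `focusType` excludes non-user foci, and that repeated inducements of one role collapse into a single effective role; OIDs come from the posted objects, ORG22 is constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set
# OIDs taken from the objects posted in this thread; ORG22 is constructed here.
STUDENT_OID = "00000000-0000-1de4-0004-000000000010"
TEACHER_OID = "00000000-0000-1de4-0004-000000000011"
METAROLE_OID = "00000000-0000-1de4-0004-000000000099"
ORG21_OID = "00000000-0000-1de4-0010-000000000001"
ORG22_OID = "00000000-0000-1de4-0010-000000000002"  # constructed second school

@dataclass
class Assignment:
    target_oid: str
    target_type: str                                   # "OrgType" or "RoleType"
    extension: Dict[str, str] = field(default_factory=dict)  # e.g. metaRelation

@dataclass
class Inducement:
    target_oid: str
    order: int
    focus_type: str                                    # the <focusType> element
    condition: Callable[[Dict[str, str]], bool]        # on $focusAssignment/extension

# META_ROL: two order=2 inducements restricted to users, as posted in the thread.
METAROLES: Dict[str, List[Inducement]] = {METAROLE_OID: [
    Inducement(STUDENT_OID, 2, "UserType", lambda ext: ext.get("metaRelation") == "STUDENT"),
    Inducement(TEACHER_OID, 2, "UserType", lambda ext: ext.get("metaRelation") == "TEACHER"),
]}
# Step 1 of the recipe: every org is *assigned* the metarole (not induced).
ORGS: Dict[str, List[Assignment]] = {
    ORG21_OID: [Assignment(METAROLE_OID, "RoleType")],
    ORG22_OID: [Assignment(METAROLE_OID, "RoleType")],
}

def induced_roles(focus_type: str, focus_assignments: List[Assignment]) -> Set[str]:
    """Roles a focus gets via order-2 inducements of the metaroles assigned to its
    orgs. The set models repeated inducements of one role collapsing into one."""
    roles: Set[str] = set()
    for org_assignment in focus_assignments:
        if org_assignment.target_type != "OrgType":
            continue
        for meta in ORGS.get(org_assignment.target_oid, []):
            for ind in METAROLES.get(meta.target_oid, []):
                # order=2 lands on the org's members; focusType excludes non-users.
                if ind.order != 2 or ind.focus_type != focus_type:
                    continue
                # $focusAssignment is the member's own assignment to the org.
                if ind.condition(org_assignment.extension):
                    roles.add(ind.target_oid)
    return roles
```

A user assigned as TEACHER to both orgs ends up with a single TEACHER role, an org assigned to an org gets nothing, and an org assignment without `metaRelation` grants neither role.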