[midPoint] UserTemplate - Role Assignment based on Org Assignment Property

Ivan Noris ivan.noris at evolveum.com
Fri Nov 18 20:19:20 CET 2016


Hi,

There might be a way to do this in an object template, but it could be
complicated.

I would probably try metarole instead:

1. all organizations should have a metarole assigned (not induced)

2. roles STUDENT and TEACHER will be defined by you to do whatever
needed for users

3. the metarole would have two order=2 inducements for users which have
the organization assigned. One of the inducements would induce the
STUDENT role if the assignment parameter metaRelation for "this"
organization is STUDENT. The other would induce the TEACHER role if the
assignment parameter for "this" organization is TEACHER. The inducements
would be indirect, i.e. you would not see the STUDENT/TEACHER role
assigned in the user's Assignments tab *(this may or may not be a problem
for you)*.

Technically it would mean that one person with 20 organizations assigned
as TEACHER would end up with 20 assignments of the same role TEACHER, but I
believe that midPoint will "normalize" this and only one TEACHER role
would be assigned in reality.

The metarole should look similar to this (untested):

<role ...>

  <name>Teacher/Student Org Metarole</name>

  <!-- The metarole is assigned to organizations (order 1). An order=2
       inducement therefore applies to the users that have the organization
       assigned, not to the organization itself. -->
  <inducement>
    <targetRef oid="00000000-dc00-dc00-0004-000000000078"
               type="c:RoleType"><!-- STUDENT --></targetRef>

    <!-- The condition reads the metaRelation parameter of the user's own
         org assignment ($focusAssignment). Assignment extension properties
         live in the assignment's extension container; xyz is your
         extension namespace. The source variable takes its name from the
         last path segment, i.e. metaRelation. -->
    <condition>
      <source>
        <path>$focusAssignment/extension/xyz:metaRelation</path>
      </source>
      <expression>
        <script>
          <code>metaRelation == 'STUDENT'</code>
        </script>
      </expression>
    </condition>

    <!-- Apply only to users, even if the organization is assigned to
         another organization. -->
    <focusType>c:UserType</focusType>

    <!-- Apply to users which have the organization assigned. -->
    <order>2</order>
  </inducement>

  <inducement>
    <targetRef oid="00000000-dc00-dc00-0004-000000000111"
               type="c:RoleType"><!-- TEACHER --></targetRef>

    <!-- Same source as above; only the compared value differs. -->
    <condition>
      <source>
        <path>$focusAssignment/extension/xyz:metaRelation</path>
      </source>
      <expression>
        <script>
          <code>metaRelation == 'TEACHER'</code>
        </script>
      </expression>
    </condition>

    <focusType>c:UserType</focusType>

    <order>2</order>
  </inducement>
</role>

I hope I'm correct. I have done similar stuff, but not this specific one.

Regards,

Ivan

On 11/18/2016 06:44 PM, Martin Marchese wrote:
> Hi Ivan thanks for your answer,
>
> Yes that's correct, they should be assigned without any parameters
> based on the org assignment types.
>
> Regards
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com <mailto:mmarchese at identicum.com>
> www.identicum.com <http://www.identicum.com>
>
> On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Martin,
>
>     the STUDENT and TEACHER roles are "static" in means of assignment
>     parameters? They are (should be) just assigned without any
>     parameters whenever the user has any org with STUDENT-type assignment
>     or any role with TEACHER-type assignment?
>
>
>     Ivan
>
>
>     On 11/16/2016 08:37 PM, Martin Marchese wrote:
>>     Hi All,
>>
>>     We had our AssignmentType extended with a "metaRelation"
>>     extension property.
>>
>>     Users are assigned to an OrgType
>>
>>     Our OrgType represents schools and within this "metaRelation"
>>     property, we store whether the assigned user is a STUDENT or a
>>     TEACHER.
>>
>>     Besides, we have 2 Roles (STUDENT and TEACHER roles).
>>
>>     We would like to use our user template to assign the
>>     corresponding role to the user based on which "metaRelation" it
>>     has within the Org.
>>
>>     Users could be STUDENT and/or TEACHER on more than one Org, so
>>     while the user has at least one of these assignments, it needs to
>>     have the corresponding role assigned.
>>
>>     We are thinking if there's a way to query the user Org
>>     assignments within the template and use it as source for the
>>     target role assignment.
>>
>>     Is this the best/correct way to do it? Do you recommend any other
>>     way?
>>
>>     Thanks in Advance
>>     Regards,
>>
>>     *Ing. Martín Marchese*
>>     Identicum S.A.
>>     Jorge Newbery 3226
>>     Tel: +54 (11) 4552-3050
>>     mmarchese at identicum.com <mailto:mmarchese at identicum.com>
>>     www.identicum.com <http://www.identicum.com>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>
-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
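As an added example (not part of Ivan's message or of midPoint's own samples), here are the objects on the other end of the chain: organizations that have the metarole assigned (step 1) and a user whose org assignments carry the metaRelation parameter that the metarole's conditions read. OIDs, the xyz namespace URI and object names are placeholders, and the assignment extension schema defining xyz:metaRelation is assumed to exist already, as Martin describes.

```xml
<!-- Constructed example objects; OIDs and the xyz namespace URI are placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:xyz="http://example.com/xml/ns/xyz">

    <!-- Step 1: each organization has the metarole ASSIGNED (not induced).
         The metarole's order=1 inducements would apply to the org itself;
         its order=2 inducements apply to users that have the org assigned. -->
    <org oid="PLACEHOLDER-ORG-A-OID">
        <name>School A</name>
        <assignment>
            <targetRef oid="PLACEHOLDER-METAROLE-OID" type="c:RoleType"/><!-- Teacher/Student Org Metarole -->
        </assignment>
    </org>

    <org oid="PLACEHOLDER-ORG-B-OID">
        <name>School B</name>
        <assignment>
            <targetRef oid="PLACEHOLDER-METAROLE-OID" type="c:RoleType"/>
        </assignment>
    </org>

    <!-- The user: two org assignments, each carrying the metaRelation parameter
         in the assignment's extension container (this is what
         $focusAssignment/extension/xyz:metaRelation resolves to). Evaluated
         against the metarole, the first assignment satisfies the TEACHER
         condition and the second the STUDENT condition, so the user ends up
         with both roles, indirectly. -->
    <user oid="PLACEHOLDER-USER-OID">
        <name>jdoe</name>
        <assignment>
            <extension>
                <xyz:metaRelation>TEACHER</xyz:metaRelation>
            </extension>
            <targetRef oid="PLACEHOLDER-ORG-A-OID" type="c:OrgType"/>
        </assignment>
        <assignment>
            <extension>
                <xyz:metaRelation>STUDENT</xyz:metaRelation>
            </extension>
            <targetRef oid="PLACEHOLDER-ORG-B-OID" type="c:OrgType"/>
        </assignment>
    </user>
</objects>
```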