[midPoint] UserTemplate - Role Assignment based on Org Assignment Property

Martin Marchese mmarchese at identicum.com
Mon Nov 21 15:48:44 CET 2016


Ivan,

We ran the same test within a 3.4.1 environment and within a 3.5-SNAPSHOT
one. Same objects. It worked OK in 3.5-SNAPSHOT but again, it did not work
in 3.4.1.

Is there any package logging you recommend enabling in order to debug this?

The following are our objects:

Student Role:
-------------------

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
  oid="00000000-0000-1de4-0004-000000000010">
   <name>STUDENT</name>
</role>

Teacher Role:
-------------------

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
  oid="00000000-0000-1de4-0004-000000000011">
   <name>TEACHER</name>
</role>

MetaRole:
--------------

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="00000000-0000-1de4-0004-000000000099">
   <name>META_ROL</name>
   <inducement id="1">
      <targetRef oid="00000000-0000-1de4-0004-000000000010"
                 type="c:RoleType"><!-- STUDENT --></targetRef>
      <order>2</order>
      <focusType>UserType</focusType>
      <condition>
         <source>
            <c:path>$focusAssignment/extension/metaRelation</c:path>
         </source>
         <expression>
            <script>
               <code>metaRelation == 'STUDENT'</code>
            </script>
         </expression>
      </condition>
   </inducement>
   <inducement id="2">
      <targetRef oid="00000000-0000-1de4-0004-000000000011"
                 type="c:RoleType"><!-- TEACHER --></targetRef>
      <order>2</order>
      <focusType>UserType</focusType>
      <condition>
         <source>
            <c:path>$focusAssignment/extension/metaRelation</c:path>
         </source>
         <expression>
            <script>
               <code>metaRelation == 'TEACHER'</code>
            </script>
         </expression>
      </condition>
   </inducement>
</role>

Org:
------

<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="00000000-0000-1de4-0010-000000000001">
   <name>ORG21</name>
   <assignment id="1">
      <targetRef oid="00000000-0000-1de4-0004-000000000099"
                 type="c:RoleType"><!-- META_ROL --></targetRef>
   </assignment>
</org>


Org Assignment to User:
-----------------------------------

<assignment id="1"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
   <extension xmlns:icfcassig="http://midpoint.identicum.com/xml/ns/metaAssignment">
      <icfcassig:metaRelation>STUDENT</icfcassig:metaRelation>
   </extension>
   <targetRef oid="00000000-0000-1de4-0010-000000000001"
              type="c:OrgType"><!-- ORG21 --></targetRef>
</assignment>

Thanks in Advance

*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com

On Sat, Nov 19, 2016 at 8:52 AM, Ivan Noris <Ivan.Noris at evolveum.com> wrote:

> Hi Martin,
>
> that's a surprise for me, because I'm not using master but 3.4-based
> branch... and the main logic is similar to what I'm using, even in older
> versions...
>
> Did it just not work, or were there some errors displayed/logged? Maybe the
> developers would know based on that behaviour.
>
> Regards,
> Ivan
>
> ------------------------------
>
> *From: *"Martin Marchese" <mmarchese at identicum.com>
> *To: *"midPoint General Discussion" <midpoint at lists.evolveum.com>
> *Sent: *Friday, November 18, 2016 11:20:18 PM
> *Subject: *Re: [midPoint] UserTemplate - Role Assignment based on
> Org Assignment Property
>
>
> Thanks Ivan that worked like charm! And it's a very nice solution!
>
> However, just to let you know, it worked only on MidPoint 3.5 snapshot, we
> tested that in 3.4.1 with no luck.
>
> Regards
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com
> www.identicum.com
>
> On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>> Hi,
>>
>> there might be a way to do this in object template, but it could be
>> complicated.
>>
>> I would probably try metarole instead:
>>
>> 1. all organizations should have a metarole assigned (not induced)
>>
>> 2. roles STUDENT and TEACHER will be defined by you to do whatever needed
>> for users
>>
>> 3. the metarole would have two order=2 inducements for users which have
>> the organization assigned. One of the inducements would induce the STUDENT
>> role if the assignment parameter metaRelation for "this" organization is
>> STUDENT. The other would assign the TEACHER role if the assignment
>> parameter for "this" organization is TEACHER. The inducements would be
>> indirect, i.e. you would not see the STUDENT/TEACHER role assigned in
>> user's Assignments tab *(this may or may not be a problem for you)*.
>>
>> Technically it would mean that one person with 20 organizations assigned
>> as TEACHER would end up with 20 assignments of the same role TEACHER, but I
>> believe that midPoint will "normalize" this and only one role TEACHER would
>> really be assigned.
>>
>> The metarole should look similar to this (untested):
>>
>> <role ...>
>>   <name>Teacher/Student Org Metarole</name>
>>   <inducement>
>>     <targetRef oid="00000000-dc00-dc00-0004-000000000078"
>>                type="c:RoleType"><!-- STUDENT --></targetRef>
>>     <condition>
>>       <source>
>>         <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace -->
>>       </source>
>>       <expression>
>>         <script>
>>           <code>metaRelation == 'STUDENT'</code>
>>         </script>
>>       </expression>
>>     </condition>
>>     <!-- to apply only to users even if organization is assigned to another organization -->
>>     <focusType>c:UserType</focusType>
>>     <!-- to apply to users which have the organization assigned -->
>>     <order>2</order>
>>   </inducement>
>>   <inducement>
>>     <targetRef oid="00000000-dc00-dc00-0004-000000000111"
>>                type="c:RoleType"><!-- TEACHER --></targetRef>
>>     <condition>
>>       <source>
>>         <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace -->
>>       </source>
>>       <expression>
>>         <script>
>>           <code>metaRelation == 'TEACHER'</code>
>>         </script>
>>       </expression>
>>     </condition>
>>     <focusType>c:UserType</focusType>
>>     <order>2</order>
>>   </inducement>
>> </role>
>>
>> I hope I'm correct. I have done similar stuff, but not this specific one.
>>
>> Regards,
>>
>> Ivan
>> On 11/18/2016 06:44 PM, Martin Marchese wrote:
>>
>> Hi Ivan thanks for your answer,
>>
>> Yes that's correct, they should be assigned without any parameters based
>> on the org assignment types.
>>
>> Regards
>>
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> mmarchese at identicum.com
>> www.identicum.com
>>
>> On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>>> Hi Martin,
>>>
>>> the STUDENT and TEACHER roles are "static" in terms of assignment
>>> parameters? They are (should be) just assigned without any parameters
>>> whenever the user has any org with STUDENT-type assignment or any role with
>>> TEACHER-type assignment?
>>>
>>>
>>> Ivan
>>>
>>>
>>> On 11/16/2016 08:37 PM, Martin Marchese wrote:
>>>
>>> Hi All,
>>>
>>> We had our AssignmentType extended with a "metaRelation" extension
>>> property.
>>>
>>> Users are assigned to an OrgType
>>>
>>> Our OrgType represents schools, and within this "metaRelation" property
>>> we store whether the assigned user is a STUDENT or a TEACHER.
>>>
>>> Besides, we have 2 Roles (STUDENT and TEACHER roles).
>>>
>>> We would like to use our user template to assign the corresponding role
>>> to the user based on which "metaRelation" it has within the Org.
>>>
>>> Users could be STUDENT and/or TEACHER on more than one Org, so while the
>>> user has at least one of these assignments, it needs to have the
>>> corresponding role assigned.
>>>
>>> We are thinking if there's a way to query the user Org assignments
>>> within the template and use it as source for the target role assignment.
>>>
>>> Is this the best/correct way to do it? Do you recommend any other way?
>>>
>>> Thanks in Advance
>>> Regards,
>>>
>>> *Ing. Martín Marchese*
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050
>>> mmarchese at identicum.com
>>> www.identicum.com
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> --
>>> Ivan Noris
>>> Senior Identity Engineer
>>> evolveum.com
>>>
>>>
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>>
>>
>>
>
>
>
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
>
>
>
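The metarole pattern Ivan describes and Martin's objects implement, modelled as an added example (this is illustration code written for this page, not midPoint's evaluation engine and not from anyone in the thread): a user is assigned orgs, each org is assigned the metarole, and the metarole's order=2 inducements give the user STUDENT or TEACHER depending on the metaRelation parameter stored on the user's own org assignment ($focusAssignment). The role, metarole and ORG21 OIDs are the ones posted above; the extra orgs, the users and the "constructed-oid-..." identifiers are constructed. It goes beyond the thread's single-org case to show that many TEACHER orgs still collapse to one TEACHER role, that the role disappears with the last qualifying org, that a missing metaRelation yields nothing, and that the focusType guard keeps an org assigned under ORG21 from picking up user roles.

```python
"""Toy model of the metarole pattern discussed in the thread.

Added illustration for this page, not midPoint code.  Role, metarole and
ORG21 OIDs are the ones posted in the thread; the other orgs, the users and
every "constructed-oid-..." value are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

STUDENT_OID = "00000000-0000-1de4-0004-000000000010"
TEACHER_OID = "00000000-0000-1de4-0004-000000000011"
METAROLE_OID = "00000000-0000-1de4-0004-000000000099"
ORG21_OID = "00000000-0000-1de4-0010-000000000001"


@dataclass
class Assignment:
    target_oid: str
    extension: Dict[str, str] = field(default_factory=dict)  # e.g. {"metaRelation": "STUDENT"}


@dataclass
class Inducement:
    target_oid: str
    order: int
    focus_type: str                               # "UserType" in the thread's metarole
    condition: Callable[[Dict[str, str]], bool]   # evaluated on $focusAssignment/extension


@dataclass
class Obj:
    oid: str
    kind: str                                     # "RoleType", "OrgType" or "UserType"
    name: str
    assignments: List[Assignment] = field(default_factory=list)
    inducements: List[Inducement] = field(default_factory=list)


def effective_roles(focus: Obj, repo: Dict[str, Obj]) -> Set[str]:
    """Role OIDs the focus object ends up with.

    Walks focus -> assigned org (order 1) -> the org's assigned metarole and
    applies each order=2 inducement whose focusType matches the focus and
    whose condition holds for the focus's own org assignment.  Returning a
    set is the "normalization" from the thread: twenty TEACHER orgs still
    give a single TEACHER role.
    """
    roles: Set[str] = set()
    for focus_assignment in focus.assignments:
        target = repo[focus_assignment.target_oid]
        if target.kind == "RoleType":
            roles.add(target.oid)                 # plain direct role assignment
            continue
        for org_assignment in target.assignments:  # what the org itself is assigned
            metarole = repo[org_assignment.target_oid]
            for ind in metarole.inducements:
                if ind.order != 2 or ind.focus_type != focus.kind:
                    continue                      # wrong distance or wrong focus type
                if ind.condition(focus_assignment.extension):
                    roles.add(ind.target_oid)
    return roles


def build_repo() -> Dict[str, Obj]:
    """The thread's objects plus two constructed orgs assigned the same metarole."""
    metarole = Obj(METAROLE_OID, "RoleType", "META_ROL", inducements=[
        Inducement(STUDENT_OID, 2, "UserType", lambda ext: ext.get("metaRelation") == "STUDENT"),
        Inducement(TEACHER_OID, 2, "UserType", lambda ext: ext.get("metaRelation") == "TEACHER"),
    ])
    orgs = [Obj(ORG21_OID, "OrgType", "ORG21", assignments=[Assignment(METAROLE_OID)]),
            Obj("constructed-oid-org22", "OrgType", "ORG22", assignments=[Assignment(METAROLE_OID)]),
            Obj("constructed-oid-org23", "OrgType", "ORG23", assignments=[Assignment(METAROLE_OID)])]
    objs = [Obj(STUDENT_OID, "RoleType", "STUDENT"), Obj(TEACHER_OID, "RoleType", "TEACHER"),
            metarole, *orgs]
    return {o.oid: o for o in objs}


def make_user(name: str, org_relations: List[tuple]) -> Obj:
    """Constructed user; org_relations is [(org_oid, metaRelation or None), ...]."""
    assignments = [Assignment(oid, {} if rel is None else {"metaRelation": rel})
                   for oid, rel in org_relations]
    return Obj("constructed-oid-" + name, "UserType", name, assignments=assignments)


if __name__ == "__main__":
    repo = build_repo()
    alice = make_user("alice", [(ORG21_OID, "STUDENT"), ("constructed-oid-org22", "TEACHER"),
                                ("constructed-oid-org23", "TEACHER")])
    print(sorted(repo[o].name for o in effective_roles(alice, repo)))  # ['STUDENT', 'TEACHER']
    # Drop every TEACHER org: the induced TEACHER role goes away with the last one.
    alice.assignments = [a for a in alice.assignments if a.extension.get("metaRelation") != "TEACHER"]
    print(sorted(repo[o].name for o in effective_roles(alice, repo)))  # ['STUDENT']
```

The point worth checking in a real deployment is the same one the model makes explicit: the STUDENT/TEACHER roles are never stored on the user, so entitlement reviews and offboarding checks have to look at the effective (evaluated) roles, and the focusType guard is what stops an org placed under ORG21 from inheriting user entitlements.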