[midPoint] Mapping problems

Pertti Kellomäki pertti.kellomaki at datactica.fi
Thu Nov 24 10:56:50 CET 2016


On 23.11.2016 16:32, Ivan Noris wrote:

> Ah, so you are creating groups only when you assign the role to user...?
>
Yes. Here's the problem statement:

* There is a smallish fixed set of services, say X, Y, Z.
* An unbounded set of organizations A, B, C, ... can take those services 
in use. Different people in the organizations have different usage 
rights to the services, say 'reader' and 'writer'. It is possible for a 
person to have different rights in the context of different organizations.
* I need to answer queries of the form "which rights does user U have 
for service X as a member of organization A?"

My game plan is to model the usage rights as ldap groups. User U having 
'reader' rights for service X as a member of organization A maps to U 
being member of the ldap group 'cn=reader,ou=X,ou=A'.

So far I have the following roles:
   'reader': induces group creation in ldap. The dn of the group is 
constructed by a Groovy script from the orgRef given when role is 
assigned to user, and the name of the previous role in the inducement chain.
   'writer': ditto

   'X reader': induces role 'reader'
   'X writer': induces role 'writer'
   same for services Y and Z.

The reason I was attempting to move ldap group creation from the 
'reader' and 'writer' roles into the resource was this fragment of xml 
in the ldap group metarole in the samples:

    <association>
        <ref>ri:ldapGroup</ref>
        <outbound>
            <strength>strong</strength>
            <expression>
                <associationFromLink>
                    <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>ldapGroup</intent>
                    </projectionDiscriminator>
                </associationFromLink>
            </expression>
        </outbound>
    </association>


If I interpret this correctly, it says "make a projection of 
<kind>entitlement</kind><intent>ldapGroup</intent>, and associate the 
focal object with that group".

So my thinking was that if I could move the calculation of the group 
name into the resource, I could use the same expression. But as it does 
not seem possible, do I simply need to copy here the Groovy script I use 
for calculating the group name in the inducement that creates the group? 
My first instinct was to avoid code duplication by refactoring, but it 
seems it may not be practical in this case.

Thanks, Pertti
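The mapping described in the message above, written out as an added example in plain Python. It is not part of the original post and not midPoint or Groovy code; it only models the rule "right R for service S as a member of organization O" <-> LDAP group "cn=R,ou=S,ou=O" and answers the query "which rights does user U have for service X as a member of organization A?" from the DNs of U's group memberships. The base DN, the sample membership list and the organization names are constructed for the example; the post gives none of them. The point worth adding for anyone building group DNs from externally supplied organization names in a script: the value must be RFC 4514-escaped, otherwise a name containing a comma (or '+', '"', '\', '<', '>', ';') changes where in the tree the group ends up, or makes the DN unparseable.

```python
"""Added example (not from the mailing-list post, not midPoint code).

Models: right R for service S in organization O  <->  'cn=R,ou=S,ou=O,<base>'.
BASE_DN and all sample data are assumptions constructed for this example.
"""
import string
from typing import Iterable, List, Optional, Set, Tuple

BASE_DN = "dc=example,dc=org"  # assumption: suffix under which the ou=O subtrees live

_MUST_ESCAPE = set('",+;<>\\')  # RFC 4514 section 2.4


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 (specials, NUL, leading '#'/space, trailing space)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _MUST_ESCAPE:
            out.append("\\" + ch)
        elif (ch == " " and (i == 0 or i == last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value: str) -> str:
    """Inverse of escape_rdn_value; also decodes RFC 4514 '\\XX' hex pairs (UTF-8 bytes)."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] != "\\":
            buf.extend(value[i].encode("utf-8"))
            i += 1
            continue
        if i + 1 >= len(value):
            raise ValueError("dangling backslash in RDN value")
        pair = value[i + 1:i + 3]
        if len(pair) == 2 and all(c in string.hexdigits for c in pair):
            buf.append(int(pair, 16))
            i += 3
        else:
            buf.extend(value[i + 1].encode("utf-8"))
            i += 2
    return buf.decode("utf-8")


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings on unescaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return rdns


def group_dn(right: str, service: str, org: str, base_dn: str = BASE_DN) -> str:
    """DN of the group that grants `right` for `service` to members of `org` (escaped)."""
    return ",".join(["cn=" + escape_rdn_value(right),
                     "ou=" + escape_rdn_value(service),
                     "ou=" + escape_rdn_value(org), base_dn])


def naive_group_dn(right: str, service: str, org: str, base_dn: str = BASE_DN) -> str:
    """The concatenation a first-cut script tends to do; breaks for names with ',' etc."""
    return f"cn={right},ou={service},ou={org},{base_dn}"


def parse_group_dn(dn: str, base_dn: str = BASE_DN) -> Optional[Tuple[str, str, str]]:
    """Return (right, service, org) if dn is 'cn=R,ou=S,ou=O' directly under base_dn, else None."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    # Attribute types are case-insensitive; a lower-cased comparison of the fixed
    # suffix is enough here (general DN matching is more involved).
    if len(rdns) != 3 + len(base) or [r.strip().lower() for r in rdns[3:]] != \
            [r.strip().lower() for r in base]:
        return None
    parsed = []
    for rdn in rdns[:3]:
        attr, sep, raw = rdn.partition("=")  # first unescaped '=' separates type and value
        if not sep:
            return None
        parsed.append((attr.strip().lower(), unescape_rdn_value(raw)))
    if [a for a, _ in parsed] != ["cn", "ou", "ou"]:
        return None
    return parsed[0][1], parsed[1][1], parsed[2][1]


def rights_for(member_of: Iterable[str], service: str, org: str) -> Set[str]:
    """Answer: which rights does the user (given their group DNs) have for service in org?"""
    rights = set()
    for dn in member_of:
        parsed = parse_group_dn(dn)
        if parsed and parsed[1] == service and parsed[2] == org:
            rights.add(parsed[0])
    return rights


# Constructed sample: memberOf values of one user U.
MEMBER_OF = [
    group_dn("reader", "X", "A"),
    group_dn("writer", "X", "B"),
    group_dn("writer", "Y", "A"),
    group_dn("reader", "Z", "Acme, Inc."),   # organization name containing a comma
    "cn=staff,ou=groups," + BASE_DN,         # unrelated group; must be ignored
]

if __name__ == "__main__":
    print(sorted(rights_for(MEMBER_OF, "X", "A")))
    print(group_dn("reader", "Z", "Acme, Inc."))
    print(parse_group_dn(naive_group_dn("reader", "Z", "Acme, Inc.")))
```

With the sample list, `rights_for(MEMBER_OF, "X", "A")` yields only `reader`, the comma in "Acme, Inc." survives a round trip through the escaped DN, and the naively concatenated DN for the same organization no longer parses as a right group at all, because the comma in the name adds a fourth RDN. The same logic works for any value an orgRef might carry, which is why the escaping belongs in whatever script (Groovy in midPoint's case) constructs the DN.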




