[midPoint] Assigning role to user when receiving a resource

Ivan Noris ivan.noris at evolveum.com
Tue Nov 29 22:24:12 CET 2016


Hi Nicolas,

I have tried to find some time in the evenings to look for the problem.

The first alternative - ScriptedSQL-Grupo1.xml looks pretty much the same
as my roles in one of my projects. If I understand correctly, you've stated
that "It works fine (entitlement is provisioned) but we cannot see this
assignment on the GUI." What do you mean by "seeing" it? You should see
that the user has this association (Grupo 1) in Projections/the scriptedsql
account/associations part. And of course in Assignments you should see
the "ScriptedSQL-Grupo 1" role assigned.

If you cannot see the "associations" part in GUI with "Grupo 1" value,
can you ensure that the value is really there manually in the target
system and read that user again using midPoint? But as you stated that
this alternative "works (entitlement is provisioned)", I'm confused.

What surprised me is the name of the association attribute
"<ref>ri:GroupObjectClass</ref>" used in inducements. Do you have the
same name configured in the resource object in:

<association>
  <ref>ri:GroupObjectClass</ref>
  ...
</association> ? If yes, it's just the name which confuses me.

The alternative ScriptedSQL-Grupo 3 using ScriptedSQL-MetaRole also looks
OK to me. I'm trying to find a similar example, but so far I don't
remember any usage of association using associationFromLink with another
association in my projects.

Also ScriptedSQL-Metarole-3.xml looks fine.
Are you testing the setup on new users and assigning roles, or do you
already have the (former) roles assigned and after that you change the
role definitions? (In the latter case I assume you also did a recompute of
that user to apply the changed role definitions.)

Anyway, the assignment of ScriptedSQL-Grupo 1 (no metarole) should work
and be displayed in Assignments (as role) and in Projections as
association (Grupo 1).

I hope some of my colleagues will also have a good hint; for now I'm out
of ideas but I will try to find some new ones.

Best regards,
Ivan

On 11/29/2016 01:06 PM, Nicolas Rossi wrote:
> Hi Ivan, have you seen something wrong with these configurations?
>
> Best regards 
>
>
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
>
> On Fri, Nov 25, 2016 at 12:56 PM, Nicolas Rossi <nrossi at identicum.com
> <mailto:nrossi at identicum.com>> wrote:
>
>     Hi Ivan, here are the XMLs:
>
>       * ScriptedSQL-Grupo1.xml: A role with an association to an
>         entitlement
>       * ScriptedSQL-Grupo3.xml: A role with an assignment to a MetaRole
>       * ScriptedSQL-MetaRole-1.xml: First alternative with another
>         assignment
>       * ScriptedSQL-MetaRole-2.xml: Second alternative with an
>         inducement to Group 3
>       * ScriptedSQL-MetaRole-3.xml: Second alternative with an
>         inducement to Group 1
>
>     Thanks in advance ! 
>
>     Best regards
>
>
>
>     Ing Nicolás Rossi
>     Identicum S.A.
>     Jorge Newbery 3226
>     Tel: +54 (11) 4552-3050
>     www.identicum.com <http://www.identicum.com>
>
>     On Thu, Nov 24, 2016 at 6:20 PM, Ivan Noris
>     <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>         Hi Nicolas,
>
>         can you paste the (three) attempts how the MetaRole looks,
>         anonymized if necessary? Maybe I will have an idea by looking
>         at it.
>
>         Regards,
>
>         Ivan
>
>
>         On 11/24/2016 09:52 PM, Nicolas Rossi wrote:
>>         Hi guys. We are still working on this issue. We have tried 3
>>         alternatives to achieve it. All of them working on the
>>         resource MetaRole:
>>
>>         1) Add a new association on the existing inducement
>>         constructor directly to the entitlement on the resource. It
>>         works fine (entitlement is provisioned) but we cannot see
>>         this assignment on the GUI.
>>
>>         2) Add an inducement to an existing role which has an
>>         assignment to the resource MetaRole. I can see the assignment
>>         on the GUI but the entitlement is not provisioned to the
>>         resource.
>>
>>         3) Add an inducement to an existing role which has an
>>         inducement with association to the entitlement on the
>>         resource. I can see the assignment on the GUI but the
>>         entitlement is not provisioned to the resource.
>>
>>         Is there any other possible configuration ?
>>
>>         Best regards,
>>
>>
>>         Ing Nicolás Rossi
>>         Identicum S.A.
>>         Jorge Newbery 3226
>>         Tel: +54 (11) 4552-3050
>>         www.identicum.com <http://www.identicum.com>
>>
>>         On Mon, Nov 21, 2016 at 5:56 PM, Ana Pereyra
>>         <apereyra at identicum.com <mailto:apereyra at identicum.com>> wrote:
>>
>>             Hi everyone,
>>
>>             We are having the following issue:
>>
>>             We need to assign the role B to users after being created
>>             in resource A, automatically. 
>>
>>             We are using a scripted sql driver, and a meta role for
>>             creating users and groups in the database; and role B is
>>             a group in resource A.
>>
>>             We have been trying to assign indirectly role B to users
>>             using the meta role, with no luck. Any ideas on how to
>>             approach this?
>>
>>             Thanks in advance.
>>             Regards
>>
>>             -- 
>>             Ana Pereyra
>>             Identicum S.A.
>>             Jorge Newbery 3226, Argentina
>>             Tel: +54 (11) 4552.3050
>>             apereyra at identicum.com <mailto:apereyra at identicum.com>
>>             www.identicum.com <http://www.identicum.com/>
>>
>>             _______________________________________________
>>             midPoint mailing list
>>             midPoint at lists.evolveum.com
>>             <mailto:midPoint at lists.evolveum.com>
>>             http://lists.evolveum.com/mailman/listinfo/midpoint
>>             <http://lists.evolveum.com/mailman/listinfo/midpoint>
>>
>
>         -- 
>         Ivan Noris
>         Senior Identity Engineer
>         evolveum.com <http://evolveum.com>
>
>
-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
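
Added example (not part of the original message, and not midPoint's own code): a small check for the question raised above, whether every association <ref> used in a role's inducement is also defined on the resource. It assumes the element paths schemaHandling/objectType/association/ref (resource) and inducement/construction/association/ref (role), compares local names only, and uses constructed sample objects with a placeholder OID.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

def local(qname):
    """Local part of a prefixed QName such as 'ri:GroupObjectClass'."""
    return qname.strip().split(":")[-1]

def defined_associations(resource_xml):
    """Return (resource OID, association names defined in schemaHandling)."""
    res = ET.fromstring(resource_xml)
    refs = res.findall("c:schemaHandling/c:objectType/c:association/c:ref", NS)
    return res.get("oid"), {local(r.text) for r in refs}

def unresolved_associations(role_xml, resource_xml):
    """Association refs induced by the role that the resource does not define."""
    oid, defined = defined_associations(resource_xml)
    missing = []
    role = ET.fromstring(role_xml)
    for con in role.findall("c:inducement/c:construction", NS):
        target = con.find("c:resourceRef", NS)
        if target is None or target.get("oid") != oid:
            continue  # construction points at a different resource
        for ref in con.findall("c:association/c:ref", NS):
            if local(ref.text) not in defined:
                missing.append(ref.text.strip())
    return missing

# Constructed sample objects, heavily trimmed; the OID is a placeholder.
OID = "00000000-0000-0000-0000-000000000001"
XMLNS = ('xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
         'xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"')
RESOURCE = f"""<resource {XMLNS} oid="{OID}"><schemaHandling><objectType>
  <kind>account</kind>
  <association><ref>ri:GroupObjectClass</ref><kind>entitlement</kind></association>
</objectType></schemaHandling></resource>"""

def sample_role(ref, resource_oid=OID):
    """Hypothetical role with one inducement using association `ref`."""
    return f"""<role {XMLNS}><name>ScriptedSQL-Grupo 1</name><inducement><construction>
  <resourceRef oid="{resource_oid}"/><kind>account</kind>
  <association><ref>{ref}</ref></association>
</construction></inducement></role>"""

if __name__ == "__main__":
    print(unresolved_associations(sample_role("ri:GroupObjectClass"), RESOURCE))
    print(unresolved_associations(sample_role("ri:group"), RESOURCE))
```

An empty list means the names agree; any name returned is an association the role refers to but the resource does not define.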