[midPoint] Assigning role to user when receiving a resource

Nicolas Rossi nrossi at identicum.com
Tue Nov 29 23:30:40 CET 2016 

Hi Ivan. With the alternative #1 I can see the entitlement provisioned on
the resource but I cannot see it under the midpoint GUI on the user panel
-> assignments -> cog icon -> show all assignment.

Regards

El El mar, 29 de nov. de 2016 a las 18:26, Ivan Noris <
ivan.noris at evolveum.com> escribió:

> Hi Nicolas,
>
> I have tried to find some time at the evenings, to look for a problem.
>
> The first alternative - ScriptedSQL-Grupo1.xml looks pretty much same as
> my roles in one of my projects. If I understand correctly, you've stated
> that "It works fine (entitlement is provisioned) but we cannot see this
> assignment on the GUI." What do you mean by "seeing" it? You should see
> that user has this association (Grupo 1) in Projections/the scriptedsql
> account/associations part. And of course in Assignments you should see the
> "ScriptedSQL-Grupo 1" role assigned.
>
> If you cannot see the "associations" part in GUI with "Grupo 1" value, can
> you ensure that the value is really there manually in the target system and
> read that user again using midPoint? But as you stated that this
> alternative "works (entitlement is provisioned)", I'm confused.
>
> What surprised me is the name of the association attribute
> "<ref>ri:GroupObjectClass</ref>" used in inducements. Do you have the same
> name configured in the resource object in:
>
> <association>
>
>   <ref>ri:GroupObjectClass</ref>
>
> ...
>
> </association> ? If yes, it's just the name which confuses me.
>
> The alternative ScriptedSQL-Grupo 3 using ScriptedSQL-MetaRole looks also
> OK to me. I'm trying to find similar example, but so far I don't remember
> any usage of association using associationFromLink with another association
> in my projects.
> Also ScriptedSQL-Metarole-3.xml looks fine.
> Are you testing the setup on new users and assigning roles, or you already
> have the (former) roles assigned and after that you change the role
> definitions? (In the latter case I assume you did also recompute of that
> user to apply the changed role definitions.)
>
> Anyway, the assignment of ScriptedSQL-Grupo 1 (no metarole) should work
> and be displayed in Assignments (as role) and in Projections as association
> (Grupo 1).
>
> I hope some of my coleagues will also have a good hint, for now I'm out of
> ideas but I will try to find some new.
>
> Best regards,
> Ivan
>
>
> On 11/29/2016 01:06 PM, Nicolas Rossi wrote:
>
> HI Ivan, have you seen something wrong with these configurations ?
>
> Best regards
>
>
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Fri, Nov 25, 2016 at 12:56 PM, Nicolas Rossi <nrossi at identicum.com>
> wrote:
>
> Hi Ivan, here are the XMLs:
>
>    - ScriptedSQL-Grupo1.xml: A role with an association to an entitlement
>    - ScriptedSQL-Grupo3.xml: A role with an assignment to a MetaRole
>    - ScriptedSQL-MetaRole-1.xml: First alternative with another assignment
>    - ScriptedSQL-MetaRole-2.xml: Second alternative with an inducement to
>    Group 3
>    - ScriptedSQL-MetaRole-3.xml: Second alternative with an inducement to
>    Group 1
>
> Thanks in advance !
>
> Best regards
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Thu, Nov 24, 2016 at 6:20 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
> Hi Nicolas,
>
> can you paste the (three) attempts how the MetaRole looks, anonymized if
> necessary? Maybe I will have an idea by looking at it.
>
> Regards,
>
> Ivan
>
> On 11/24/2016 09:52 PM, Nicolas Rossi wrote:
>
> Hi guys. We are still working on this issue. We have tried 3 alternatives
> to achieve it. All of them working on the resource MetaRole:
>
> 1) Add a new association on the existing inducement constructor directly
> to the entitlement on the resource. It works fine (entitlement is
> provisioned) but we cannot see this assignment on the GUI.
>
> 2) Add an inducement to an existing role which has an assignment to the
> resource MetaRole. I can see the assignment on the GUI but the entitlement
> is not provisioned to the resource.
>
> 3) Add an inducement to an existing role which has an inducement with
> association to the entitlement on the resource. I can see the assignment
> on the GUI but the entitlement is not provisioned to the resource.
>
> Is there any other possible configuration ?
>
> ​Best regards,
>>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Mon, Nov 21, 2016 at 5:56 PM, Ana Pereyra <apereyra at identicum.com>
> wrote:
>
> Hi everyone,
>
> We are having the following issue:
>
> We need to assign the role B to users after being created in resource A,
> automatically.
>
> We are using a scripted sql driver, and a meta role for creating users and
> groups in the database; and role B is a group in resource A.
>
> We have been trying to assign indirectly role B to users using the meta
> role, with no luck. Any ideas on how to approach this?
>
> Thanks in advance.
> Regards
>
> --
> *Ana Pereyra*
>  Identicum S.A.
>
> *Jorge Newbery 3226, Argentina Tel: +54 (11) **4552.3050*
> *apereyra at identicum.com <apereyra at identicum.com>*
> www.identicum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________ midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161129/34e370cb/attachment.htm>

More information about the midPoint mailing list