[midPoint] Assigning role to user when receiving a resource

Ivan Noris ivan.noris at evolveum.com
Wed Nov 30 08:49:40 CET 2016


Hi Nicolas,

Show all assignments is computing just assignments, both direct and
indirect. It will show you all assigned:

a) roles (assigned directly or indirectly)

b) organizations

c) projections from inducements - name of resource, kind and intent

It will not show associations there.

If you want to see the "groups" of any account managed by midPoint, open
that user in midPoint, then Projections, expand the account and see
section "associations".

I have just checked my user with an assigned organization, which has an
assigned metarole, and I can see the indirectly referenced resource
account which is provided by the metarole order=2 inducement.

Regards,

Ivan


On 11/29/2016 11:30 PM, Nicolas Rossi wrote:
> Hi Ivan. With the alternative #1 I can see the entitlement provisioned
> on the resource but I cannot see it under the midpoint GUI on the user
> panel -> assignments -> cog icon -> show all assignment. Regards
>
> On Tue, Nov 29, 2016 at 18:26, Ivan Noris
> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>
>     Hi Nicolas,
>
>     I have tried to find some time at the evenings, to look for a problem.
>
>     The first alternative - ScriptedSQL-Grupo1.xml looks pretty much
>     same as my roles in one of my projects. If I understand correctly,
>     you've stated that "It works fine (entitlement is provisioned) but
>     we cannot see this assignment on the GUI." What do you mean by
>     "seeing" it? You should see that user has this association (Grupo
>     1) in Projections/the scriptedsql account/associations part. And
>     of course in Assignments you should see the "ScriptedSQL-Grupo 1"
>     role assigned.
>
>     If you cannot see the "associations" part in GUI with "Grupo 1"
>     value, can you ensure that the value is really there manually in
>     the target system and read that user again using midPoint? But as
>     you stated that this alternative "works (entitlement is
>     provisioned)", I'm confused.
>
>     What surprised me is the name of the association attribute
>     "<ref>ri:GroupObjectClass</ref>" used in inducements. Do you have
>     the same name configured in the resource object in:
>
>     <association>
>
>       <ref>ri:GroupObjectClass</ref>
>
>     ...
>
>     </association> ? If yes, it's just the name which confuses me.
>
>     The alternative ScriptedSQL-Grupo 3 using ScriptedSQL-MetaRole
>     looks also OK to me. I'm trying to find similar example, but so
>     far I don't remember any usage of association using
>     associationFromLink with another association in my projects.
>
>     Also ScriptedSQL-Metarole-3.xml looks fine.
>     Are you testing the setup on new users and assigning roles, or you
>     already have the (former) roles assigned and after that you change
>     the role definitions? (In the latter case I assume you did also
>     recompute of that user to apply the changed role definitions.)
>
>     Anyway, the assignment of ScriptedSQL-Grupo 1 (no metarole) should
>     work and be displayed in Assignments (as role) and in Projections
>     as association (Grupo 1).
>
>     I hope some of my colleagues will also have a good hint, for now
>     I'm out of ideas but I will try to find some new.
>
>     Best regards,
>     Ivan
>
>
>     On 11/29/2016 01:06 PM, Nicolas Rossi wrote:
>>     Hi Ivan, have you seen something wrong with these configurations?
>>
>>     Best regards 
>>
>>
>>
>>
>>
>>     Ing Nicolás Rossi
>>     Identicum S.A.
>>     Jorge Newbery 3226
>>     Tel: +54 (11) 4552-3050
>>     www.identicum.com <http://www.identicum.com>
>>
>>     On Fri, Nov 25, 2016 at 12:56 PM, Nicolas Rossi
>>     <nrossi at identicum.com <mailto:nrossi at identicum.com>> wrote:
>>
>>         Hi Ivan, here are the XMLs:
>>
>>           * ScriptedSQL-Grupo1.xml: A role with an association to an
>>             entitlement
>>           * ScriptedSQL-Grupo3.xml: A role with an assignment to a
>>             MetaRole
>>           * ScriptedSQL-MetaRole-1.xml: First alternative with
>>             another assignment
>>           * ScriptedSQL-MetaRole-2.xml: Second alternative with an
>>             inducement to Group 3
>>           * ScriptedSQL-MetaRole-3.xml: Second alternative with an
>>             inducement to Group 1
>>
>>         Thanks in advance ! 
>>
>>         Best regards
>>
>>
>>
>>         Ing Nicolás Rossi
>>         Identicum S.A.
>>         Jorge Newbery 3226
>>         Tel: +54 (11) 4552-3050
>>         www.identicum.com <http://www.identicum.com>
>>
>>         On Thu, Nov 24, 2016 at 6:20 PM, Ivan Noris
>>         <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>>             Hi Nicolas,
>>
>>             can you paste the (three) attempts how the MetaRole
>>             looks, anonymized if necessary? Maybe I will have an idea
>>             by looking at it.
>>
>>             Regards,
>>
>>             Ivan
>>
>>
>>             On 11/24/2016 09:52 PM, Nicolas Rossi wrote:
>>>             Hi guys. We are still working on this issue. We have
>>>             tried 3 alternatives to achieve it. All of them working
>>>             on the resource MetaRole:
>>>
>>>             1) Add a new association on the existing inducement
>>>             constructor directly to the entitlement on the resource.
>>>             It works fine (entitlement is provisioned) but we cannot
>>>             see this assignment on the GUI.
>>>
>>>             2) Add an inducement to an existing role which has an
>>>             assignment to the resource MetaRole. I can see the
>>>             assignment on the GUI but the entitlement is not
>>>             provisioned to the resource.
>>>
>>>             3) Add an inducement to an existing role which has an
>>>             inducement with association to the entitlement on the
>>>             resource. I can see the assignment on the GUI but the
>>>             entitlement is not provisioned to the resource.
>>>
>>>             Is there any other possible configuration ?
>>>
>>>             Best regards,
>>>
>>>
>>>             Ing Nicolás Rossi
>>>             Identicum S.A.
>>>             Jorge Newbery 3226
>>>             Tel: +54 (11) 4552-3050
>>>             www.identicum.com <http://www.identicum.com>
>>>
>>>             On Mon, Nov 21, 2016 at 5:56 PM, Ana Pereyra
>>>             <apereyra at identicum.com <mailto:apereyra at identicum.com>>
>>>             wrote:
>>>
>>>                 Hi everyone,
>>>
>>>                 We are having the following issue:
>>>
>>>                 We need to assign the role B to users after being
>>>                 created in resource A, automatically. 
>>>
>>>                 We are using a scripted sql driver, and a meta role
>>>                 for creating users and groups in the database; and
>>>                 role B is a group in resource A.
>>>
>>>                 We have been trying to assign indirectly role B to
>>>                 users using the meta role, with no luck. Any ideas
>>>                 on how to approach this?
>>>
>>>                 Thanks in advance.
>>>                 Regards
>>>
>>>                 -- 
>>>                 *Ana Pereyra*
>>>                  Identicum S.A.
>>>                 /Jorge Newbery 3226, Argentina
>>>                 Tel: +54 (11) //4552.3050/
>>>                 /apereyra at identicum.com <mailto:apereyra at identicum.com>/
>>>                 www.identicum.com <http://www.identicum.com/>
>>>
>>>                 _______________________________________________
>>>                 midPoint mailing list
>>>                 midPoint at lists.evolveum.com
>>>                 <mailto:midPoint at lists.evolveum.com>
>>>                 http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>>             -- 
>>             Ivan Noris
>>             Senior Identity Engineer
>>             evolveum.com <http://evolveum.com>
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
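
For reference, an added example (not one of the XML files attached to this thread, and not the participants' own configuration) of the setup discussed above: a metarole whose order=2 inducement gives users an account with an association built by associationFromLink. All OIDs and object names, the `ri:group` association name and the `group`/`default` intents are assumptions; the association `<ref>` has to match the association name defined in the resource's schemaHandling.

```xml
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

  <!-- Metarole: assigned to group-like roles, not directly to users.
       OIDs below are placeholders. -->
  <role oid="00000000-0000-0000-0000-0000000000a1">
    <name>Example-MetaRole</name>
    <!-- Default order (1): applies to the role that holds this metarole and
         gives that role a group (entitlement) projection on the resource.
         Assumes the resource defines outbound mappings for this object type. -->
    <inducement>
      <construction>
        <resourceRef oid="00000000-0000-0000-0000-0000000000ff" type="ResourceType"/>
        <kind>entitlement</kind>
        <intent>group</intent>
      </construction>
    </inducement>
    <!-- Order 2: skips one level and applies to users who hold a role that
         holds this metarole. They get an account associated with the
         entitlement linked to that role. -->
    <inducement>
      <construction>
        <resourceRef oid="00000000-0000-0000-0000-0000000000ff" type="ResourceType"/>
        <kind>account</kind>
        <intent>default</intent>
        <association>
          <ref>ri:group</ref> <!-- assumed association name -->
          <outbound>
            <expression>
              <associationFromLink>
                <projectionDiscriminator>
                  <kind>entitlement</kind>
                  <intent>group</intent>
                </projectionDiscriminator>
              </associationFromLink>
            </expression>
          </outbound>
        </association>
      </construction>
      <order>2</order>
    </inducement>
  </role>

  <!-- A group role: assigning it to a user triggers the order=2 inducement. -->
  <role oid="00000000-0000-0000-0000-0000000000a2">
    <name>Example-Grupo</name>
    <assignment>
      <targetRef oid="00000000-0000-0000-0000-0000000000a1" type="RoleType"/>
    </assignment>
  </role>
</objects>
```

With this layout the role shows up under the user's Assignments, while the resulting group membership is visible under Projections, in the account's associations section, as described in the reply above.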
