[midPoint] How to make Entitlement association strong / enforced ?

Ivan Noris ivan.noris at evolveum.com
Thu Jan 25 14:24:48 CET 2018


Hi,

yes, as the "strength" element is used both in construction and also in
mapping, it always looks confusing. But the two strengths are for
completely different things :)

To allow midPoint to always apply the "group membership" (by
association), the strong outbound mapping for the association does the trick.

To force midPoint to remove group membership from groups that are not
assigned by midPoint, tolerant=false might be set in the resource
association definition (not in the role!).

And finally, weak strength set in construction means that even if this
role constructs (creates) an account and adds the account to a role,
unless another role for the same projection is assigned with strong
strength in construction, the account will not be created. The use case
behind it is: if the organization structure is replicated to the target
system (AD for example), and a user is assigned to an organization in
midPoint, which is replicated to the target system, the account would be
created immediately, even if the user has no other roles. Strength=weak
in construction prohibits this, and the user must be assigned a different
role, e.g. Employee, and only then the account is created and the groups
assigned.

Let's hope I will be able to put it this way during our training next
week :)

Best regards,

Ivan


On 25.01.2018 14:16, Alcides Carlos de Moraes Neto wrote:
> Thanks Ivan, that was it. I didn't notice I could set strength in the
> association mapping.
> I have a weak construction with a strong mapping, that's a bit crazy,
> but it works. :)
>
> My metarole is thus:
>
> <inducement id="1">
>       <description>Group construction</description>
>       <construction>
>          <resourceRef oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"
>                       relation="org:default"
>                       type="c:ResourceType"><!-- AD --></resourceRef>
>          <kind>entitlement</kind>
>          <intent>org-group</intent>
>       </construction>
>    </inducement>
>    <inducement id="2">
>       <description>Add users to group</description>
>       <construction>
>          <strength>weak</strength>
>          <resourceRef oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"
>                       relation="org:default"
>                       type="c:ResourceType"><!-- AD --></resourceRef>
>          <kind>account</kind>
>          <intent>default</intent>
>          <association>
>             <c:ref>ri:group</c:ref>
>             <tolerant>false</tolerant>
>             <outbound>
>               <strength>strong</strength>
>                <expression>
>                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
>                      <projectionDiscriminator>
>                         <kind>entitlement</kind>
>                         <intent>org-group</intent>
>                      </projectionDiscriminator>
>                   </associationFromLink>
>                </expression>
>             </outbound>
>          </association>
>       </construction>
>       <order>2</order>
>       <condition>
>          <expression>
>             <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                     xsi:type="c:ScriptExpressionEvaluatorType">
>                <code>focus.getClass() ==
> com.evolveum.midpoint.xml.ns._public.common.common_3.UserType.class
> && (focus.getEmployeeType().contains("TYPE1") ||
> focus.getEmployeeType().contains("TYPE2"))</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
>
> 2018-01-25 6:29 GMT-02:00 Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>>:
>
>     Hi,
>
>     can you share the role (in your case probably the metarole)? I
>     think you might be missing strong in the outbound mapping for
>     association for order=2 mapping.
>
>     Ivan
>
>
>     On 24.01.2018 23:08, Alcides Carlos de Moraes Neto wrote:
>>     Hello list,
>>
>>     I have an OrgType -> AD Group projection, with construction and
>>     entitlement association all done in a single Meta Role. This
>>     works, the groups are created and the Org Members are added to
>>     the group.
>>
>>     However, if the AD user account already is a member of any other
>>     group, it's not added to the Org AD Group. And if I remove a user
>>     account from the AD group from within Windows Server, Midpoint
>>     does not create the association again. It's behaving like a weak
>>     mapping.
>>     How do I make Midpoint enforce the group membership? The
>>     association definition has the tolerant attribute set to FALSE. I've
>>     tried setting assignmentPolicyEnforcement to FULL for the
>>     resource, it does not work either.
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>>     <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
>     -- 
>     Ivan Noris
>     Senior Identity Engineer
>     evolveum.com <http://evolveum.com>
>
>

-- 
Ivan Noris
Senior Identity Engineer
evolveum.com
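To show where the three settings Ivan separates actually live, here is an added configuration example that is not from this thread or from the midPoint project: the resource's schemaHandling carries tolerant=false on the association, while the role's inducement carries the weak construction and the strong outbound association mapping. The resource OID placeholder, the object class ri:user, the AD attribute names ri:member and ri:dn, and the intents are assumptions.

```xml
<!-- Resource side (assumed AD resource, only the relevant part). tolerant=false on
     the resource association is what lets midPoint remove memberships it did not assign. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <schemaHandling>
    <objectType>
      <kind>account</kind>
      <intent>default</intent>
      <objectClass>ri:user</objectClass>         <!-- assumed AD object class -->
      <association>
        <ref>ri:group</ref>
        <tolerant>false</tolerant>               <!-- enforcement lives here, not in the role -->
        <kind>entitlement</kind>
        <intent>org-group</intent>
        <direction>objectToSubject</direction>   <!-- the group object lists its members -->
        <associationAttribute>ri:member</associationAttribute>  <!-- assumed group attribute -->
        <valueAttribute>ri:dn</valueAttribute>                  <!-- assumed account attribute -->
        <explicitReferentialIntegrity>true</explicitReferentialIntegrity>
      </association>
    </objectType>
  </schemaHandling>
</resource>

<!-- Role side (metarole inducement). The weak construction does not create the account
     on its own; the strong outbound mapping re-applies the membership on every recompute. -->
<inducement xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <construction>
    <strength>weak</strength>                    <!-- account needs another strong construction -->
    <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="c:ResourceType"/>
    <kind>account</kind>
    <intent>default</intent>
    <association>
      <ref>ri:group</ref>                        <!-- no tolerant element needed here -->
      <outbound>
        <strength>strong</strength>              <!-- membership is always re-applied -->
        <expression>
          <associationFromLink>
            <projectionDiscriminator>
              <kind>entitlement</kind>
              <intent>org-group</intent>
            </projectionDiscriminator>
          </associationFromLink>
        </expression>
      </outbound>
    </association>
  </construction>
  <order>2</order>
</inducement>
```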
