[midPoint] Accessing user extension attribute from different focus type.

Ivan Noris Ivan.Noris at evolveum.com
Thu Sep 11 10:54:40 CEST 2014


Hi Deepak,

I believe there are at least two ways to do it, although I have not yet needed the scenario for groups-per-user.

You need a construction section in your roles (assigned to your users) to actually create the group (in addition to the accounts, for example).

E.g.

    <inducement>
        <construction>
            <!-- AD resource -->
            <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
            <kind>entitlement</kind>
            <intent>YOURINTENT</intent>
        </construction>
    </inducement>

So just as in our generic synchronization scenario we are creating groups per org, you can create a group per user.

The YOURINTENT intent is then defined in the resource schema handling. And you can access your focus (in this case, the focus is User) attributes normally using paths, e.g. <path>$focus/name</path> is the user's name attribute; you can also use extension attributes.

After a short discussion with Radovan, you have two options for where to specify the mappings:
1) in the schema handling for YOURINTENT. But if YOURINTENT is also used for groups other than your user groups, you should create another intent, with the corresponding synchronization (and correlation) configuration.

2) in the roles. So you will pass attributes such as icfs:name etc. from the role. And roles for creating the group per user may have completely different mappings than the roles for creating other groups on the resource.


Regards,
Ivan

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com
  ___________________________________________
           "Idem per idem - semper idem Vix."
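
Added example, not part of the original message and not the midPoint project's own configuration: a schema handling fragment for option 1, mapping the focus user's name and an extension attribute to the group created by the YOURINTENT construction. The object class, the DN suffix and the `ext:networkDrivePath` extension attribute are assumptions, and the `icfs`, `ri` and `ext` prefixes are assumed to be declared on the enclosing resource.

```xml
<schemaHandling>
    <objectType>
        <kind>entitlement</kind>
        <!-- Must match the intent used in the role's construction -->
        <intent>YOURINTENT</intent>
        <!-- Assumption: group object class name depends on the connector schema -->
        <objectClass>ri:GroupObjectClass</objectClass>

        <!-- Group identifier built from the user's name -->
        <attribute>
            <ref>icfs:name</ref>
            <outbound>
                <source>
                    <path>$focus/name</path>
                </source>
                <expression>
                    <script>
                        <!-- Constructed DN suffix; "name" is the source above -->
                        <code>'cn=' + name + ',ou=Groups,dc=example,dc=com'</code>
                    </script>
                </expression>
            </outbound>
        </attribute>

        <!-- Group description copied as-is from a user extension attribute -->
        <attribute>
            <ref>ri:description</ref>
            <outbound>
                <source>
                    <!-- Hypothetical extension attribute on the user -->
                    <path>$focus/extension/ext:networkDrivePath</path>
                </source>
            </outbound>
        </attribute>
    </objectType>
</schemaHandling>
```

For option 2, the same `<attribute>` elements would sit inside the role's `<construction>` instead of the resource's schema handling.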

----- Original Message -----
> From: "Deepak Natarajan" <dnataraj at trilobytesystems.com>
> To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
> Sent: Thursday, September 11, 2014 10:05:24 AM
> Subject: Re: [midPoint] Accessing user extension attribute from different focus type.
> 
> 
> Hi Ivan -
> 
> A very correct question - yes, I am creating groups for the user.
> 
> Our AD/LDAP groups have many properties that need to be populated. One
> of them is the "description" field which the customer actually populates
> with a network drive path :) (e.g. "//vejle kommune/aF_V/FFPP/userName" etc.)
> 
> I need to get a cached user object (I have some java code for this) in
> order to build this and other properties.
> 
> So in my script expression, I would have :
> 
> user = getCachedUser(uid) --> uid is from user attr
> and then
> return user.getGroup(name).getDescription() --> here name is $focus/name
> for the group
> 
> My other option is to have extension attributes in RoleType but then I
> will need many of these and some complex XML constructs (which Radovan
> kinda ruled out) in order to represent a group in XML.
> 
> Any thoughts?
> 
> Thanks
> BR/Deepak
> 
> Ivan Noris wrote:
> > Hi Deepak,
> > 
> > to understand your question - you are creating groups for each user... ? Or
> > why do you need user attributes for creating groups?
> > 
> > Regards,
> > 
> 
> --
> Deepak Natarajan
> 
> Trilobyte Systems ApS
> 
> Falkoner Alle 1, 3            Fredrikinkatu 61A, 6th Floor
> 2000 Frederiksberg         Business Center Papula
> Denmark                          00100 Helsinki
>                                         Finland
> 
> Tel : +45 29375068
> http://www.trilobytesystems.com
> 