[midPoint] Fw: URGENT ... Role inducements lost on role updates
Pavol Mederly
mederly at evolveum.com
Thu Feb 12 10:53:03 CET 2015
Yes, of course.
I've just pushed a modified model-client-sample showing how to swap an
inducement (with a known ID) in the role definition.
See this (red = removal code, green = addition code):
// removes inducement with a given ID and replaces it with a new one
private static void modifyRoleReplaceInducement(ModelPortType modelPort,
        String roleOid, int oldId, String newInducementOid) throws FaultMessage,
        IOException, SAXException {

    // removal: DELETE delta that identifies the old inducement value by its ID only
    ItemDeltaType inducementDeleteDelta = new ItemDeltaType();
    inducementDeleteDelta.setModificationType(ModificationTypeType.DELETE);
    inducementDeleteDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
    inducementDeleteDelta.getValue().add(ModelClientUtil.parseElement("<value><id>"+oldId+"</id></value>"));

    // addition: ADD delta carrying the new inducement
    ItemDeltaType inducementAddDelta = new ItemDeltaType();
    inducementAddDelta.setModificationType(ModificationTypeType.ADD);
    inducementAddDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
    inducementAddDelta.getValue().add(createRoleAssignment(newInducementOid));

    // both item deltas go into a single MODIFY object delta on the role
    ObjectDeltaType deltaType = new ObjectDeltaType();
    deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
    deltaType.setChangeType(ChangeTypeType.MODIFY);
    deltaType.setOid(roleOid);
    deltaType.getItemDelta().add(inducementDeleteDelta);
    deltaType.getItemDelta().add(inducementAddDelta);

    // executed as one operation
    ObjectDeltaListType deltaListType = new ObjectDeltaListType();
    deltaListType.getDelta().add(deltaType);
    ObjectDeltaOperationListType objectDeltaOperationList =
            modelPort.executeChanges(deltaListType, null);
}
The corresponding XML is like this (again, red = removal code, green =
addition code):
<soap:Body>
  <ns8:executeChanges
      xmlns:ns10="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
      xmlns:ns11="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
      xmlns:ns12="http://www.w3.org/2000/09/xmldsig#"
      xmlns:ns13="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
      xmlns:ns14="http://www.w3.org/2001/04/xmlenc#"
      xmlns:ns15="http://prism.evolveum.com/xml/ns/public/annotation-3"
      xmlns:ns16="http://midpoint.evolveum.com/xml/ns/public/common/fault-3"
      xmlns:ns2="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:ns3="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ns4="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ns5="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ns6="http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-3"
      xmlns:ns7="http://midpoint.evolveum.com/xml/ns/model/workflow/process-instance-state-3"
      xmlns:ns8="http://midpoint.evolveum.com/xml/ns/public/model/model-3"
      xmlns:ns9="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">
    <ns8:deltaList>
      <ns9:delta>
        <ns2:changeType>modify</ns2:changeType>
        <ns2:objectType>ns3:RoleType</ns2:objectType>
        <ns2:oid>290acb64-f64c-4f01-8b5b-c5b745092f27</ns2:oid>
        <ns2:itemDelta>
          <ns2:modificationType>delete</ns2:modificationType>
          <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
          <ns2:value>
            <id>2</id>
          </ns2:value>
        </ns2:itemDelta>
        <ns2:itemDelta>
          <ns2:modificationType>add</ns2:modificationType>
          <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
          <ns2:value
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="ns3:AssignmentType">
            <ns3:targetRef
                oid="12345678-d34d-b33f-f00d-987987cccccc" type="ns3:RoleType"/>
          </ns2:value>
        </ns2:itemDelta>
      </ns9:delta>
    </ns8:deltaList>
  </ns8:executeChanges>
</soap:Body>
Best regards,
Pavol
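
Added example (not part of the original message and not midPoint code): a pre-flight check in Python that reads the itemDelta elements of a request and reports inducement ids that would disappear without the request ever naming them. It uses a simplified model of the REPLACE / DELETE / ADD behaviour described in this thread; the function names and the two reduced sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

T = "{http://prism.evolveum.com/xml/ns/public/types-3}"   # namespace of itemDelta in the request above
NS = ('xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" '
      'xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"')
# Constructed samples, reduced to the parts this check reads.
REPLACE_REQ = f"""<delta {NS}><t:itemDelta>
  <t:modificationType>replace</t:modificationType>
  <t:path>c:inducement</t:path>
  <t:value id="2"/></t:itemDelta></delta>"""
SWAP_REQ = f"""<delta {NS}>
 <t:itemDelta><t:modificationType>delete</t:modificationType>
  <t:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3';
   inducement</t:path>
  <t:value><id>2</id></t:value></t:itemDelta>
 <t:itemDelta><t:modificationType>add</t:modificationType>
  <t:path>c:inducement</t:path>
  <t:value><c:targetRef oid="12345678-d34d-b33f-f00d-987987cccccc"/></t:value></t:itemDelta>
</delta>"""

def parse_item_deltas(delta_xml):
    """Return [(modification type, item name, [value ids])] for each itemDelta."""
    out = []
    for item in ET.fromstring(delta_xml).iter(T + "itemDelta"):
        mod = item.findtext(T + "modificationType").strip().lower()
        # Drop a "declare default namespace '...';" preamble and any prefix.
        name = item.findtext(T + "path").split(";")[-1].split(":")[-1].strip()
        # The id is a child element or an attribute; None marks a new value without an id.
        vids = [v.findtext("id") or v.get("id") for v in item.findall(T + "value")]
        out.append((mod, name, [int(v) if v else None for v in vids]))
    return out

def collateral_loss(current_ids, delta_xml, item="inducement"):
    """Ids that vanish from `item` although the request never names them."""
    remaining, named = set(current_ids), set()
    for mod, name, ids in parse_item_deltas(delta_xml):
        if name != item:
            continue
        supplied = {i for i in ids if i is not None}
        named |= supplied
        if mod == "replace":        # REPLACE keeps only the supplied values
            remaining &= supplied
        elif mod == "delete":       # DELETE removes just the identified value
            remaining -= supplied
    return sorted(set(current_ids) - remaining - named)

if __name__ == "__main__":
    # Role currently holds inducements with ids 1 and 2, as in the report.
    print(collateral_loss([1, 2], REPLACE_REQ), collateral_loss([1, 2], SWAP_REQ))
```

A non-empty result means the request silently drops inducements from the role, which is worth blocking or reviewing before the call to executeChanges.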
> Hi
>
> I got the point that I can add and delete individual attributes/values,
> but I want to know how I can achieve this with Java code, or can you give me
> a sample XML doing this.
>
> Regards
> Dharmendra
>
> On Thu, Feb 12, 2015 at 1:53 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>
> Hello Dharmendra,
>
>> If the replace does not work, how can I individually add/delete
>> attributes/values?
>
> REPLACE replaces the whole inducement, i.e. all of its values.
>
> If you want to replace just one value (e.g. you have values of
> A, B, C and you want to make it A, B, D), you have to do the
> following:
> - delete C
> - add D
>
> You can (and perhaps, should) do this in one operation.
>
> Hope this helps.
> Pavol
>
>
>
> On 12. 2. 2015 9:01, Dharmendra Parakh wrote:
>> Hi Pavol
>>
>> Quick Background:
>> My role had two inducements:
>> id=1: Role
>> id=2 Resource
>> I wanted to replace the resource inducement.
>>
>> As per my understanding, I was trying to replace the inducement
>> with id=2, and that does not mean to delete the other inducement
>> (like id=1).
>>
>> If the replace does not work, how can I individually add/delete
>> attributes/values?
>>
>> Thanks
>> Dharmendra
>>
>>
>> On Thu, Feb 12, 2015 at 1:22 PM, Pavol Mederly
>> <mederly at evolveum.com> wrote:
>>
>> Hello Dharmendra,
>>
>> looking at your WS request: it is of REPLACE type, see:
>>
>> <objectDelta ... >
>> ...
>> <t:itemDelta>
>> <t:modificationType>*replace*</t:modificationType>
>> <t:path>c:*inducement*</t:path>
>> <t:value id="2">
>> ...
>> </t:value>
>> </t:itemDelta>
>> ...
>>
>> So, basically you tell midPoint that you want to REPLACE the
>> values of *inducement* item with the ones you have provided.
>> And you've provided one value with id=2 and content of
>> account construction on resource
>> d0811790-1d80-11e4-86b2-3c970e467874.
>> So after the operation, the original inducement with id=1
>> should be gone.
>>
>> Is this what you wanted to do? Perhaps not.
>>
>> If you want to replace only one value in multi-valued item,
>> you have to
>> 1) delete old value
>> 2) add new value
>>
>> And, I'm not quite sure about your first mail (Manish Baid,
>> received 01:14). Aren't the contents of files "original.xml"
>> and "after_addRoleInducement.xml" swapped? Because
>> original.xml corresponds to the state with only one
>> inducement, while the file "after_addRoleInducement.xml"
>> contains two inducements. Just the opposite of what I would expect,
>> given the messages you wrote.
>>
>> Best regards,
>> Pavol
>>
>>
>>
>> On 12. 2. 2015 8:39, Dharmendra Parakh wrote:
>>> Hi Ivan
>>>
>>> Thanks for your reply. The JIRA issue you pointed to might be
>>> related to the UI only, and what I observed is that if I use the model web
>>> service to modify one inducement, it deletes the other
>>> inducements.
>>>
>>> We are using the master branch so latest midpoint version.
>>>
>>> Regards
>>> Dharmendra
>>>
>>> On Thu, Feb 12, 2015 at 1:01 PM, Ivan Noris
>>> <ivan.noris at evolveum.com> wrote:
>>>
>>> Hi,
>>>
>>> I believe this is the issue:
>>> https://jira.evolveum.com/browse/MID-2113 and it should
>>> be fixed, but please see the comment in JIRA.
>>>
>>> Also, what version of midPoint are you using?
>>>
>>> Thanks,
>>> regards
>>> Ivan
>>>
>>>
>>> On 02/12/2015 08:08 AM, Dharmendra Parakh wrote:
>>>> Hi Radovan
>>>>
>>>> Additional Information:
>>>>
>>>> We have a requirement to update the role inducement
>>>> from web service client, where we have to add/delete
>>>> some resource attributes.
>>>>
>>>> In our scenario we have a role with multiple
>>>> inducements (let's say one role and one resource
>>>> inducement). Now I want to add some additional
>>>> attribute-values in the resource inducement. To do this we
>>>> calculate the correct inducement (AssignmentType)
>>>> object with all current attributes and try to replace
>>>> this inducement.
>>>> Earlier this was working for us, but now when we do this,
>>>> other inducement information is lost (the induced role is
>>>> no longer available in the role).
>>>>
>>>> I am attaching the request xml with the mail...
>>>>
>>>>
>>>>
>>>>
>>>> Regards
>>>> Dharmendra
>>>>
>>>>
>>>> On Thu, Feb 12, 2015 at 12:03 PM, Manish Baid
>>>> <baid_manish at yahoo.com> wrote:
>>>>
>>>> Hi Radovan,
>>>> We are showing a demo to our clients, looks like
>>>> with recent 3.1 release, inducement update is
>>>> behaving differently.
>>>>
>>>> If you can work with Dharmendra to work through
>>>> this (he is in India timezone, will be available in
>>>> your mornings), it would be of great help.
>>>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>> ----- Forwarded Message -----
>>>> *From:* Manish Baid <baid_manish at yahoo.com>
>>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>>> *Cc:* Dharmendra Parakh <dharmendra at confluxsys.com>; Indrajit
>>>> Chauhan <indrajit at confluxsys.com>
>>>> *Sent:* Wednesday, February 11, 2015 4:14 PM
>>>> *Subject:* URGENT ... Role inducements lost on role
>>>> updates
>>>>
>>>> Hi,
>>>> With 3.1 release code (and also after MID-2194),
>>>> when inducement/s is/are updated in a role, other
>>>> related inducements are removed.
>>>>
>>>> Here is an example:
>>>>
>>>> * Role had an inducement: "LDAP Account" with 3
>>>> group memberships
>>>> * Role is modified to add a role inducement (role
>>>> hierarchy)
>>>>
>>>> Observation: 3 group memberships that were part of
>>>> "Ldap Account" inducements are removed.
>>>>
>>>> Please see object XMLs of before and after.
>>>>
>>>> Thanks
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> --
>>> Ing. Ivan Noris
>>> Senior Identity Management Engineer
>>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>>> _____________________________________________
>>> "Semper Id(e)M Vix."
>>>
>>>
>>
>>
>
>