[midPoint] Fw: URGENT ... Role inducements lost on role updates
Pavol Mederly
mederly at evolveum.com
Thu Feb 12 11:31:11 CET 2015
Hello Dharmendra,
yes, I've not noticed that.
In that case, there are two possibilities:
(1) You can safely delete + recreate the inducement, as I proposed. It
should work.
(2) You can modify the inducement itself. The XML code would look like this:
<t:itemDelta>
    <t:modificationType>add</t:modificationType>
    <t:path>inducement[2]/construction/attribute</t:path>
    <t:value>
        <ref xmlns:qn50="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn50:posixGroups</ref>
        <outbound>
            <expression>
                <value>cn=H2,ou=groups,dc=confluxsys,dc=com</value>
                <value>cn=SudoUserGroup_Pset2678,ou=groups,dc=confluxsys,dc=com</value>
                <value>cn=ads,ou=groups,dc=confluxsys,dc=com</value>
                <value>cn=dba,ou=groups,dc=confluxsys,dc=com</value>
                <value>cn=db2users,ou=groups,dc=confluxsys,dc=com</value>
                <value>cn=devSvnAccess,ou=groups,dc=confluxsys,dc=com</value>
            </expression>
        </outbound>
    </t:value>
</t:itemDelta>
Actually, I've never done something like this. But it should work.
(If not, please let me know.)
Best regards,
Pavol
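
The REPLACE versus DELETE + ADD behaviour discussed in this thread, as an added example (not from the original messages and not midPoint code): a Python pre-flight check that models the semantics Pavol describes and reports which existing inducement ids a delta would drop without an explicit delete. The function names and both sample deltas are constructed for illustration; only the types-3 namespace is taken from the SOAP body quoted below.

```python
import xml.etree.ElementTree as ET

# Prism "types-3" namespace (the t: / ns2: prefix in the thread's XML).
T = "{http://prism.evolveum.com/xml/ns/public/types-3}"

def value_ids(item_delta):
    """Container ids named by a delta's values: id="N" attribute or <id>N</id> child."""
    ids = set()
    for v in item_delta.findall(T + "value"):
        raw = v.get("id")
        if raw is None:
            child = next((c for c in v if c.tag.rsplit("}", 1)[-1] == "id"), None)
            raw = child.text if child is not None else None
        if raw is not None:
            ids.add(int(raw))
    return ids

def silently_dropped(existing_ids, delta_xml, item="inducement"):
    """Ids of existing values of `item` that vanish without an explicit delete (assumed model)."""
    current, explicit = set(existing_ids), set()
    for d in ET.fromstring(delta_xml).iter(T + "itemDelta"):
        # Strip an optional "declare default namespace '...';" preamble and a c: prefix.
        path = (d.findtext(T + "path") or "").split(";")[-1].strip()
        if path.split(":")[-1] != item:
            continue  # sub-item deltas (e.g. inducement[2]/construction/attribute) keep siblings
        mod = (d.findtext(T + "modificationType") or "").strip()
        ids = value_ids(d)
        if mod == "replace":      # REPLACE: the item ends up with exactly the supplied values
            current = set(ids)
        elif mod == "delete":
            explicit |= ids
            current -= ids
        elif mod == "add":        # new values usually carry no id yet
            current |= ids
    return set(existing_ids) - current - explicit

# Constructed sample deltas modelled on the requests discussed in the thread.
NS = 'xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"'
REPLACE = f"""<objectDelta {NS}><t:itemDelta>
<t:modificationType>replace</t:modificationType><t:path>c:inducement</t:path>
<t:value id="2"/></t:itemDelta></objectDelta>"""
DELETE_ADD = f"""<objectDelta {NS}><t:itemDelta>
<t:modificationType>delete</t:modificationType><t:path>inducement</t:path>
<t:value><id>2</id></t:value></t:itemDelta><t:itemDelta>
<t:modificationType>add</t:modificationType><t:path>inducement</t:path>
<t:value/></t:itemDelta></objectDelta>"""

if __name__ == "__main__":
    print("REPLACE drops:", silently_dropped({1, 2}, REPLACE))
    print("DELETE+ADD drops:", silently_dropped({1, 2}, DELETE_ADD))
```

Running such a check against the role's current inducement ids before calling executeChanges flags the case from this thread, where the role inducement with id=1 disappeared.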
> Hi Pavol
>
> I think here you are deleting the inducement itself but my goal was
> not to delete the resource inducement but modify some attributes of
> induced resource.
>
> Let me know if I am getting it incorrect.
>
> Thanks!
>
> On Thu, Feb 12, 2015 at 3:23 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>
> Yes, of course.
>
> I've just pushed a modified model-client-sample showing how to
> swap an inducement (with a known ID) in the role definition.
>
> See this (red = removal code, green = addition code):
>
> // removes inducement with a given ID and replaces it with a new one
> private static void modifyRoleReplaceInducement(ModelPortType modelPort, String roleOid, int oldId, String newInducementOid)
>         throws FaultMessage, IOException, SAXException {
>
>     ItemDeltaType inducementDeleteDelta = new ItemDeltaType();
>     inducementDeleteDelta.setModificationType(ModificationTypeType.DELETE);
>     inducementDeleteDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>     inducementDeleteDelta.getValue().add(ModelClientUtil.parseElement("<value><id>"+oldId+"</id></value>"));
>
>     ItemDeltaType inducementAddDelta = new ItemDeltaType();
>     inducementAddDelta.setModificationType(ModificationTypeType.ADD);
>     inducementAddDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>     inducementAddDelta.getValue().add(createRoleAssignment(newInducementOid));
>
>     ObjectDeltaType deltaType = new ObjectDeltaType();
>     deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
>     deltaType.setChangeType(ChangeTypeType.MODIFY);
>     deltaType.setOid(roleOid);
>     deltaType.getItemDelta().add(inducementDeleteDelta);
>     deltaType.getItemDelta().add(inducementAddDelta);
>
>     ObjectDeltaListType deltaListType = new ObjectDeltaListType();
>     deltaListType.getDelta().add(deltaType);
>
>     ObjectDeltaOperationListType objectDeltaOperationList =
>             modelPort.executeChanges(deltaListType, null);
> }
>
> The corresponding XML is like this (again, red = removal code,
> green = addition code):
>
> <soap:Body>
>   <ns8:executeChanges
>       xmlns:ns10="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>       xmlns:ns11="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
>       xmlns:ns12="http://www.w3.org/2000/09/xmldsig#"
>       xmlns:ns13="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
>       xmlns:ns14="http://www.w3.org/2001/04/xmlenc#"
>       xmlns:ns15="http://prism.evolveum.com/xml/ns/public/annotation-3"
>       xmlns:ns16="http://midpoint.evolveum.com/xml/ns/public/common/fault-3"
>       xmlns:ns2="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:ns3="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:ns4="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ns5="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:ns6="http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-3"
>       xmlns:ns7="http://midpoint.evolveum.com/xml/ns/model/workflow/process-instance-state-3"
>       xmlns:ns8="http://midpoint.evolveum.com/xml/ns/public/model/model-3"
>       xmlns:ns9="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">
>     <ns8:deltaList>
>       <ns9:delta>
>         <ns2:changeType>modify</ns2:changeType>
>         <ns2:objectType>ns3:RoleType</ns2:objectType>
>         <ns2:oid>290acb64-f64c-4f01-8b5b-c5b745092f27</ns2:oid>
>         <ns2:itemDelta>
>           <ns2:modificationType>delete</ns2:modificationType>
>           <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
>           <ns2:value>
>             <id>2</id>
>           </ns2:value>
>         </ns2:itemDelta>
>         <ns2:itemDelta>
>           <ns2:modificationType>add</ns2:modificationType>
>           <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
>           <ns2:value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns3:AssignmentType">
>             <ns3:targetRef oid="12345678-d34d-b33f-f00d-987987cccccc" type="ns3:RoleType"/>
>           </ns2:value>
>         </ns2:itemDelta>
>       </ns9:delta>
>     </ns8:deltaList>
>   </ns8:executeChanges>
> </soap:Body>
>
> Best regards,
> Pavol
>
>> Hi
>>
>> I got this point that I can add and delete individual
>> attribute/value, but I want to know how I can achieve this with Java
>> code, or can you give me a sample XML doing this.
>>
>> Regards
>> Dharmendra
>>
>> On Thu, Feb 12, 2015 at 1:53 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>>
>> Hello Dharmendra,
>>
>>> If the replace does not work, how can I individually
>>> add/delete attributes/values?
>>
>> REPLACE replaces the whole inducement, i.e. all of its values.
>>
>> If you want to replace just one value (e.g. you have values
>> A, B, C and you want to make it A, B, D), you have to do
>> the following:
>> - delete C
>> - add D
>>
>> You can (and perhaps, should) do this in one operation.
>>
>> Hope this helps.
>> Pavol
>>
>>
>>
>> On 12. 2. 2015 9:01, Dharmendra Parakh wrote:
>>> Hi Pavol
>>>
>>> Quick Background:
>>> My role had two inducements:
>>> id=1: Role
>>> id=2 Resource
>>> I wanted to replace the resource inducement.
>>>
>>> As per my understanding I was trying to replace the
>>> inducement with id=2, and that does not mean to delete the
>>> other inducement (like id=1).
>>>
>>> If the replace does not work, how can I individually
>>> add/delete attributes/values?
>>>
>>> Thanks
>>> Dharmendra
>>>
>>>
>>> On Thu, Feb 12, 2015 at 1:22 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>>>
>>> Hello Dharmendra,
>>>
>>> looking at your WS request: it is of REPLACE type, see:
>>>
>>> <objectDelta ... >
>>> ...
>>> <t:itemDelta>
>>> <t:modificationType>*replace*</t:modificationType>
>>> <t:path>c:*inducement*</t:path>
>>> <t:value id="2">
>>> ...
>>> </t:value>
>>> </t:itemDelta>
>>> ...
>>>
>>> So, basically you tell midPoint that you want to REPLACE
>>> the values of *inducement* item with the ones you have
>>> provided.
>>> And you've provided one value with id=2 and content of
>>> account construction on resource
>>> d0811790-1d80-11e4-86b2-3c970e467874.
>>> So after the operation, the original inducement with
>>> id=1 should be gone.
>>>
>>> Is this what you wanted to do? Perhaps not.
>>>
>>> If you want to replace only one value in multi-valued
>>> item, you have to
>>> 1) delete old value
>>> 2) add new value
>>>
>>> And, I'm not quite sure about your first mail (Manish
>>> Baid, received 01:14). Aren't the contents of files
>>> "original.xml" and "after_addRoleInducement.xml"
>>> swapped? Because original.xml corresponds to the state
>>> with only one inducement, while the file
>>> "after_addRoleInducement.xml" contains two inducements.
>>> Just the opposite of what I would expect, given the messages you
>>> wrote.
>>>
>>> Best regards,
>>> Pavol
>>>
>>>
>>>
>>> On 12. 2. 2015 8:39, Dharmendra Parakh wrote:
>>>> Hi Ivan
>>>>
>>>> Thanks for your reply. The JIRA you have pointed to might
>>>> be related to UI only, and what I observed is that if I use
>>>> the model web service to modify one inducement, it is
>>>> deleting other inducements.
>>>>
>>>> We are using the master branch, so the latest midPoint version.
>>>>
>>>> Regards
>>>> Dharmendra
>>>>
>>>> On Thu, Feb 12, 2015 at 1:01 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I believe this is the issue:
>>>> https://jira.evolveum.com/browse/MID-2113 and it
>>>> should be fixed, but please see the comment in JIRA.
>>>>
>>>> Also, what version of midPoint are you using?
>>>>
>>>> Thanks,
>>>> regards
>>>> Ivan
>>>>
>>>>
>>>> On 02/12/2015 08:08 AM, Dharmendra Parakh wrote:
>>>>> Hi Radovan
>>>>>
>>>>> Additional Information:
>>>>>
>>>>> We have a requirement to update the role
>>>>> inducement from web service client, where we have
>>>>> to add/delete some resource attributes.
>>>>>
>>>>> In our scenario we have a role with multiple
>>>>> inducements (let's say one role and one resource
>>>>> inducement). Now I want to add some additional
>>>>> attribute-values in resource inducement. To do
>>>>> this we calculate the correct inducement
>>>>> (AssignmentType) object with all current
>>>>> attributes and try to replace this inducement.
>>>>> Earlier this was working for us but now when we do
>>>>> this other inducement information is lost (induced
>>>>> role is no longer available in role).
>>>>>
>>>>> I am attaching the request xml with the mail...
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Regards
>>>>> Dharmendra
>>>>>
>>>>>
>>>>> On Thu, Feb 12, 2015 at 12:03 PM, Manish Baid <baid_manish at yahoo.com> wrote:
>>>>>
>>>>> Hi Radovan,
>>>>> We are showing a demo to our clients, looks
>>>>> like with recent 3.1 release, inducement
>>>>> update is behaving differently.
>>>>>
>>>>> If you can work with Dharmendra to work
>>>>> through this (he is in India timezone, will be
>>>>> available in your mornings), it would be of
>>>>> great help.
>>>>>
>>>>>
>>>>>
>>>>> Thanks
>>>>>
>>>>> ----- Forwarded Message -----
>>>>> *From:* Manish Baid <baid_manish at yahoo.com>
>>>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>> *Cc:* Dharmendra Parakh <dharmendra at confluxsys.com>; Indrajit Chauhan <indrajit at confluxsys.com>
>>>>> *Sent:* Wednesday, February 11, 2015 4:14 PM
>>>>> *Subject:* URGENT ... Role inducements lost on role updates
>>>>>
>>>>> Hi,
>>>>> With 3.1 release code (and also after
>>>>> MID-2194), when inducement/s is/are updated in
>>>>> a role, other related inducements are removed.
>>>>>
>>>>> Here is an example:
>>>>>
>>>>> * Role had an inducement: "LDAP Account" with 3
>>>>> group memberships
>>>>> * Role is modified to add a role inducement
>>>>> (role hierarchy)
>>>>>
>>>>> Observation: 3 group memberships that were
>>>>> part of "Ldap Account" inducements are removed.
>>>>>
>>>>> Please see object XMLs of before and after.
>>>>>
>>>>> Thanks
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>> --
>>>> Ing. Ivan Noris
>>>> Senior Identity Management Engineer
>>>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>>>> _____________________________________________
>>>> "Semper Id(e)M Vix."