[midPoint] Fw: URGENT ... Role inducements lost on role updates
Pavol Mederly
mederly at evolveum.com
Thu Feb 12 11:56:55 CET 2015
Actually, it works. See last commit - this code:
    private static void modifyRoleModifyInducement(ModelPortType modelPort, String roleOid)
            throws IOException, SAXException, FaultMessage {
        // ADD an attribute construction under the inducement selected by inducement[3],
        // instead of replacing the whole inducement item
        ItemDeltaType inducementDelta = new ItemDeltaType();
        inducementDelta.setModificationType(ModificationTypeType.ADD);
        inducementDelta.setPath(ModelClientUtil.createItemPathType("inducement[3]/construction/attribute"));
        inducementDelta.getValue().add(ModelClientUtil.parseElement("<value>\n" +
                "<ref xmlns:ri=\"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3\">ri:pager</ref>\n" +
                "<outbound>\n" +
                "<expression>\n" +
                "<value>00-000-001</value>\n" +
                "<value>00-000-003</value>\n" +
                "</expression>\n" +
                "</outbound>\n" +
                "</value>"));

        // Wrap the item delta in a MODIFY delta for the role
        ObjectDeltaType deltaType = new ObjectDeltaType();
        deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
        deltaType.setChangeType(ChangeTypeType.MODIFY);
        deltaType.setOid(roleOid);
        deltaType.getItemDelta().add(inducementDelta);

        ObjectDeltaListType deltaListType = new ObjectDeltaListType();
        deltaListType.getDelta().add(deltaType);
        ObjectDeltaOperationListType objectDeltaOperationList =
                modelPort.executeChanges(deltaListType, null);
    }
Best regards,
Pavol
> Hello Dharmendra,
>
> yes, I've not noticed that.
>
> In that case, there are two possibilities:
>
> (1) You can safely delete + recreate the inducement, as I proposed. It
> should work.
> (2) You can modify the inducement itself. The XML code would look like
> this:
>
> <t:itemDelta>
>   <t:modificationType>add</t:modificationType>
>   <t:path>inducement[2]/construction/attribute</t:path>
>   <t:value>
>     <ref xmlns:qn50="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn50:posixGroups</ref>
>     <outbound>
>       <expression>
>         <value>cn=H2,ou=groups,dc=confluxsys,dc=com</value>
>         <value>cn=SudoUserGroup_Pset2678,ou=groups,dc=confluxsys,dc=com</value>
>         <value>cn=ads,ou=groups,dc=confluxsys,dc=com</value>
>         <value>cn=dba,ou=groups,dc=confluxsys,dc=com</value>
>         <value>cn=db2users,ou=groups,dc=confluxsys,dc=com</value>
>         <value>cn=devSvnAccess,ou=groups,dc=confluxsys,dc=com</value>
>       </expression>
>     </outbound>
>   </t:value>
> </t:itemDelta>
>
> Actually, I've never done something like this. But it should work.
> (If not, please let me know.)
>
> Best regards,
> Pavol
>
>
>> Hi Pavol
>>
>> I think here you are deleting the inducement itself, but my goal was
>> not to delete the resource inducement but to modify some attributes of
>> the induced resource.
>>
>> Let me know if I am getting it incorrect.
>>
>> Thanks!
>>
>> On Thu, Feb 12, 2015 at 3:23 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>>
>> Yes, of course.
>>
>> I've just pushed a modified model-client-sample showing how to
>> swap an inducement (with a known ID) in the role definition.
>>
>> See this (red = removal code, green = addition code):
>>
>>     // removes inducement with a given ID and replaces it with a new one
>>     private static void modifyRoleReplaceInducement(ModelPortType modelPort, String roleOid,
>>             int oldId, String newInducementOid)
>>             throws FaultMessage, IOException, SAXException {
>>
>>         ItemDeltaType inducementDeleteDelta = new ItemDeltaType();
>>         inducementDeleteDelta.setModificationType(ModificationTypeType.DELETE);
>>         inducementDeleteDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>>         inducementDeleteDelta.getValue().add(ModelClientUtil.parseElement("<value><id>"+oldId+"</id></value>"));
>>
>>         ItemDeltaType inducementAddDelta = new ItemDeltaType();
>>         inducementAddDelta.setModificationType(ModificationTypeType.ADD);
>>         inducementAddDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>>         inducementAddDelta.getValue().add(createRoleAssignment(newInducementOid));
>>
>>         ObjectDeltaType deltaType = new ObjectDeltaType();
>>         deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
>>         deltaType.setChangeType(ChangeTypeType.MODIFY);
>>         deltaType.setOid(roleOid);
>>         deltaType.getItemDelta().add(inducementDeleteDelta);
>>         deltaType.getItemDelta().add(inducementAddDelta);
>>
>>         ObjectDeltaListType deltaListType = new ObjectDeltaListType();
>>         deltaListType.getDelta().add(deltaType);
>>         ObjectDeltaOperationListType objectDeltaOperationList =
>>                 modelPort.executeChanges(deltaListType, null);
>>     }
>>
>> The corresponding XML is like this (again, red = removal code,
>> green = addition code):
>>
>> <soap:Body>
>>   <ns8:executeChanges
>>       xmlns:ns10="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>>       xmlns:ns11="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
>>       xmlns:ns12="http://www.w3.org/2000/09/xmldsig#"
>>       xmlns:ns13="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
>>       xmlns:ns14="http://www.w3.org/2001/04/xmlenc#"
>>       xmlns:ns15="http://prism.evolveum.com/xml/ns/public/annotation-3"
>>       xmlns:ns16="http://midpoint.evolveum.com/xml/ns/public/common/fault-3"
>>       xmlns:ns2="http://prism.evolveum.com/xml/ns/public/types-3"
>>       xmlns:ns3="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:ns4="http://prism.evolveum.com/xml/ns/public/query-3"
>>       xmlns:ns5="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>       xmlns:ns6="http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-3"
>>       xmlns:ns7="http://midpoint.evolveum.com/xml/ns/model/workflow/process-instance-state-3"
>>       xmlns:ns8="http://midpoint.evolveum.com/xml/ns/public/model/model-3"
>>       xmlns:ns9="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">
>>     <ns8:deltaList>
>>       <ns9:delta>
>>         <ns2:changeType>modify</ns2:changeType>
>>         <ns2:objectType>ns3:RoleType</ns2:objectType>
>>         <ns2:oid>290acb64-f64c-4f01-8b5b-c5b745092f27</ns2:oid>
>>         <ns2:itemDelta>
>>           <ns2:modificationType>delete</ns2:modificationType>
>>           <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
>>           <ns2:value>
>>             <id>2</id>
>>           </ns2:value>
>>         </ns2:itemDelta>
>>         <ns2:itemDelta>
>>           <ns2:modificationType>add</ns2:modificationType>
>>           <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
>>           <ns2:value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>               xsi:type="ns3:AssignmentType">
>>             <ns3:targetRef oid="12345678-d34d-b33f-f00d-987987cccccc" type="ns3:RoleType"/>
>>           </ns2:value>
>>         </ns2:itemDelta>
>>       </ns9:delta>
>>     </ns8:deltaList>
>>   </ns8:executeChanges>
>> </soap:Body>
>>
>> Best regards,
>> Pavol
>>
>>> Hi
>>>
>>> I got this point that I can add and delete individual
>>> attribute/value, but I want to know how I can achieve this with Java
>>> code, or can you give me a sample XML doing this?
>>>
>>> Regards
>>> Dharmendra
>>>
>>> On Thu, Feb 12, 2015 at 1:53 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>>>
>>> Hello Dharmendra,
>>>
>>>> If the replace does not work how can i individually
>>>> add/delete attributes/values ?
>>>
>>> REPLACE replaces the whole inducement, i.e. all of its values.
>>>
>>> If you want to replace just one value (e.g. you have a
>>> values of A, B, C and you want to make it A, B, D), you have
>>> to do the following:
>>> - delete C
>>> - add D
>>>
>>> You can (and perhaps, should) do this in one operation.
>>>
>>> Hope this helps.
>>> Pavol
>>>
>>>
>>>
>>> On 12. 2. 2015 9:01, Dharmendra Parakh wrote:
>>>> HI Pavol
>>>>
>>>> Quick Background:
>>>> My role had two inducements:
>>>> id=1: Role
>>>> id=2 Resource
>>>> I wanted to replace the resource inducement.
>>>>
>>>> As per my understanding, I was trying to replace the
>>>> inducement with id=2, and that does not mean deleting the
>>>> other inducement (like id=1).
>>>>
>>>> If the replace does not work, how can I individually
>>>> add/delete attributes/values?
>>>>
>>>> Thanks
>>>> Dharmendra
>>>>
>>>>
>>>> On Thu, Feb 12, 2015 at 1:22 PM, Pavol Mederly <mederly at evolveum.com> wrote:
>>>>
>>>> Hello Dharmendra,
>>>>
>>>> looking at your WS request: it is of REPLACE type, see:
>>>>
>>>> <objectDelta ... >
>>>>   ...
>>>>   <t:itemDelta>
>>>>     <t:modificationType>replace</t:modificationType>
>>>>     <t:path>c:inducement</t:path>
>>>>     <t:value id="2">
>>>>       ...
>>>>     </t:value>
>>>>   </t:itemDelta>
>>>>   ...
>>>>
>>>> So, basically you tell midPoint that you want to
>>>> REPLACE the values of inducement item with the ones
>>>> you have provided.
>>>> And you've provided one value with id=2 and content of
>>>> account construction on resource
>>>> d0811790-1d80-11e4-86b2-3c970e467874.
>>>> So after the operation, the original inducement with
>>>> id=1 should be gone.
>>>>
>>>> Is this what you wanted to do? Perhaps no.
>>>>
>>>> If you want to replace only one value in multi-valued
>>>> item, you have to
>>>> 1) delete old value
>>>> 2) add new value
>>>>
>>>> And, I'm not quite sure about your first mail (Manish
>>>> Baid, received 01:14). Aren't the contents of files
>>>> "original.xml" and "after_addRoleInducement.xml"
>>>> swapped? Because original.xml corresponds to the state
>>>> with only one inducement, while the file
>>>> "after_addRoleInducement.xml" contains two inducements.
>>>> Just opposite as I would expect, given the messages you
>>>> wrote.
>>>>
>>>> Best regards,
>>>> Pavol
>>>>
>>>>
>>>>
>>>> On 12. 2. 2015 8:39, Dharmendra Parakh wrote:
>>>>> Hi Ivan
>>>>>
>>>>> Thanks for your reply. The JIRA issue you have pointed to might
>>>>> be related to the UI only, and what I observed is that if I use
>>>>> the model web service to modify one inducement, it is
>>>>> deleting other inducements.
>>>>>
>>>>> We are using the master branch so latest midpoint version.
>>>>>
>>>>> Regards
>>>>> Dharmendra
>>>>>
>>>>> On Thu, Feb 12, 2015 at 1:01 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I believe this is the issue:
>>>>> https://jira.evolveum.com/browse/MID-2113 and it
>>>>> should be fixed, but please see the comment in JIRA.
>>>>>
>>>>> Also, what version of midPoint are you using?
>>>>>
>>>>> Thanks,
>>>>> regards
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 02/12/2015 08:08 AM, Dharmendra Parakh wrote:
>>>>>> Hi Radovan
>>>>>>
>>>>>> Additional Information:
>>>>>>
>>>>>> We have a requirement to update the role
>>>>>> inducement from web service client, where we have
>>>>>> to add/delete some resource attributes.
>>>>>>
>>>>>> In our scenario we have a role with multiple
>>>>>> inducements (let's say one role and one resource
>>>>>> inducement). Now I want to add some additional
>>>>>> attribute values in the resource inducement. To do
>>>>>> this, we calculate the correct inducement
>>>>>> (AssignmentType) object with all current
>>>>>> attributes and try to replace this inducement.
>>>>>> Earlier this was working for us, but now when we
>>>>>> do this, the other inducement information is lost
>>>>>> (the induced role is no longer available in the role).
>>>>>>
>>>>>> I am attaching the request xml with the mail...
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>> Dharmendra
>>>>>>
>>>>>>
>>>>>> On Thu, Feb 12, 2015 at 12:03 PM, Manish Baid <baid_manish at yahoo.com> wrote:
>>>>>>
>>>>>> Hi Radovan,
>>>>>> We are showing a demo to our clients, looks
>>>>>> like with recent 3.1 release, inducement
>>>>>> update is behaving differently.
>>>>>>
>>>>>> If you can work with Dharmendra to work
>>>>>> through this (he is in India timezone, will
>>>>>> be available in your mornings), it would be
>>>>>> of great help.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> ----- Forwarded Message -----
>>>>>> *From:* Manish Baid <baid_manish at yahoo.com>
>>>>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>>> *Cc:* Dharmendra Parakh <dharmendra at confluxsys.com>; Indrajit Chauhan <indrajit at confluxsys.com>
>>>>>> *Sent:* Wednesday, February 11, 2015 4:14 PM
>>>>>> *Subject:* URGENT ... Role inducements lost on role updates
>>>>>>
>>>>>> Hi,
>>>>>> With 3.1 release code (and also after
>>>>>> MID-2194), when inducement/s is/are updated
>>>>>> in a role, other related inducements are removed.
>>>>>>
>>>>>> Here is an example:
>>>>>>
>>>>>> * Role had an inducement: "LDAP Account" with
>>>>>> 3 group memberships
>>>>>> * Role is modified to add a role inducement
>>>>>> (role hierarchy)
>>>>>>
>>>>>> Observation: 3 group memberships that were
>>>>>> part of "Ldap Account" inducements are removed.
>>>>>>
>>>>>> Please see object XMLs of before and after.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>> --
>>>>> Ing. Ivan Noris
>>>>> Senior Identity Management Engineer
>>>>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>>>>> _____________________________________________
>>>>> "Semper Id(e)M Vix."
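The REPLACE pitfall diagnosed in this thread, written as a pre-flight check over the delta XML before it is sent to the model web service. This is an added example, not part of the original thread or of midPoint; `values_lost`, `last_segment`, the `GUARDED` set and the sample deltas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the delta elements (ns2 / t: in the requests quoted in this thread).
T = "{http://prism.evolveum.com/xml/ns/public/types-3}"
GUARDED = {"inducement", "assignment"}  # assumption: multi-valued items to guard

def last_segment(path):
    """Final path segment, without namespace declaration or prefix."""
    path = path.split(";")[-1].strip()         # drop "declare default namespace '...';"
    return path.split("/")[-1].split(":")[-1]  # drop parent segments and "c:"

def values_lost(delta_xml, existing_ids):
    """Map item name -> existing value ids that a whole-item REPLACE would drop."""
    lost = {}
    for item in ET.fromstring(delta_xml).iter(T + "itemDelta"):
        mod = (item.findtext(T + "modificationType") or "").strip().lower()
        seg = last_segment(item.findtext(T + "path") or "")
        # A path such as inducement[3]/construction/attribute ends in "attribute",
        # so a change below one inducement is not flagged.
        if mod != "replace" or seg not in GUARDED:
            continue
        kept = {v.get("id") for v in item.findall(T + "value")}
        gone = sorted(set(existing_ids.get(seg, ())) - kept)
        if gone:
            lost[seg] = gone
    return lost

# Constructed sample requests, reduced to the elements the check reads.
NS = 'xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"'
REPLACE_DELTA = f"""<objectDelta {NS}><t:itemDelta>
  <t:modificationType>replace</t:modificationType>
  <t:path>c:inducement</t:path>
  <t:value id="2"/>
</t:itemDelta></objectDelta>"""
SWAP_DELTA = f"""<objectDelta {NS}>
<t:itemDelta><t:modificationType>delete</t:modificationType>
  <t:path>inducement</t:path><t:value><id>2</id></t:value></t:itemDelta>
<t:itemDelta><t:modificationType>add</t:modificationType>
  <t:path>inducement</t:path><t:value/></t:itemDelta>
</objectDelta>"""

if __name__ == "__main__":
    role = {"inducement": ["1", "2"]}  # ids currently stored on the role
    print(values_lost(REPLACE_DELTA, role))  # {'inducement': ['1']}
    print(values_lost(SWAP_DELTA, role))     # {}
```

A non-empty result means the request would remove entitlements the caller did not name, which is the symptom reported at the start of the thread.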