[midPoint] Fw: URGENT ... Role inducements lost on role updates
Dharmendra Parakh
dharmendra at confluxsys.com
Thu Feb 12 14:32:39 CET 2015
Hey Pavol
This thing works but i am not sure if it is correct because if there is a
attribute posixGroup with values lets say groupA, groupB, groupC now if we
add groupD and groupE using this approach it will add another posixGroup
attribute.
So basically inducement will now have two attributes with different values.
Is it fine or will it cause some problem in inducement enforcement or
reconciliation.
Thanks
On Thu, Feb 12, 2015 at 4:26 PM, Pavol Mederly <mederly at evolveum.com> wrote:
> Actually, it works. See last commit - this code:
>
> private static void modifyRoleModifyInducement(ModelPortType
> modelPort, String roleOid) throws IOException, SAXException, FaultMessage {
>
> ItemDeltaType inducementDelta = new ItemDeltaType();
>
> inducementDelta.setModificationType(ModificationTypeType.ADD);
>
>
> inducementDelta.setPath(ModelClientUtil.createItemPathType("inducement[3]/construction/attribute"));
>
> inducementDelta.getValue().add(ModelClientUtil.parseElement("<value>\n"
> +
>
> " <ref xmlns:ri=\
> "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3\"
> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3%5C>>ri:pager</ref>\n"
> +
>
> " <outbound>\n" +
>
> " <expression>\n" +
>
> " <value>00-000-001</value>\n" +
>
> " <value>00-000-003</value>\n" +
>
> " </expression>\n" +
>
> " </outbound>\n" +
>
> " </value>"));
>
>
>
> ObjectDeltaType deltaType = new ObjectDeltaType();
>
>
> deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
>
> deltaType.setChangeType(ChangeTypeType.MODIFY);
>
> deltaType.setOid(roleOid);
>
> deltaType.getItemDelta().add(inducementDelta);
>
>
>
> ObjectDeltaListType deltaListType = new ObjectDeltaListType();
>
> deltaListType.getDelta().add(deltaType);
>
> ObjectDeltaOperationListType objectDeltaOperationList =
> modelPort.executeChanges(deltaListType, null);
> }
>
> Best regards,
> Pavol
>
> Hello Dharmendra,
>
> yes, I've not noticed that.
>
> In that case, there are two possibilities:
>
> (1) You can safely delete + recreate the inducement, as I proposed. It
> should work.
> (2) You can modify the inducement itself. The XML code would look like
> this:
>
> <t:itemDelta>
> <t:modificationType>*add*</t:modificationType>
> <t:path>*inducement[2]/construction/attribute*</t:path>
> <t:value>
> <ref xmlns:qn50=
> "http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> <http://midpoint.evolveum.com/xml/ns/public/resource/instance-3>
> >qn50:posixGroups</ref>
> <outbound>
> <expression>
> <value>cn=H2,ou=groups,dc=confluxsys,dc=com</value>
>
> <value>cn=SudoUserGroup_Pset2678,ou=groups,dc=confluxsys,dc=com</value>
> <value>cn=ads,ou=groups,dc=confluxsys,dc=com</value>
> <value>cn=dba,ou=groups,dc=confluxsys,dc=com</value>
> <value>cn=db2users,ou=groups,dc=confluxsys,dc=com</value>
> <value>cn=devSvnAccess,ou=groups,dc=confluxsys,dc=com
> </value>
> </expression>
> </outbound>
> </t:value>
> </t:itemDelta>
>
> Actually, I've never done something like this. But it should work.
> (If not, please let me know.)
>
> Best regards,
> Pavol
>
>
> Hi Pavol
>
> I think here you are deleting the inducement itself but my goal was not
> to delete the resource inducement but modify some attributes of induced
> resource.
>
> Let me know if i am getting it incorrect.
>
> Thanks!
>
> On Thu, Feb 12, 2015 at 3:23 PM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
>> Yes, of course.
>>
>> I've just pushed a modified model-client-sample showing how to swap an
>> inducement (with a known ID) in the role definition.
>>
>> See this (red = removal code, green = addition code):
>>
>> // removes inducement with a given ID and replaces it with a new one
>>
>> private static void modifyRoleReplaceInducement(ModelPortType
>> modelPort, String roleOid, int oldId, String newInducementOid) throws
>> FaultMessage, IOException, SAXException {
>>
>>
>>
>> ItemDeltaType inducementDeleteDelta = new ItemDeltaType();
>>
>>
>> inducementDeleteDelta.setModificationType(ModificationTypeType.DELETE);
>>
>>
>> inducementDeleteDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>>
>>
>> inducementDeleteDelta.getValue().add(ModelClientUtil.parseElement("<value><id>"+oldId+"</id></value>"));
>>
>>
>>
>> ItemDeltaType inducementAddDelta = new ItemDeltaType();
>>
>> inducementAddDelta.setModificationType(ModificationTypeType.ADD);
>>
>>
>> inducementAddDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>>
>>
>> inducementAddDelta.getValue().add(createRoleAssignment(newInducementOid));
>>
>>
>>
>> ObjectDeltaType deltaType = new ObjectDeltaType();
>>
>>
>> deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
>>
>> deltaType.setChangeType(ChangeTypeType.MODIFY);
>>
>> deltaType.setOid(roleOid);
>>
>> deltaType.getItemDelta().add(inducementDeleteDelta);
>>
>> deltaType.getItemDelta().add(inducementAddDelta);
>>
>>
>>
>> ObjectDeltaListType deltaListType = new ObjectDeltaListType();
>>
>> deltaListType.getDelta().add(deltaType);
>>
>> ObjectDeltaOperationListType objectDeltaOperationList =
>> modelPort.executeChanges(deltaListType, null);
>> }
>>
>> The corresponding XML is like this (again, red = removal code, green =
>> addition code):
>>
>> <soap:Body>
>> <ns8:executeChanges xmlns:ns10=
>> "http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>> <http://midpoint.evolveum.com/xml/ns/public/model/scripting-3>
>> xmlns:ns11=
>> "http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
>> <http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3>
>> xmlns:ns12="http://www.w3.org/2000/09/xmldsig#"
>> <http://www.w3.org/2000/09/xmldsig#> xmlns:ns13=
>> "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
>> <http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3>
>> xmlns:ns14="http://www.w3.org/2001/04/xmlenc#"
>> <http://www.w3.org/2001/04/xmlenc#> xmlns:ns15=
>> "http://prism.evolveum.com/xml/ns/public/annotation-3"
>> <http://prism.evolveum.com/xml/ns/public/annotation-3> xmlns:ns16=
>> "http://midpoint.evolveum.com/xml/ns/public/common/fault-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/fault-3> xmlns:ns2=
>> "http://prism.evolveum.com/xml/ns/public/types-3"
>> <http://prism.evolveum.com/xml/ns/public/types-3> xmlns:ns3=
>> "http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/common-3> xmlns:ns4=
>> "http://prism.evolveum.com/xml/ns/public/query-3"
>> <http://prism.evolveum.com/xml/ns/public/query-3> xmlns:ns5=
>> "http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>> <http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3>
>> xmlns:ns6=
>> "http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-3"
>> <http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-3>
>> xmlns:ns7=
>> "http://midpoint.evolveum.com/xml/ns/model/workflow/process-instance-state-3"
>> <http://midpoint.evolveum.com/xml/ns/model/workflow/process-instance-state-3>
>> xmlns:ns8="http://midpoint.evolveum.com/xml/ns/public/model/model-3"
>> <http://midpoint.evolveum.com/xml/ns/public/model/model-3> xmlns:ns9=
>> "http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>> <http://midpoint.evolveum.com/xml/ns/public/common/api-types-3>>
>> <ns8:deltaList>
>> <ns9:delta>
>> <ns2:changeType>modify</ns2:changeType>
>> <ns2:objectType>ns3:RoleType</ns2:objectType>
>>
>> <ns2:oid>290acb64-f64c-4f01-8b5b-c5b745092f27</ns2:oid>
>> <ns2:itemDelta>
>>
>> <ns2:modificationType>delete</ns2:modificationType>
>> <ns2:path>declare default namespace '
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3';
>> inducement</ns2:path>
>> <ns2:value>
>> <id>2</id>
>> </ns2:value>
>> </ns2:itemDelta>
>> <ns2:itemDelta>
>> <ns2:modificationType>add</ns2:modificationType>
>> <ns2:path>declare default namespace '
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3';
>> inducement</ns2:path>
>> <ns2:value xmlns:xsi=
>> "http://www.w3.org/2001/XMLSchema-instance"
>> <http://www.w3.org/2001/XMLSchema-instance>
>> xsi:type="ns3:AssignmentType">
>> <ns3:targetRef
>> oid="12345678-d34d-b33f-f00d-987987cccccc" type="ns3:RoleType"/>
>> </ns2:value>
>> </ns2:itemDelta>
>> </ns9:delta>
>> </ns8:deltaList>
>> </ns8:executeChanges>
>> </soap:Body>
>>
>> Best regards,
>> Pavol
>>
>> Hi
>>
>> I got this point that i can add and delete individual attribute/value
>> but i want to know how can i achieve with java code or can you give me a
>> sample xml doing this.
>>
>> Regards
>> Dharmendra
>>
>> On Thu, Feb 12, 2015 at 1:53 PM, Pavol Mederly <mederly at evolveum.com>
>> wrote:
>>
>>> Hello Dharmendra,
>>>
>>> If the replace does not work how can i individually add/delete
>>> attributes/values ?
>>>
>>>
>>> REPLACE replaces the whole inducement, i.e. all of its values.
>>>
>>> If you want to replace just one value (e.g. you have a values of A, B, C
>>> and you want to make it A, B, D), you have to do the following:
>>> - delete C
>>> - add D
>>>
>>> You can (and perhaps, should) do this in one operation.
>>>
>>> Hope this helps.
>>> Pavol
>>>
>>>
>>>
>>> On 12. 2. 2015 9:01, Dharmendra Parakh wrote:
>>>
>>> HI Pavol
>>>
>>> Quick Background:
>>> My role had two inducements:
>>> id=1: Role
>>> id=2 Resource
>>> I wanted to replace the resource inducement.
>>>
>>> As per my understanding i was trying to replace the inducement with
>>> id=2. and that does not means to delete the other inducement (like id=1).
>>>
>>> If the replace does not work how can i individually add/delete
>>> attributes/values ?
>>>
>>> Thanks
>>> Dharmendra
>>>
>>>
>>> On Thu, Feb 12, 2015 at 1:22 PM, Pavol Mederly <mederly at evolveum.com>
>>> wrote:
>>>
>>>> Hello Dharmendra,
>>>>
>>>> looking at your WS request: it is of REPLACE type, see:
>>>>
>>>> <objectDelta ... >
>>>> ...
>>>> <t:itemDelta>
>>>> <t:modificationType>*replace*</t:modificationType>
>>>> <t:path>c:*inducement*</t:path>
>>>> <t:value id="2">
>>>> ...
>>>> </t:value>
>>>> </t:itemDelta>
>>>> ...
>>>>
>>>> So, basically you tell midPoint that you want to REPLACE the values of
>>>> *inducement* item with the ones you have provided.
>>>> And you've provided one value with id=2 and content of account
>>>> construction on resource d0811790-1d80-11e4-86b2-3c970e467874.
>>>> So after the operation, the original inducement with id=1 should be
>>>> gone.
>>>>
>>>> Is this what you wanted to do? Perhaps no.
>>>>
>>>> If you want to replace only one value in multi-valued item, you have to
>>>> 1) delete old value
>>>> 2) add new value
>>>>
>>>> And, I'm not quite sure about your first mail (Manish Baid, received
>>>> 01:14). Aren't the contents of files "original.xml" and
>>>> "after_addRoleInducement.xml" swapped? Because original.xml corresponds to
>>>> the state with only one inducement, while the file
>>>> "after_addRoleInducement.xml" contains two inducements. Just opposite as I
>>>> would expect, given the messages you wrote.
>>>>
>>>> Best regards,
>>>> Pavol
>>>>
>>>>
>>>>
>>>> On 12. 2. 2015 8:39, Dharmendra Parakh wrote:
>>>>
>>>> Hi Ivan
>>>>
>>>> Thanks for your reply. jira you have pointed is might be related to UI
>>>> only and what i observed is if i use model web service to modify one
>>>> inducement it is deleting other inducements.
>>>>
>>>> We are using the master branch so latest midpoint version.
>>>>
>>>> Regards
>>>> Dharmendra
>>>>
>>>> On Thu, Feb 12, 2015 at 1:01 PM, Ivan Noris <ivan.noris at evolveum.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I believe this is the issue: https://jira.evolveum.com/browse/MID-2113
>>>>> and it should be fixed, but please see the comment in JIRA.
>>>>>
>>>>> Also, what version of midPoint are you using?
>>>>>
>>>>> Thanks,
>>>>> regards
>>>>> Ivan
>>>>>
>>>>>
>>>>> On 02/12/2015 08:08 AM, Dharmendra Parakh wrote:
>>>>>
>>>>> Hi Radovan
>>>>>
>>>>> Additional Information:
>>>>>
>>>>> We have a requirement to update the role inducement from web service
>>>>> client, where we have to add/delete some resource attributes.
>>>>>
>>>>> In our scenario we have a role with multiple inducements (let say
>>>>> one role and one resource inducement). Now i want to add some additional
>>>>> attribute-values in resource inducement. To do this we calculate the
>>>>> correct inducement (AssignmentType) object with all current attributes and
>>>>> try to replace this inducement.
>>>>> Earlier this was working for us but now when we do this other
>>>>> inducement information is lost (induced role is no longer available in
>>>>> role).
>>>>>
>>>>> I am attaching the request xml with the mail...
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Regards
>>>>> Dharmendra
>>>>>
>>>>>
>>>>> On Thu, Feb 12, 2015 at 12:03 PM, Manish Baid <baid_manish at yahoo.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Radovan,
>>>>>> We are showing a demo to our clients, looks like with recent 3.1
>>>>>> release, inducement update is behaving differently.
>>>>>>
>>>>>> If you can work with Dharmendra to work through this (he is in
>>>>>> India timezone, will be available in your mornings), it would be of great
>>>>>> help.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> ----- Forwarded Message -----
>>>>>> *From:* Manish Baid <baid_manish at yahoo.com>
>>>>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>>> *Cc:* Dharmendra Parakh <dharmendra at confluxsys.com>; Indrajit
>>>>>> Chauhan <indrajit at confluxsys.com>
>>>>>> *Sent:* Wednesday, February 11, 2015 4:14 PM
>>>>>> *Subject:* URGENT ... Role inducements lost on role updates
>>>>>>
>>>>>> Hi,
>>>>>> With 3.1 release code (and also after MID-2194), when inducement/s
>>>>>> is/are updated in a role, other related indcuments are removed.
>>>>>>
>>>>>> Here is an example:
>>>>>>
>>>>>> * Role had an indcument: "LDAP Account" with 3 group memberships
>>>>>> * Role is modified to add a role inducement (role hierarchy)
>>>>>>
>>>>>> Observation: 3 group memberships that were part of "Ldap Account"
>>>>>> inducments are removed.
>>>>>>
>>>>>> Please see object XMLs of before and after.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>> --
>>>>> Ing. Ivan Noris
>>>>> Senior Identity Management Engineer
>>>>> evolveum.com evolveum.com/blog/
>>>>> _____________________________________________
>>>>> "Semper Id(e)M Vix."
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150212/f5fcdc39/attachment.htm>
More information about the midPoint
mailing list