[midPoint] Fw: URGENT ... Role inducements lost on role updates
Pavol Mederly
mederly at evolveum.com
Thu Feb 12 17:37:16 CET 2015
Hello Dharmendra,
good question!
(I expected there is no existing <attribute> element.)
Actually, I'm not sure what would happen. I would suggest avoiding such
a situation.
So, if there is an existing <attribute> element, it is possible to
change the modification type (in line #3 in java source below) from ADD
to REPLACE. And list all the groups (groupA, groupB, groupC, groupD,
groupE) in it.
I've not tested that, but it should work.
Best regards,
Pavol
> Hey Pavol
>
> This thing works but I am not sure if it is correct, because if there
> is an attribute posixGroup with values, let's say, groupA, groupB, groupC,
> and we now add groupD and groupE using this approach, it will add
> another posixGroup attribute.
> So basically the inducement will now have two attributes with different
> values.
>
> Is it fine, or will it cause some problem in inducement enforcement or
> reconciliation?
>
>
> Thanks
>
>
> On Thu, Feb 12, 2015 at 4:26 PM, Pavol Mederly <mederly at evolveum.com>
> wrote:
>
> Actually, it works. See last commit - this code:
>
> private static void modifyRoleModifyInducement(ModelPortType modelPort, String roleOid) throws IOException, SAXException, FaultMessage {
>     ItemDeltaType inducementDelta = new ItemDeltaType();
>     inducementDelta.setModificationType(ModificationTypeType.ADD);
>     inducementDelta.setPath(ModelClientUtil.createItemPathType("inducement[3]/construction/attribute"));
>     inducementDelta.getValue().add(ModelClientUtil.parseElement("<value>\n" +
>             "<ref xmlns:ri=\"http://midpoint.evolveum.com/xml/ns/public/resource/instance-3\">ri:pager</ref>\n" +
>             "<outbound>\n" +
>             "<expression>\n" +
>             "<value>00-000-001</value>\n" +
>             "<value>00-000-003</value>\n" +
>             "</expression>\n" +
>             "</outbound>\n" +
>             "</value>"));
>
>     ObjectDeltaType deltaType = new ObjectDeltaType();
>     deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
>     deltaType.setChangeType(ChangeTypeType.MODIFY);
>     deltaType.setOid(roleOid);
>     deltaType.getItemDelta().add(inducementDelta);
>
>     ObjectDeltaListType deltaListType = new ObjectDeltaListType();
>     deltaListType.getDelta().add(deltaType);
>
>     ObjectDeltaOperationListType objectDeltaOperationList =
>             modelPort.executeChanges(deltaListType, null);
> }
>
> Best regards,
> Pavol
>
>> Hello Dharmendra,
>>
>> yes, I've not noticed that.
>>
>> In that case, there are two possibilities:
>>
>> (1) You can safely delete + recreate the inducement, as I
>> proposed. It should work.
>> (2) You can modify the inducement itself. The XML code would look
>> like this:
>>
>> <t:itemDelta>
>>     <t:modificationType>add</t:modificationType>
>>     <t:path>inducement[2]/construction/attribute</t:path>
>>     <t:value>
>>         <ref xmlns:qn50="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">qn50:posixGroups</ref>
>>         <outbound>
>>             <expression>
>>                 <value>cn=H2,ou=groups,dc=confluxsys,dc=com</value>
>>                 <value>cn=SudoUserGroup_Pset2678,ou=groups,dc=confluxsys,dc=com</value>
>>                 <value>cn=ads,ou=groups,dc=confluxsys,dc=com</value>
>>                 <value>cn=dba,ou=groups,dc=confluxsys,dc=com</value>
>>                 <value>cn=db2users,ou=groups,dc=confluxsys,dc=com</value>
>>                 <value>cn=devSvnAccess,ou=groups,dc=confluxsys,dc=com</value>
>>             </expression>
>>         </outbound>
>>     </t:value>
>> </t:itemDelta>
>>
>> Actually, I've never done something like this. But it should work.
>> (If not, please let me know.)
>>
>> Best regards,
>> Pavol
>>
>>
>>> Hi Pavol
>>>
>>> I think here you are deleting the inducement itself, but my goal
>>> was not to delete the resource inducement but to modify some
>>> attributes of the induced resource.
>>>
>>> Let me know if I am getting it incorrect.
>>>
>>> Thanks!
>>>
>>> On Thu, Feb 12, 2015 at 3:23 PM, Pavol Mederly
>>> <mederly at evolveum.com> wrote:
>>>
>>> Yes, of course.
>>>
>>> I've just pushed a modified model-client-sample showing how
>>> to swap an inducement (with a known ID) in the role definition.
>>>
>>> See this (red = removal code, green = addition code):
>>>
>>> // removes inducement with a given ID and replaces it with a new one
>>> private static void modifyRoleReplaceInducement(ModelPortType modelPort, String roleOid,
>>>         int oldId, String newInducementOid) throws FaultMessage, IOException, SAXException {
>>>
>>>     ItemDeltaType inducementDeleteDelta = new ItemDeltaType();
>>>     inducementDeleteDelta.setModificationType(ModificationTypeType.DELETE);
>>>     inducementDeleteDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>>>     inducementDeleteDelta.getValue().add(ModelClientUtil.parseElement("<value><id>"+oldId+"</id></value>"));
>>>
>>>     ItemDeltaType inducementAddDelta = new ItemDeltaType();
>>>     inducementAddDelta.setModificationType(ModificationTypeType.ADD);
>>>     inducementAddDelta.setPath(ModelClientUtil.createItemPathType("inducement"));
>>>     inducementAddDelta.getValue().add(createRoleAssignment(newInducementOid));
>>>
>>>     ObjectDeltaType deltaType = new ObjectDeltaType();
>>>     deltaType.setObjectType(ModelClientUtil.getTypeQName(RoleType.class));
>>>     deltaType.setChangeType(ChangeTypeType.MODIFY);
>>>     deltaType.setOid(roleOid);
>>>     deltaType.getItemDelta().add(inducementDeleteDelta);
>>>     deltaType.getItemDelta().add(inducementAddDelta);
>>>
>>>     ObjectDeltaListType deltaListType = new ObjectDeltaListType();
>>>     deltaListType.getDelta().add(deltaType);
>>>
>>>     ObjectDeltaOperationListType objectDeltaOperationList =
>>>             modelPort.executeChanges(deltaListType, null);
>>> }
>>>
>>> The corresponding XML is like this (again, red = removal
>>> code, green = addition code):
>>>
>>> <soap:Body>
>>>   <ns8:executeChanges
>>>       xmlns:ns10="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>>>       xmlns:ns11="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3"
>>>       xmlns:ns12="http://www.w3.org/2000/09/xmldsig#"
>>>       xmlns:ns13="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3"
>>>       xmlns:ns14="http://www.w3.org/2001/04/xmlenc#"
>>>       xmlns:ns15="http://prism.evolveum.com/xml/ns/public/annotation-3"
>>>       xmlns:ns16="http://midpoint.evolveum.com/xml/ns/public/common/fault-3"
>>>       xmlns:ns2="http://prism.evolveum.com/xml/ns/public/types-3"
>>>       xmlns:ns3="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>>       xmlns:ns4="http://prism.evolveum.com/xml/ns/public/query-3"
>>>       xmlns:ns5="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>>       xmlns:ns6="http://midpoint.evolveum.com/xml/ns/model/workflow/common-forms-3"
>>>       xmlns:ns7="http://midpoint.evolveum.com/xml/ns/model/workflow/process-instance-state-3"
>>>       xmlns:ns8="http://midpoint.evolveum.com/xml/ns/public/model/model-3"
>>>       xmlns:ns9="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3">
>>>     <ns8:deltaList>
>>>       <ns9:delta>
>>>         <ns2:changeType>modify</ns2:changeType>
>>>         <ns2:objectType>ns3:RoleType</ns2:objectType>
>>>         <ns2:oid>290acb64-f64c-4f01-8b5b-c5b745092f27</ns2:oid>
>>>         <ns2:itemDelta>
>>>           <ns2:modificationType>delete</ns2:modificationType>
>>>           <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
>>>           <ns2:value>
>>>             <id>2</id>
>>>           </ns2:value>
>>>         </ns2:itemDelta>
>>>         <ns2:itemDelta>
>>>           <ns2:modificationType>add</ns2:modificationType>
>>>           <ns2:path>declare default namespace 'http://midpoint.evolveum.com/xml/ns/public/common/common-3'; inducement</ns2:path>
>>>           <ns2:value xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns3:AssignmentType">
>>>             <ns3:targetRef oid="12345678-d34d-b33f-f00d-987987cccccc" type="ns3:RoleType"/>
>>>           </ns2:value>
>>>         </ns2:itemDelta>
>>>       </ns9:delta>
>>>     </ns8:deltaList>
>>>   </ns8:executeChanges>
>>> </soap:Body>
>>>
>>> Best regards,
>>> Pavol
>>>
>>>> Hi
>>>>
>>>> I got this point that I can add and delete individual
>>>> attribute/value, but I want to know how I can achieve this with
>>>> Java code, or can you give me a sample XML doing this?
>>>>
>>>> Regards
>>>> Dharmendra
>>>>
>>>> On Thu, Feb 12, 2015 at 1:53 PM, Pavol Mederly
>>>> <mederly at evolveum.com> wrote:
>>>>
>>>> Hello Dharmendra,
>>>>
>>>>> If the replace does not work, how can I individually
>>>>> add/delete attributes/values?
>>>>
>>>> REPLACE replaces the whole inducement, i.e. all of its
>>>> values.
>>>>
>>>> If you want to replace just one value (e.g. you have a
>>>> values of A, B, C and you want to make it A, B, D), you
>>>> have to do the following:
>>>> - delete C
>>>> - add D
>>>>
>>>> You can (and perhaps, should) do this in one operation.
>>>>
>>>> Hope this helps.
>>>> Pavol
>>>>
>>>>
>>>>
>>>> On 12. 2. 2015 9:01, Dharmendra Parakh wrote:
>>>>> Hi Pavol
>>>>>
>>>>> Quick Background:
>>>>> My role had two inducements:
>>>>> id=1: Role
>>>>> id=2: Resource
>>>>> I wanted to replace the resource inducement.
>>>>>
>>>>> As per my understanding I was trying to replace the
>>>>> inducement with id=2, and that does not mean to
>>>>> delete the other inducement (like id=1).
>>>>>
>>>>> If the replace does not work, how can I individually
>>>>> add/delete attributes/values?
>>>>>
>>>>> Thanks
>>>>> Dharmendra
>>>>>
>>>>>
>>>>> On Thu, Feb 12, 2015 at 1:22 PM, Pavol Mederly
>>>>> <mederly at evolveum.com> wrote:
>>>>>
>>>>> Hello Dharmendra,
>>>>>
>>>>> looking at your WS request: it is of REPLACE type,
>>>>> see:
>>>>>
>>>>> <objectDelta ... >
>>>>>     ...
>>>>>     <t:itemDelta>
>>>>>         <t:modificationType>replace</t:modificationType>
>>>>>         <t:path>c:inducement</t:path>
>>>>>         <t:value id="2">
>>>>>             ...
>>>>>         </t:value>
>>>>>     </t:itemDelta>
>>>>>     ...
>>>>>
>>>>> So, basically you tell midPoint that you want to
>>>>> REPLACE the values of the inducement item with the
>>>>> ones you have provided.
>>>>> And you've provided one value with id=2 and
>>>>> content of account construction on resource
>>>>> d0811790-1d80-11e4-86b2-3c970e467874.
>>>>> So after the operation, the original inducement
>>>>> with id=1 should be gone.
>>>>>
>>>>> Is this what you wanted to do? Perhaps no.
>>>>>
>>>>> If you want to replace only one value in
>>>>> multi-valued item, you have to
>>>>> 1) delete old value
>>>>> 2) add new value
>>>>>
>>>>> And, I'm not quite sure about your first mail
>>>>> (Manish Baid, received 01:14). Aren't the contents
>>>>> of files "original.xml" and
>>>>> "after_addRoleInducement.xml" swapped? Because
>>>>> original.xml corresponds to the state with only
>>>>> one inducement, while the file
>>>>> "after_addRoleInducement.xml" contains two
>>>>> inducements. Just opposite as I would expect,
>>>>> given the messages you wrote.
>>>>>
>>>>> Best regards,
>>>>> Pavol
>>>>>
>>>>>
>>>>>
>>>>> On 12. 2. 2015 8:39, Dharmendra Parakh wrote:
>>>>>> Hi Ivan
>>>>>>
>>>>>> Thanks for your reply. The JIRA you have pointed to
>>>>>> might be related to the UI only, and what I observed
>>>>>> is that if I use the model web service to modify one
>>>>>> inducement, it is deleting other inducements.
>>>>>>
>>>>>> We are using the master branch, so the latest midPoint
>>>>>> version.
>>>>>>
>>>>>> Regards
>>>>>> Dharmendra
>>>>>>
>>>>>> On Thu, Feb 12, 2015 at 1:01 PM, Ivan Noris
>>>>>> <ivan.noris at evolveum.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I believe this is the issue:
>>>>>> https://jira.evolveum.com/browse/MID-2113 and
>>>>>> it should be fixed, but please see the
>>>>>> comment in JIRA.
>>>>>>
>>>>>> Also, what version of midPoint are you using?
>>>>>>
>>>>>> Thanks,
>>>>>> regards
>>>>>> Ivan
>>>>>>
>>>>>>
>>>>>> On 02/12/2015 08:08 AM, Dharmendra Parakh wrote:
>>>>>>> Hi Radovan
>>>>>>>
>>>>>>> Additional Information:
>>>>>>>
>>>>>>> We have a requirement to update the role
>>>>>>> inducement from web service client, where we
>>>>>>> have to add/delete some resource attributes.
>>>>>>>
>>>>>>> In our scenario we have a role with multiple
>>>>>>> inducements (let's say one role and one
>>>>>>> resource inducement). Now I want to add some
>>>>>>> additional attribute-values in the resource
>>>>>>> inducement. To do this we calculate the
>>>>>>> correct inducement (AssignmentType) object
>>>>>>> with all current attributes and try to
>>>>>>> replace this inducement.
>>>>>>> Earlier this was working for us, but now when
>>>>>>> we do this, other inducement information is
>>>>>>> lost (the induced role is no longer available in
>>>>>>> the role).
>>>>>>>
>>>>>>> I am attaching the request xml with the mail...
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>> Dharmendra
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Feb 12, 2015 at 12:03 PM, Manish
>>>>>>> Baid <baid_manish at yahoo.com> wrote:
>>>>>>>
>>>>>>> Hi Radovan,
>>>>>>> We are showing a demo to our clients,
>>>>>>> looks like with recent 3.1 release,
>>>>>>> inducement update is behaving differently.
>>>>>>>
>>>>>>> If you can work with Dharmendra to work
>>>>>>> through this (he is in India timezone,
>>>>>>> will be available in your mornings), it
>>>>>>> would be of great help.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> ----- Forwarded Message -----
>>>>>>> *From:* Manish Baid <baid_manish at yahoo.com>
>>>>>>> *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>>>>>>> *Cc:* Dharmendra Parakh <dharmendra at confluxsys.com>;
>>>>>>> Indrajit Chauhan <indrajit at confluxsys.com>
>>>>>>> *Sent:* Wednesday, February 11, 2015 4:14 PM
>>>>>>> *Subject:* URGENT ... Role inducements lost on role updates
>>>>>>>
>>>>>>> Hi,
>>>>>>> With 3.1 release code (and also after
>>>>>>> MID-2194), when inducement/s is/are
>>>>>>> updated in a role, other related
>>>>>>> inducements are removed.
>>>>>>>
>>>>>>> Here is an example:
>>>>>>>
>>>>>>> * Role had an inducement: "LDAP Account"
>>>>>>> with 3 group memberships
>>>>>>> * Role is modified to add a role
>>>>>>> inducement (role hierarchy)
>>>>>>>
>>>>>>> Observation: 3 group memberships that
>>>>>>> were part of "Ldap Account" inducements
>>>>>>> are removed.
>>>>>>>
>>>>>>> Please see object XMLs of before and after.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> midPoint mailing list
>>>>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>> --
>>>>>> Ing. Ivan Noris
>>>>>> Senior Identity Management Engineer
>>>>>> evolveum.com evolveum.com/blog/
>>>>>> _____________________________________________
>>>>>> "Semper Id(e)M Vix."
>>>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20150212/7f72bd37/attachment.htm>
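Added example (not part of the thread and not midPoint code): a small pre-flight check that models the item-delta semantics described above, reporting which existing inducement ids a request would silently drop before it is sent to executeChanges. The function names, the sample requests and the mapping of the t:/ns2: prefix to the prism types-3 namespace are assumptions; id assignment for newly added values is not modelled.

```python
import xml.etree.ElementTree as ET

# Assumption: the t:/ns2: prefix in the thread is the prism types-3 namespace.
T = "http://prism.evolveum.com/xml/ns/public/types-3"
C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"

# Constructed requests in the shape quoted in the thread (values trimmed).
REPLACE_REQ = f"""<objectDelta xmlns:t="{T}"><t:itemDelta>
  <t:modificationType>replace</t:modificationType>
  <t:path>c:inducement</t:path>
  <t:value id="2"/>
</t:itemDelta></objectDelta>"""

SWAP_REQ = f"""<objectDelta xmlns:t="{T}"><t:itemDelta>
  <t:modificationType>delete</t:modificationType>
  <t:path>declare default namespace '{C}'; inducement</t:path>
  <t:value><id>2</id></t:value>
</t:itemDelta><t:itemDelta>
  <t:modificationType>add</t:modificationType>
  <t:path>declare default namespace '{C}'; inducement</t:path>
  <t:value><targetRef oid="12345678-d34d-b33f-f00d-987987cccccc"/></t:value>
</t:itemDelta></objectDelta>"""


def value_ids(item_delta):
    """Container ids named by a delta's values: id attribute or <id> child."""
    ids = set()
    for v in item_delta.findall(f"{{{T}}}value"):
        vid = v.get("id")
        if vid is None:
            child = next((c for c in v if c.tag.rsplit("}", 1)[-1] == "id"), None)
            vid = child.text.strip() if child is not None and child.text else None
        if vid is not None:
            ids.add(int(vid))
    return ids


def preview_item_deltas(current_ids, delta_xml, item="inducement"):
    """Return (surviving existing ids, ids dropped by REPLACE without being listed).

    Only deltas whose path names the item itself are considered; a path such as
    inducement[3]/construction/attribute leaves the set of inducements unchanged.
    """
    result, dropped = set(current_ids), set()
    for d in ET.fromstring(delta_xml).iter(f"{{{T}}}itemDelta"):
        path = d.findtext(f"{{{T}}}path", "").strip()
        name = path.split(";")[-1].strip().split(":")[-1]  # drop declaration/prefix
        if name != item:
            continue
        mod = d.findtext(f"{{{T}}}modificationType", "").strip().lower()
        ids = value_ids(d)
        if mod == "replace":
            dropped |= result - ids   # everything not listed is removed
            result = set(ids)
        elif mod == "delete":
            result -= ids
        elif mod == "add":
            result |= ids             # new values without an id are not tracked
    return result, dropped
```

For a role with inducements id=1 and id=2, the REPLACE request reports id=1 as dropped, while the DELETE+ADD request leaves id=1 in place.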