[midPoint] Construct DN based on role

midpoint at mybtinternet.com
Thu Jul 2 12:28:32 CEST 2015


Thx Pavol and Jason for your helpful examples!
I was already using attribute assignment to employeeType from my HR feed to assign roles
and didn't want to introduce values that will not be populated from the feed.
I elected a solution based on Pavol's first example below; it seems I was in the right direction,
but was missing 2 crucial parts, e.g. getting the target ref and the relativityMode. What does
"<relativityMode>absolute</relativityMode>" do?
The main addition I made to the example was to do a check for assignment != null; it doesn't
like getting values if there was no assignment.
Regards,
  Anton
----Original message----
From : mederly at evolveum.com
Date : 26/06/2015 - 18:41 (BST)
To : midpoint at lists.evolveum.com
Subject : Re: [midPoint] Construct DN based on role
Hello Anton,

one of the options is to get a list of all the user assignments and
act on it, in a similar way to what I wrote to Roman this morning, i.e.

<outbound>
    <strength>strong</strength>
    <source>
        <c:path>assignment</c:path>
    </source>
    <source> ....... any other sources, e.g. name, ... </source>
    <expression>
        <script>
            <relativityMode>absolute</relativityMode>
            <code>
                isStaff = false
                isAdmin = false
                ...
                log.info('assignment = {}', assignment)          // assignment is a PrismContainer
                for (assignmentValue in assignment.getValues()) {
                    log.info('checking {}', assignmentValue)
                    targetRef = assignmentValue.asContainerable().getTargetRef()
                    if (targetRef?.getOid()?.equals("....staff role OID.....")) {
                        isStaff = true
                    } else if (targetRef?.getOid()?.equals("....admin role OID.....")) {
                        isAdmin = true
                    }
                    ...
                }

                ... and now construct the DN based on isStaff, isAdmin etc.
            </code>
        </script>
    </expression>
</outbound>

I haven't actually tried it, but it could work.

Another, and perhaps more elegant, way is to induce some user
properties in the roles. E.g. the admin role could put the value
"Admin" into the "employeeType" property. It would look like this:

      
      <role>
          <name>admin</name>
          <displayName>admin</displayName>
          <inducement>
              <focusMappings>
                  <mapping>
                      <expression>
                          <value>Admin</value>
                      </expression>
                      <target>
                          <path>employeeType</path>
                      </target>
                  </mapping>
              </focusMappings>
          </inducement>
      </role>
      
And then you can use employeeType as just another source when
constructing the user DN. Beware of situations where there would be
more than one employeeType value (e.g. the user would be both admin
and, let's say, manager). A naive implementation of the mapping would
yield two DNs for the user.

Maybe someone with more experience in midPoint deployment (Ivan?)
would improve these options a bit.
      
      Best regards,
      Pavol
      
On 26. 6. 2015 19:08, midpoint at mybtinternet.com wrote:

Hi,

I have a role defined with an inducement for an Active Directory account and am able to successfully provision a basic account. However, I need the target container to be variable based on the user's role; e.g. staff goes to ou=staff,<directory-suffix> and admin users to ou=admin,<directory-suffix>.

I was hoping to use ad_container in the role's inducement of the Active Directory account. The attempted provisioning fails with "Cannot represent container value without a parent as containerable".

I also tried, unsuccessfully, to find references on how to programmatically get the user's role/s or assignments and then construct the DN based on the values.

Any suggestions?

Thx,
  Anton
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint
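The logic the thread converges on (walk the user's assignments, decide the container from the role OIDs, build the DN, and cope with the cases Anton and Pavol raise: a missing assignment container and a user who holds more than one qualifying role) is shown below as an added, stand-alone Python model. It is not midPoint's code, not Pavol's Groovy mapping and not Anton's final script: assignments are plain dicts, the role OIDs, the directory suffix and the container names are constructed placeholders, and the midPoint calls from the thread (assignment.getValues(), asContainerable().getTargetRef()) are replaced by dict lookups. It also escapes the name before placing it in the RDN, which the mapping in the thread does not do.

```python
# Added example, not midPoint's code: a stand-alone Python model of the
# DN-construction logic discussed in this thread. Assignments are plain dicts
# carrying a constructed targetRef OID; in a real midPoint outbound mapping the
# Groovy script would read them via assignment.getValues() and
# asContainerable().getTargetRef() instead.

# Constructed placeholder OIDs and containers (assumptions, not real values).
ADMIN_ROLE_OID = "00000000-0000-0000-0000-000000000a01"
STAFF_ROLE_OID = "00000000-0000-0000-0000-000000000501"
DIRECTORY_SUFFIX = "dc=example,dc=com"
DEFAULT_CONTAINER = "ou=users"

# Ordered by precedence: a user holding both roles lands in exactly one
# container rather than in "two DNs", the failure mode Pavol warns about.
ROLE_CONTAINERS = [
    (ADMIN_ROLE_OID, "ou=admin"),
    (STAFF_ROLE_OID, "ou=staff"),
]

# Same idea for the second approach, where roles induce employeeType values.
EMPLOYEE_TYPE_CONTAINERS = [
    ("Admin", "ou=admin"),
    ("Staff", "ou=staff"),
]


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4).

    The user name becomes part of the DN, so a name such as 'Doe, Jane' must
    not be able to add or alter RDNs.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+\\;<>':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def role_oids(assignments):
    """Collect the target OIDs of a user's assignments.

    Tolerates a missing assignment container (Anton's 'assignment != null'
    check) and assignments without a targetRef, such as direct resource
    (construction) assignments.
    """
    oids = set()
    for assignment in assignments or []:
        target_ref = assignment.get("targetRef") or {}
        if target_ref.get("oid"):
            oids.add(target_ref["oid"])
    return oids


def container_for_roles(assignments):
    """First approach: pick the container from the assigned role OIDs."""
    oids = role_oids(assignments)
    for oid, container in ROLE_CONTAINERS:
        if oid in oids:
            return container
    return DEFAULT_CONTAINER


def container_for_employee_types(employee_types):
    """Second approach: pick the container from the multi-valued employeeType."""
    values = set(employee_types or [])
    for employee_type, container in EMPLOYEE_TYPE_CONTAINERS:
        if employee_type in values:
            return container
    return DEFAULT_CONTAINER


def build_dn(name, assignments):
    """Construct the account DN: cn=<name>,<container>,<suffix>."""
    container = container_for_roles(assignments)
    return "cn=%s,%s,%s" % (escape_rdn_value(name), container, DIRECTORY_SUFFIX)


# Constructed sample users, standing in for the assignment container midPoint
# would hand to the mapping.
SAMPLE_USERS = {
    "jdoe": [{"targetRef": {"oid": STAFF_ROLE_OID, "type": "RoleType"}}],
    "asmith": [
        {"targetRef": {"oid": STAFF_ROLE_OID, "type": "RoleType"}},
        {"targetRef": {"oid": ADMIN_ROLE_OID, "type": "RoleType"}},
    ],
    "Doe, Jane": [
        {"construction": {"resourceRef": {"oid": "resource-oid-placeholder"}}},
        {"targetRef": {"oid": STAFF_ROLE_OID, "type": "RoleType"}},
    ],
    "newhire": None,  # no assignments yet: Anton's null case
}

if __name__ == "__main__":
    for name, assignments in SAMPLE_USERS.items():
        print("%-10s -> %s" % (name, build_dn(name, assignments)))
```

The precedence list is the design point: whether the container is derived from role OIDs (first approach) or from the induced employeeType values (second approach), a user with several qualifying values must map to one container, decided by a fixed order, rather than to one DN per value.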