[midPoint] Construct DN based on role

Pavol Mederly mederly at evolveum.com
Thu Jul 2 13:18:31 CEST 2015


Hello Anton,

> I was already using attribute assignment to employeeType from my HR 
> feed to assign roles
> and didn't want to introduce values that will not be populated from 
> the feed.

I see. Of course, you can use any other attribute (even in extension) to 
do the same.

> I elected a solution based on Pavol's first example below; it seems I 
> was going in the right direction,
> but was missing 2 crucial parts, i.e. getting the target ref and the 
> relativityMode. What does
> "<relativityMode>absolute</relativityMode>" do?

MidPoint uses scripts as value transformers. So, given a list of input 
values (for multivalued items; assignment is among them, as it can - and 
typically does - have more values), it takes the values one by one and 
transforms each of them. This is the default execution mode, called 
"relative". But in our case, this would yield multiple DNs if there 
were more than one relevant assignment. So I chose to use the other 
execution mode, called "absolute", where the script gets all the values 
of a multivalued item at once.

The whole picture is a bit more complex, but for this situation I think 
this is what is relevant.

Here is a description: 
https://wiki.evolveum.com/display/midPoint/Mapping+Relativity. 
Unfortunately, it is missing crucial parts on relative vs. absolute 
evaluation. Until it is fixed, you can get some overview from the source 
code here 
<https://github.com/Evolveum/midpoint/blob/master/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractValueTransformationExpressionEvaluator.java>. 
See evaluateAbsoluteExpression vs. evaluateRelativeExpression.

> The main addition I made to the example was to do a check for 
> assignment != null; it doesn't
> like getting values if there was no assignment.

Yes, you're right.

Best regards,
Pavol


On 2. 7. 2015 12:28, midpoint at mybtinternet.com wrote:
> Thx Pavol and Jason for your helpful examples!
>
> I was already using attribute assignment to employeeType from my HR 
> feed to assign roles
> and didn't want to introduce values that will not be populated from 
> the feed.
>
> I elected a solution based on Pavol's first example below; it seems I 
> was going in the right direction,
> but was missing 2 crucial parts, i.e. getting the target ref and the 
> relativityMode. What does
> "<relativityMode>absolute</relativityMode>" do?
>
> The main addition I made to the example was to do a check for 
> assignment != null; it doesn't
> like getting values if there was no assignment.
>
> Regards,
>   Anton
>
>
>     ----Original message----
>     From : mederly at evolveum.com
>     Date : 26/06/2015 - 18:41 (BST)
>     To : midpoint at lists.evolveum.com
>     Subject : Re: [midPoint] Construct DN based on role
>
>     Hello Anton,
>
>     one of options is to get a list of all the user assignments, and
>     act on it. In a similar way that I wrote Roman today morning, i.e.
>
>         <outbound>
>           <strength>strong</strength>
>           <source>
>              <c:path>assignment</c:path>
>           </source>
>           <source> ....... any other sources, e.g. name, ... </source>
>           <expression>
>              <script>
>                 <relativityMode>absolute</relativityMode>
>                 <code>
>                     isStaff = false
>                     isAdmin = false
>                     ...
>                     log.info('assignment = {}', assignment)   // assignment is a PrismContainer
>                     for (assignmentValue in assignment.getValues()) {
>                       log.info('checking {}', assignmentValue)
>                       targetRef = assignmentValue.asContainerable().getTargetRef()
>                       if (targetRef?.getOid()?.equals("....staff role OID.....")) {
>                          isStaff = true
>                       } else if (targetRef?.getOid()?.equals("....admin role OID.....")) {
>                          isAdmin = true
>                       }
>                       ...
>                     }
>
>                     ... and now construct the DN based on isStaff, isAdmin etc.
>
>                 </code>
>              </script>
>           </expression>
>        </outbound>
>
>     I haven't actually tried it; but it could work.
>
>     Another, and perhaps more elegant, way is to induce some user
>     properties in the roles. E.g. admin role could put value of
>     "Admin" to "employeeType" property. It would look like this:
>
>     <role>
>         <name>admin</name>
>         <displayName>admin</displayName>
>         <inducement>
>             <focusMappings>
>                 <mapping>
>                     <expression>
>                         <value>Admin</value>
>                     </expression>
>                     <target>
>                         <path>employeeType</path>
>                     </target>
>                 </mapping>
>             </focusMappings>
>         </inducement>
>     </role>
>
>     And then you can use employeeType as just another source when
>     constructing the user DN. Beware of situations where there would be
>     more than one employeeType value (e.g. a user would be both admin
>     and, let's say, manager). A naive implementation of the mapping would
>     yield two DNs for the user.
>
>     Maybe someone with more experience in midPoint deployment (Ivan?)
>     would improve these options a bit.
>
>     Best regards,
>     Pavol
>
>     On 26. 6. 2015 19:08, midpoint at mybtinternet.com wrote:
>>     Hi,
>>
>>       I have a role defined with an inducement for an Active
>>     Directory account and am able to successfully
>>       provision a basic account. However, I need the target container
>>     to be variable based on the user's
>>       role; e.g. staff goes to ou=staff,<directory-suffix> and admin
>>     users to ou=admin,<directory-suffix>.
>>
>>       I was hoping to use ad_container in the role's inducement of
>>     the Active Directory account. The
>>       attempted provisioning fails with "Cannot represent container
>>     value without a parent as containerable".
>>
>>       Also tried to find, unsuccessfully, references on how to
>>     programmatically get the user's role/s or
>>       assignments and then construct the DN based on values.
>>
>>       Any suggestions?
>>
>>     Thx,
>>       Anton
>>
>>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
