[midPoint] How to check that user is assigned to selected resource?

Pavol Mederly mederly at evolveum.com
Fri Jun 26 19:26:14 CEST 2015


Hello Roman,

it's a bit more complicated. We distinguish between *assigned* resource 
object and *linked* resource object.

Linked resource objects describe the state "as is". Assigned ones 
describe the state "as should be".
See also https://wiki.evolveum.com/display/midPoint/Assigning+vs+Linking.

Assigned resource object is stored in the <assignment> item, and shown 
in GUI under "Assignments" (along with assigned roles and orgs).
Linked resource object is stored in <linkRef> item, and shown in GUI 
under "Accounts".

From your question I thought you were asking about assigned accounts.
If you would like to refer to linked accounts, you can use something 
like this:

    <mapping>
       <strength>strong</strength>
       <source>
          <c:path>linkRef</c:path>
       </source>
       <expression>
          <value>Here we are</value>
       </expression>
       <target>
          <c:path>description</c:path>
       </target>
       <condition>
          <script>
             <relativityMode>absolute</relativityMode>
             <code>
                 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
                 import com.evolveum.midpoint.schema.SelectorOptions
                 import com.evolveum.midpoint.schema.GetOperationOptions

                 log.info('linkRef = {}', linkRef)          // this is a PrismContainer
                 for (singleLinkRef in linkRef.getValues()) {
                     log.info('checking {}', singleLinkRef)
                     oid = singleLinkRef.oid
                     options = SelectorOptions.createCollection(GetOperationOptions.createNoFetch())
                     try {
                         shadow = midpoint.getObject(ShadowType.class, oid, options)
                     } catch (Exception e) {
                         log.error('got exception: {}', e)
                         shadow = null
                     }
                     resourceOid = shadow?.resourceRef?.oid
                     log.info('resource oid = {}', resourceOid)
                     if (resourceOid?.equals("*.....given resource oid.......*")) {
                         return true
                     }
                 }
                 false
             </code>
          </script>
       </condition>
    </mapping>

Or, you can take inspiration from the MidpointFunctionsImpl.countAccounts 
method.

Hope this helps,
Pavol


> Hi Pavol,
> thanks for your answer.
> I tried many tests about resource assignments, but no success.
> Assignments to resources are saved as ShadowType in user object in link 
> refs, but they have no resource OIDs.
> How to get resource OIDs?
>
> Thanks!
> Regards
> Roman Pudil
>
> On 26.6.2015 at 11:06, Pavol Mederly wrote:
>> Roman,
>>
>> very quickly, because I have to go just now:
>>
>> I would check directly the assignments, like this:
>>
>> (This is a quickly hacked mapping that assigns "Directly under root" 
>> value for all Orgs that have assignment with a given targetRef. For 
>> resources, you have to work with getConstruction().getResourceRef().)
>>
>>    <mapping>
>>       <strength>strong</strength>
>>       <source>
>>          <c:path>assignment</c:path>
>>       </source>
>>       <expression>
>>          <value>Directly under root</value>
>>       </expression>
>>       <target>
>>          <c:path>description</c:path>
>>       </target>
>>       <condition>
>>          <script>
>>             <relativityMode>absolute</relativityMode>
>>             <code>
>>                 log.info('assignment = {}', assignment)          // assignment is a PrismContainer
>>                 for (assignmentValue in assignment.getValues()) {
>>                     log.info('checking {}', assignmentValue)
>>                     targetRef = assignmentValue.asContainerable().getTargetRef()
>>                     if (targetRef?.getOid()?.equals("98f0f92d-d4d3-465e-840e-69ef12724013")) {      // OID is the root OU
>>                         log.info('Yes')
>>                         return true
>>                     }
>>                     log.info('No')
>>                 }
>>                 false
>>             </code>
>>          </script>
>>       </condition>
>>    </mapping>
>>
>> Hope this helps,
>> Pavol
>>
>>> Hi all,
>>> how to check in mapping (in template object) that user is assigned 
>>> to selected resource?
>>> What is the right condition?
>>>
>>> Thanks!
>>> Roman Pudil
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
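
Added example, not part of the original thread and not midPoint code: an offline check over exported objects that separates the "as should be" state (assignment/construction/resourceRef) from the "as is" state (linkRef, resolved through the shadow's resourceRef, because a linkRef carries only the shadow OID). The <objects> wrapper, all OIDs and the function names resource_state and compare are assumptions made for this sample.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}

# Constructed sample export: one user and two shadows (all OIDs are made up).
SAMPLE = """<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <user oid="user-1">
    <name>jack</name>
    <assignment><targetRef oid="role-1" type="RoleType"/></assignment>
    <assignment><construction><resourceRef oid="res-ldap"/></construction></assignment>
    <assignment><construction><resourceRef oid="res-mail"/></construction></assignment>
    <linkRef oid="shadow-1"/>
    <linkRef oid="shadow-2"/>
    <linkRef oid="shadow-gone"/>
  </user>
  <shadow oid="shadow-1"><resourceRef oid="res-ldap"/></shadow>
  <shadow oid="shadow-2"><resourceRef oid="res-hr"/></shadow>
</objects>"""

def resource_state(xml_text, user_oid):
    """Return (assigned, linked, unresolved) sets for one user."""
    root = ET.fromstring(xml_text)
    # A linkRef holds only the shadow OID; the resource OID lives on the shadow.
    shadow_resource = {}
    for shadow in root.findall("c:shadow", NS):
        ref = shadow.find("c:resourceRef", NS)
        if ref is not None:
            shadow_resource[shadow.get("oid")] = ref.get("oid")
    user = next((u for u in root.findall("c:user", NS) if u.get("oid") == user_oid), None)
    if user is None:
        raise KeyError(user_oid)
    assigned = {r.get("oid") for r in user.findall("c:assignment/c:construction/c:resourceRef", NS)}
    linked, unresolved = set(), set()
    for link in user.findall("c:linkRef", NS):
        res = shadow_resource.get(link.get("oid"))
        (linked if res else unresolved).add(res or link.get("oid"))
    return assigned, linked, unresolved

def compare(xml_text, user_oid):
    assigned, linked, unresolved = resource_state(xml_text, user_oid)
    return {
        "assigned_and_linked": sorted(assigned & linked),
        "assigned_not_linked": sorted(assigned - linked),   # should exist, not linked yet
        "linked_not_assigned": sorted(linked - assigned),   # account exists without an assignment
        "unresolved_shadows": sorted(unresolved),           # linkRef whose shadow is not in the export
    }

if __name__ == "__main__":
    print(compare(SAMPLE, "user-1"))
```

Role and org assignments have no construction element, so they never appear in the assigned set.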
