[midPoint] How to create User-User association?
Ivan Noris
ivan.noris at evolveum.com
Mon Nov 2 13:48:47 CET 2015
Hi Roman,
I have done this for another (not AD) directory using midPoint's
organizational structure, fetching the manager and his/her account
attribute(s), i.e. not using entitlements.
It was something like this:
<attribute>
    <ref>ri:manager</ref>
    <tolerant>false</tolerant>
    <outbound>
        <strength>strong</strength>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType
                    import static com.evolveum.midpoint.schema.constants.SchemaConstants.*

                    // get managers
                    tmpManagers = midpoint.getManagersByOrgType(user, 'functional')
                    managerUser = null
                    // XXX We take FIRST manager
                    if (!tmpManagers?.isEmpty()) managerUser = tmpManagers.iterator().next()

                    if (managerUser) {
                        // get shadow for the resource we're interested in (by oid)
                        managerShadow = midpoint.getLinkedShadow(managerUser,
                            'b26554d2-41fc-11e5-a652-3c970e44b9e2', ShadowKindType.ACCOUNT, 'default')
                        if (managerShadow) {
                            // read the manager's DN from the account shadow
                            managerDn = basic.getAttributeValue(managerShadow,
                                'http://midpoint.evolveum.com/xml/ns/public/resource/instance-3', 'dn')
                            return managerDn
                        }
                    }
                    return null
                </code>
            </script>
        </expression>
        <condition>
        . . .
    </outbound>
</attribute>
Does this help a little?
Be advised: as there is no source in the mapping, if the manager of the user
changes in midPoint, you need to recompute.
Regards,
Ivan
On 11/02/2015 01:04 PM, Roman Pudil - AMI Praha a.s. wrote:
> Hi all,
> how to create user-user manager association (like user-entitlements)
> in midPoint resource?
>
> I have Active Directory resource and in user object filled "manager"
> attribute (DN of another user) in AD.
> What is the right way to create user-manager association?
>
> It seems, that user-entitlements association example modified to
> user-manager association does not work.
>
> Here is part of my code - "account" schema handling on Active
> Directory resource:
>
> <association>
> <c:ref>ri:mgr</c:ref>
> <displayName>Manager</displayName>
> <kind>account</kind>
> <intent>uzivatel-ad</intent>
> <direction>subjectToObject</direction>
> <associationAttribute>ri:manager</associationAttribute>
> <valueAttribute>icfs:name</valueAttribute>
> </association>
>
> Thanks!
> Regards
> Roman
>
>
> Roman Pudil
> solution architect
>
> gsm: [+420] 775 663 666
> e-mail: roman.pudil at ami.cz <mailto:roman.pudil at ami.cz>
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper Id(e)M Vix."