[midPoint] Adding org assignment via User Template

Pavol Mederly mederly at evolveum.com
Tue Aug 23 07:40:54 CEST 2016


Hello Brad,

the form of <assignmentTargetSearch> you are using, i.e.

<assignmentTargetSearch>
   <targetType>c:OrgType</targetType>
   <oid>..........</oid>
</assignmentTargetSearch>

doesn't allow variables in the <oid> element. Only a constant value is 
allowed there.

However, it is possible to use the second form of 
<assignmentTargetSearch> that uses a filter - as you used before, and as 
Roman pointed to:

<assignmentTargetSearch>
   <targetType>c:OrgType</targetType>
   <filter>
    ...
   </filter>
</assignmentTargetSearch>

You just have to select a correct filter. The commonly used one 
(<equals>) cannot match an OID, because technically OID is not a 
property of an object. But there is another filter that can be used: 
<inOid>. So it would look like this:

<assignmentTargetSearch>
   <targetType>OrgType</targetType>
   <filter>
     <inOid>
       <expression>
         <script>
           <code>organizationalUnit</code>
         </script>
       </expression>
     </inOid>
   </filter>
</assignmentTargetSearch>

Just a note: I've actually not seen this in a real deployment. I would 
suggest using the other option you indicated: set the org name to an OID, 
and use displayName to contain a human-readable value. The reason is 
that in the current version of midPoint the name must be unique, even 
across the tenants.

Best regards,

Pavol Mederly
Software developer
evolveum.com
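
Added example, not part of the original message and not midPoint's own code: a small Python pre-deployment check that flags the two `<assignmentTargetSearch>` mistakes discussed above, a non-constant value in `<oid>` and an `<equal>` filter aimed at the OID. It assumes OIDs are UUID-shaped like those quoted in the thread; `lint_target_search`, the finding codes and the sample mappings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: OIDs are UUID-shaped, like every OID quoted in this thread.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
NS = ('xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
      'xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" '
      'xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"')

def local(name):
    """Drop '{namespace}' or 'prefix:' so prefixed and bare names compare equal."""
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def lint_target_search(xml_text):
    """Return (code, detail) findings for each <assignmentTargetSearch> in a mapping."""
    findings = []
    for search in ET.fromstring(xml_text).iter():
        if local(search.tag) != "assignmentTargetSearch":
            continue
        for el in search.iter():
            name, text = local(el.tag), (el.text or "").strip()
            if name == "oid" and not UUID_RE.match(text):
                # The literal text is used as the OID; a variable name is never evaluated.
                findings.append(("OID_NOT_CONSTANT", text))
            elif name == "equal":
                paths = [local((p.text or "").strip()) for p in el if local(p.tag) == "path"]
                if "oid" in paths:
                    # The OID is not a property of the object, so <equal> cannot match it.
                    findings.append(("EQUAL_ON_OID", "use inOid"))
    return findings

# Constructed samples modelled on the snippets in this thread.
BROKEN = f"""<mapping {NS}><expression><assignmentTargetSearch>
  <targetType>c:OrgType</targetType>
  <oid>organizationalUnit</oid>
</assignmentTargetSearch></expression></mapping>"""

FIXED = f"""<mapping {NS}><expression><assignmentTargetSearch>
  <targetType>c:OrgType</targetType>
  <filter><inOid><expression><script>
    <code>organizationalUnit</code>
  </script></expression></inOid></filter>
</assignmentTargetSearch></expression></mapping>"""

if __name__ == "__main__":
    print(lint_target_search(BROKEN))  # the form that produced the logged error
    print(lint_target_search(FIXED))   # the inOid form
```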

On 22.08.2016 14:47, Brad Fardig wrote:
>
> Hi Roman,
>
> Thanks again.
>
> I had something like that earlier this afternoon and now I get no 
> assignment at all.  Your response has however made me realise what the 
> error is (just not how to fix it)
>
> Given the following org:
>
> <org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>      oid="d9ca2974-af5f-4ae7-acc4-dd9edc28e692"
>      version="2">
>    <name>users</name>
>    <description>Some Users</description>
>    <parentOrgRef oid="4564b008-e829-420c-bbf7-f2026af3434f" type="c:OrgType"><!-- Some Org --></parentOrgRef>
>    <metadata>
>       <createTimestamp>2016-08-19T10:40:43.425+10:00</createTimestamp>
>       <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</createChannel>
>       <modifyTimestamp>2016-08-19T10:40:43.511+10:00</modifyTimestamp>
>       <modifierRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>                    oid="00000000-0000-0000-0000-000000000002"
>                    type="tns:UserType"><!-- administrator --></modifierRef>
>       <modifyChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</modifyChannel>
>    </metadata>
>    <assignment id="1">
>       <targetRef oid="4564b008-e829-420c-bbf7-f2026af3434f" type="c:OrgType"><!-- Some Org --></targetRef>
>    </assignment>
>    <activation>
>       <administrativeStatus>enabled</administrativeStatus>
>       <effectiveStatus>enabled</effectiveStatus>
>       <enableTimestamp>2016-08-19T10:40:43.478+10:00</enableTimestamp>
>    </activation>
>    <iteration>0</iteration>
>    <iterationToken/>
>    <roleMembershipRef oid="4564b008-e829-420c-bbf7-f2026af3434f" type="c:OrgType"><!-- Some Org --></roleMembershipRef>
>    <displayName>Users</displayName>
>    <orgType>functional</orgType>
>    <tenant>false</tenant>
> </org>
>
> I’m trying to access the OID value: 
> oid="d9ca2974-af5f-4ae7-acc4-dd9edc28e692"
>
> I could use the name value but it is not guaranteed to be unique 
> within an organisation nor across tenants.
>
> Is there any way to access the OID value or should I set the name 
> field to be the OID and set the displayName to the human readable 
> version?  I’d prefer to be able to access the OID field as the other 
> fields are defined as mutable.
>
> Regards,
>
> Brad
>
> *From:*Roman Pudil - AMI Praha a.s. [mailto:roman.pudil at ami.cz]
> *Sent:* Monday, 22 August 2016 9:56 PM
> *To:* Brad Fardig <brad.fardig at cogitogroup.com.au>; midPoint General 
> Discussion <midpoint at lists.evolveum.com>
> *Subject:* Re[2]: [midPoint] Adding org assignment via User Template
>
> Hi Brad,
>
> your solution is wrong.
>
> You have to link the org. unit OID with the group ID synced from AD (or 
> their names, for example).
>
> Test it:
>
>  1. change organizationalUnit attribute of the user to the org. unit
>     name (which exists in midPoint)
>  2. change search filter in mapping to:
>
> <expression>
>     <assignmentTargetSearch>
>         <targetType>c:OrgType</targetType>
>         <filter>
>             <q:equal>
>                 <q:path>c:name</q:path>
>                 <expression>
>                     <script>
>                         <code>
>                             return organizationalUnit;
>                         </code>
>                     </script>
>                 </expression>
>             </q:equal>
>         </filter>
>     </assignmentTargetSearch>
> </expression>
>
> The better solution is to reconcile AD groups to midPoint.
>
> Regards
>
> *Roman Pudil*
> solution architect
>
> gsm: [+420] 775 663 666
> e-mail: roman.pudil at ami.cz
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel./fax: [+420] 274 783 239
> web: www.ami.cz <http://www.ami.cz>
> <http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management>
>
> By the text of this e-mail, the signatory neither promises to conclude nor 
> concludes any contract on behalf of AMI Praha a.s.
> Any contract, if concluded, must be exclusively in written form.
>
> ------ Original message ------
>
> From: "Brad Fardig" <brad.fardig at cogitogroup.com.au>
>
> To: "Roman Pudil - AMI Praha a.s." <roman.pudil at ami.cz>; 
> "midPoint General Discussion" <midpoint at lists.evolveum.com>
>
> Sent: 22.8.2016 13:24:19
>
> Subject: RE: [midPoint] Adding org assignment via User Template
>
>     Hi Roman,
>
>     Sorry forgot to say thank you for the quick response.
>
>     A check of the idm.log  shows that there is an error, which for
>     the example I provided earlier is:
>
>     2016-08-22 20:44:22,704 [] [Thread-24] ERROR
>     (com.evolveum.midpoint.model.impl.lens.AssignmentEvaluator):
>     Object of type 'OrgType' with oid 'organizationalUnit' was not
>     found. in assignment target reference in delta for
>     user:62959f3e-c23d-46a5-9015-60017baf5043(test.user4 at demo.local)
>
>     Regards,
>
>     Brad
>
>     *From:* midPoint [mailto:midpoint-bounces at lists.evolveum.com]
>     *On Behalf Of* Roman Pudil - AMI Praha a.s.
>     *Sent:* Monday, 22 August 2016 8:58 PM
>     *To:* midPoint General Discussion <midpoint at lists.evolveum.com>
>     *Subject:* Re: [midPoint] Adding org assignment via User Template
>
>     Hi Brad,
>
>     include your mapping, org definition and response error message.
>
>     Thanks!
>
>
>     Regards
>
>     *Roman Pudil*
>     solution architect
>
>
>     ------ Original message ------
>
>     From: "Brad Fardig" <brad.fardig at cogitogroup.com.au>
>
>     To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
>
>     Sent: 22.8.2016 12:54:47
>
>     Subject: [midPoint] Adding org assignment via User Template
>
>         Hi,
>
>         I have a user template where I am trying to assign an org
>         based on an oid that is set as part of the user import.
>
>         The assignment mapping looks like:
>
>         <mapping>
>            <name>map organization</name>
>            <strength>strong</strength>
>            <source>
>               <path>$user/organizationalUnit</path>
>            </source>
>            <expression>
>               <assignmentTargetSearch>
>                  <targetType>c:OrgType</targetType>
>                  <oid>Need to put organizationalUnit OID here</oid>
>               </assignmentTargetSearch>
>            </expression>
>            <target>
>               <c:path>assignment</c:path>
>            </target>
>         </mapping>
>
>         Issue is I can’t get the OID value populated in the <oid> tag
>         of the assignmentTargetSearch
>
>         Any help greatly appreciated
>
>         Regards,
>
>         Brad
>
>
>