[midPoint] Adding org assignment via User Template
Brad Fardig
brad.fardig at cogitogroup.com.au
Tue Aug 23 08:25:52 CEST 2016
Hi Pavol,
I went with the filter that Roman pointed to in the end, and we have some mechanisms in place to make sure the org name is unique.
I will give the inOid method a try in my test system when time permits to see how it works.
Thank you, and thanks again Roman.
Regards,
Brad
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Pavol Mederly
Sent: Tuesday, 23 August 2016 3:41 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Adding org assignment via User Template
Hello Brad,
the form of <assignmentTargetSearch> you are using, i.e.
<assignmentTargetSearch>
    <targetType>c:OrgType</targetType>
    <oid>..........</oid>
</assignmentTargetSearch>
doesn't allow variables in the <oid> element. Only a constant value is allowed there.
However, it is possible to use the second form of <assignmentTargetSearch> that uses a filter - as you used before, and as Roman pointed to:
<assignmentTargetSearch>
    <targetType>c:OrgType</targetType>
    <filter>
        ...
    </filter>
</assignmentTargetSearch>
You just have to select a correct filter. The commonly used one (<equals>) cannot match an OID, because technically OID is not a property of an object. But there is another filter that can be used: <inOid>. So it would look like this:
<assignmentTargetSearch>
    <targetType>OrgType</targetType>
    <filter>
        <inOid>
            <expression>
                <script>
                    <code>organizationalUnit</code>
                </script>
            </expression>
        </inOid>
    </filter>
</assignmentTargetSearch>
Just a note: I've actually not seen this in a real deployment. I would suggest using the other option you indicated: set the org name to an OID, and use displayName to contain a human-readable value. The reason is that in the current version of midPoint the name must be unique, even across the tenants.
Best regards,
Pavol Mederly
Software developer
evolveum.com
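A complete user-template mapping that combines Brad's original mapping with the <inOid> filter Pavol describes above; this is an added example, not code from this thread or from the midPoint project. The <condition> element is an assumption added here so that the target search is skipped when organizationalUnit is empty instead of producing an unresolvable assignment target; the q: prefix follows Roman's filter example.

```xml
<mapping xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>map organization</name>
    <strength>strong</strength>
    <source>
        <!-- the user property holding the target org's OID, set during import -->
        <path>$user/organizationalUnit</path>
    </source>
    <!-- assumed guard (not from the thread): evaluate the mapping only when a value is present -->
    <condition>
        <script>
            <code>organizationalUnit != null</code>
        </script>
    </condition>
    <expression>
        <assignmentTargetSearch>
            <targetType>c:OrgType</targetType>
            <filter>
                <!-- inOid matches on the object OID, which <equal> cannot do -->
                <q:inOid>
                    <expression>
                        <script>
                            <code>organizationalUnit</code>
                        </script>
                    </expression>
                </q:inOid>
            </filter>
        </assignmentTargetSearch>
    </expression>
    <target>
        <c:path>assignment</c:path>
    </target>
</mapping>
```

If the org name is set to the OID instead, as Pavol suggests, the <q:equal> filter on c:name from Roman's message replaces the <q:inOid> block unchanged otherwise.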
On 22.08.2016 14:47, Brad Fardig wrote:
Hi Roman,
Thanks again.
I had something like that earlier this afternoon and now I get no assignment at all. Your response has however made me realise what the error is (just not how to fix it).
Given the following org:
<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
     oid="d9ca2974-af5f-4ae7-acc4-dd9edc28e692"
     version="2">
    <name>users</name>
    <description>Some Users</description>
    <parentOrgRef oid="4564b008-e829-420c-bbf7-f2026af3434f" type="c:OrgType"><!-- Some Org --></parentOrgRef>
    <metadata>
        <createTimestamp>2016-08-19T10:40:43.425+10:00</createTimestamp>
        <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
        <createChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</createChannel>
        <modifyTimestamp>2016-08-19T10:40:43.511+10:00</modifyTimestamp>
        <modifierRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                     oid="00000000-0000-0000-0000-000000000002"
                     type="tns:UserType"><!-- administrator --></modifierRef>
        <modifyChannel>http://midpoint.evolveum.com/xml/ns/public/gui/channels-3#user</modifyChannel>
    </metadata>
    <assignment id="1">
        <targetRef oid="4564b008-e829-420c-bbf7-f2026af3434f" type="c:OrgType"><!-- Some Org --></targetRef>
    </assignment>
    <activation>
        <administrativeStatus>enabled</administrativeStatus>
        <effectiveStatus>enabled</effectiveStatus>
        <enableTimestamp>2016-08-19T10:40:43.478+10:00</enableTimestamp>
    </activation>
    <iteration>0</iteration>
    <iterationToken/>
    <roleMembershipRef oid="4564b008-e829-420c-bbf7-f2026af3434f" type="c:OrgType"><!-- Some Org --></roleMembershipRef>
    <displayName>Users</displayName>
    <orgType>functional</orgType>
    <tenant>false</tenant>
</org>
I’m trying to access the OID value: oid="d9ca2974-af5f-4ae7-acc4-dd9edc28e692"
I could use the name value but it is not guaranteed to be unique within an organisation nor across tenants.
Is there any way to access the OID value or should I set the name field to be the OID and set the displayName to the human readable version? I’d prefer to be able to access the OID field as the other fields are defined as mutable.
Regards,
Brad
From: Roman Pudil - AMI Praha a.s. [mailto:roman.pudil at ami.cz]
Sent: Monday, 22 August 2016 9:56 PM
To: Brad Fardig <brad.fardig at cogitogroup.com.au>; midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re[2]: [midPoint] Adding org assignment via User Template
Hi Brad,
your solution is wrong.
You have to link the org. unit OID with the group ID synced from AD (or their names, for example).
Test it:
1. change organizationalUnit attribute of the user to the org. unit name (which exists in midPoint)
2. change search filter in mapping to:
<expression>
    <assignmentTargetSearch>
        <targetType>c:OrgType</targetType>
        <filter>
            <q:equal>
                <q:path>c:name</q:path>
                <expression>
                    <script>
                        <code>
                            return organizationalUnit;
                        </code>
                    </script>
                </expression>
            </q:equal>
        </filter>
    </assignmentTargetSearch>
</expression>
The better solution is to reconcile AD groups to midPoint.
Regards
Roman Pudil
solution architect
gsm: [+420] 775 663 666
e-mail: roman.pudil at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel./fax: [+420] 274 783 239
web: www.ami.cz
By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s.
Any contract, if concluded, must be exclusively in written form.
------ Original message ------
From: "Brad Fardig" <brad.fardig at cogitogroup.com.au>
To: "Roman Pudil - AMI Praha a.s." <roman.pudil at ami.cz>; "midPoint General Discussion" <midpoint at lists.evolveum.com>
Sent: 22.8.2016 13:24:19
Subject: RE: [midPoint] Adding org assignment via User Template
Hi Roman,
Sorry, I forgot to say thank you for the quick response.
A check of the idm.log shows that there is an error, which for the example I provided earlier is:
2016-08-22 20:44:22,704 [] [Thread-24] ERROR (com.evolveum.midpoint.model.impl.lens.AssignmentEvaluator): Object of type 'OrgType' with oid 'organizationalUnit' was not found. in assignment target reference in delta for user:62959f3e-c23d-46a5-9015-60017baf5043(test.user4 at demo.local)
Regards,
Brad
From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Roman Pudil - AMI Praha a.s.
Sent: Monday, 22 August 2016 8:58 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Adding org assignment via User Template
Hi Brad,
include your mapping, org definition and response error message.
Thanks!
Regards
Roman Pudil
------ Original message ------
From: "Brad Fardig" <brad.fardig at cogitogroup.com.au>
To: "midpoint at lists.evolveum.com" <midpoint at lists.evolveum.com>
Sent: 22.8.2016 12:54:47
Subject: [midPoint] Adding org assignment via User Template
Hi,
I have a user template where I am trying to assign an org based on an oid that is set as part of the user import.
The assignment mapping looks like:
<mapping>
    <name>map organization</name>
    <strength>strong</strength>
    <source>
        <path>$user/organizationalUnit</path>
    </source>
    <expression>
        <assignmentTargetSearch>
            <targetType>c:OrgType</targetType>
            <oid>Need to put organizationalUnit OID here</oid>
        </assignmentTargetSearch>
    </expression>
    <target>
        <c:path>assignment</c:path>
    </target>
</mapping>
The issue is that I can’t get the OID value populated in the <oid> tag of the assignmentTargetSearch.
Any help greatly appreciated.
Regards,
Brad
This email, and any attachment, is confidential and also privileged. If you have received it in error, please notify me immediately and delete it from your system along with any attachments. You should not copy or use it for any purpose, nor disclose its contents to any other person.
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
http://lists.evolveum.com/mailman/listinfo/midpoint