[midPoint] Assigning role to user when receiving a resource

Thu Dec 1 20:07:01 CET 2016

You are right Ivan, I should see the association from the projection not
the user's assignments. We can go on with the first example which is
already working !

Thanks for your help !

Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Wed, Nov 30, 2016 at 4:49 AM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi Nicholas,
>
> Show all assignments is computing just assignments, both direct and
> indirect. It will show you all assigned:
>
> a) roles (assigned directly or indirectly)
>
> b) organizations
>
> c) projections from inducements - name of resource, kind and intent
>
> It will not show associations there.
>
> If you want to see the "groups" of any account managed by midPoint, open
> that user in midPoint, then Projections, expand the account and see section
> "associations".
>
> I have just checked my user with assigned organization, which as assigned
> metarole and I can see the indirectly referenced resource account which is
> provided by the metarole order=2 inducement.
>
> Regards,
>
> Ivan
>
> On 11/29/2016 11:30 PM, Nicolas Rossi wrote:
>
> Hi Ivan. With the alternative #1 I can see the entitlement provisioned on
> the resource but I cannot see it under the midpoint GUI on the user panel
> -> assignments -> cog icon -> show all assignment. Regards
>
> El El mar, 29 de nov. de 2016 a las 18:26, Ivan Noris <
> ivan.noris at evolveum.com> escribió:
>
>> Hi Nicolas,
>>
>> I have tried to find some time at the evenings, to look for a problem.
>>
>> The first alternative - ScriptedSQL-Grupo1.xml looks pretty much same as
>> my roles in one of my projects. If I understand correctly, you've stated
>> that "It works fine (entitlement is provisioned) but we cannot see this
>> assignment on the GUI." What do you mean by "seeing" it? You should see
>> that user has this association (Grupo 1) in Projections/the scriptedsql
>> account/associations part. And of course in Assignments you should see the
>> "ScriptedSQL-Grupo 1" role assigned.
>>
>> If you cannot see the "associations" part in GUI with "Grupo 1" value,
>> can you ensure that the value is really there manually in the target system
>> and read that user again using midPoint? But as you stated that this
>> alternative "works (entitlement is provisioned)", I'm confused.
>>
>> What surprised me is the name of the association attribute
>> "<ref>ri:GroupObjectClass</ref>" used in inducements. Do you have the
>> same name configured in the resource object in:
>>
>> <association>
>>
>>   <ref>ri:GroupObjectClass</ref>
>>
>> ...
>>
>> </association> ? If yes, it's just the name which confuses me.
>>
>> The alternative ScriptedSQL-Grupo 3 using ScriptedSQL-MetaRole looks also
>> OK to me. I'm trying to find similar example, but so far I don't remember
>> any usage of association using associationFromLink with another association
>> in my projects.
>> Also ScriptedSQL-Metarole-3.xml looks fine.
>> Are you testing the setup on new users and assigning roles, or you
>> already have the (former) roles assigned and after that you change the role
>> definitions? (In the latter case I assume you did also recompute of that
>> user to apply the changed role definitions.)
>>
>> Anyway, the assignment of ScriptedSQL-Grupo 1 (no metarole) should work
>> and be displayed in Assignments (as role) and in Projections as association
>> (Grupo 1).
>>
>> I hope some of my coleagues will also have a good hint, for now I'm out
>> of ideas but I will try to find some new.
>>
>> Best regards,
>> Ivan
>>
>>
>> On 11/29/2016 01:06 PM, Nicolas Rossi wrote:
>>
>> HI Ivan, have you seen something wrong with these configurations ?
>>
>> Best regards
>>
>>
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Fri, Nov 25, 2016 at 12:56 PM, Nicolas Rossi <nrossi at identicum.com>
>> wrote:
>>
>> Hi Ivan, here are the XMLs:
>>
>>    - ScriptedSQL-Grupo1.xml: A role with an association to an entitlement
>>    - ScriptedSQL-Grupo3.xml: A role with an assignment to a MetaRole
>>    - ScriptedSQL-MetaRole-1.xml: First alternative with another
>>    assignment
>>    - ScriptedSQL-MetaRole-2.xml: Second alternative with an inducement
>>    to Group 3
>>    - ScriptedSQL-MetaRole-3.xml: Second alternative with an inducement
>>    to Group 1
>>
>> Thanks in advance !
>>
>> Best regards
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Thu, Nov 24, 2016 at 6:20 PM, Ivan Noris <ivan.noris at evolveum.com>
>> wrote:
>>
>> Hi Nicolas,
>>
>> can you paste the (three) attempts how the MetaRole looks, anonymized if
>> necessary? Maybe I will have an idea by looking at it.
>>
>> Regards,
>>
>> Ivan
>>
>> On 11/24/2016 09:52 PM, Nicolas Rossi wrote:
>>
>> Hi guys. We are still working on this issue. We have tried 3 alternatives
>> to achieve it. All of them working on the resource MetaRole:
>>
>> 1) Add a new association on the existing inducement constructor directly
>> to the entitlement on the resource. It works fine (entitlement is
>> provisioned) but we cannot see this assignment on the GUI.
>>
>> 2) Add an inducement to an existing role which has an assignment to the
>> resource MetaRole. I can see the assignment on the GUI but the entitlement
>> is not provisioned to the resource.
>>
>> 3) Add an inducement to an existing role which has an inducement with
>> association to the entitlement on the resource. I can see the assignment
>> on the GUI but the entitlement is not provisioned to the resource.
>>
>> Is there any other possible configuration ?
>>
>> Best regards,
>> 
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> www.identicum.com
>>
>> On Mon, Nov 21, 2016 at 5:56 PM, Ana Pereyra <apereyra at identicum.com>
>> wrote:
>>
>> Hi everyone,
>>
>> We are having the following issue:
>>
>> We need to assign the role B to users after being created in resource A,
>> automatically.
>>
>> We are using a scripted sql driver, and a meta role for creating users
>> and groups in the database; and role B is a group in resource A.
>>
>> We have been trying to assign indirectly role B to users using the meta
>> role, with no luck. Any ideas on how to approach this?
>>
>> Thanks in advance.
>> Regards
>>
>> --
>> *Ana Pereyra*
>>  Identicum S.A.
>>
>> *Jorge Newbery 3226, Argentina Tel: +54 (11) **4552.3050*
>> *apereyra at identicum.com <apereyra at identicum.com>*
>> www.identicum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________ midPoint mailing list
>> midPoint at lists.evolveum.com http://lists.evolveum.com/
>> mailman/listinfo/midpoint
>>
>> _______________________________________________
>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineerevolveum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineerevolveum.com
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161201/e9810609/attachment.htm>