[midPoint] Assigning role to user when receiving a resource
Ivan Noris
ivan.noris at evolveum.com
Fri Dec 2 12:47:19 CET 2016
Great!
Ivan
On 12/01/2016 08:07 PM, Nicolas Rossi wrote:
> You are right Ivan, I should see the association from the projection
> not the user's assignments. We can go on with the first example which
> is already working !
>
> Thanks for your help !
>
>
>
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com <http://www.identicum.com>
>
> On Wed, Nov 30, 2016 at 4:49 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
> Hi Nicolas,
>
> Show all assignments is computing just assignments, both direct
> and indirect. It will show you all assigned:
>
> a) roles (assigned directly or indirectly)
>
> b) organizations
>
> c) projections from inducements - name of resource, kind and intent
>
> It will not show associations there.
>
> If you want to see the "groups" of any account managed by
> midPoint, open that user in midPoint, then Projections, expand the
> account and see section "associations".
>
> I have just checked my user with assigned organization, which has
> assigned metarole and I can see the indirectly referenced resource
> account which is provided by the metarole order=2 inducement.
>
> Regards,
>
> Ivan
>
>
> On 11/29/2016 11:30 PM, Nicolas Rossi wrote:
>> Hi Ivan. With the alternative #1 I can see the entitlement
>> provisioned on the resource but I cannot see it under the
>> midpoint GUI on the user panel -> assignments -> cog icon -> show
>> all assignment. Regards
>>
>> On Tue, Nov 29, 2016 at 18:26, Ivan Noris
>> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>> wrote:
>>
>> Hi Nicolas,
>>
>> I have tried to find some time in the evenings to look for a
>> problem.
>>
>> The first alternative - ScriptedSQL-Grupo1.xml looks pretty
>> much the same as my roles in one of my projects. If I understand
>> correctly, you've stated that "It works fine (entitlement is
>> provisioned) but we cannot see this assignment on the GUI."
>> What do you mean by "seeing" it? You should see that user has
>> this association (Grupo 1) in Projections/the scriptedsql
>> account/associations part. And of course in Assignments you
>> should see the "ScriptedSQL-Grupo 1" role assigned.
>>
>> If you cannot see the "associations" part in GUI with "Grupo
>> 1" value, can you ensure that the value is really there
>> manually in the target system and read that user again using
>> midPoint? But as you stated that this alternative "works
>> (entitlement is provisioned)", I'm confused.
>>
>> What surprised me is the name of the association attribute
>> "<ref>ri:GroupObjectClass</ref>" used in inducements. Do you
>> have the same name configured in the resource object in:
>>
>> <association>
>>
>> <ref>ri:GroupObjectClass</ref>
>>
>> ...
>>
>> </association> ? If yes, it's just the name which confuses me.
>>
>> The alternative ScriptedSQL-Grupo 3 using
>> ScriptedSQL-MetaRole looks also OK to me. I'm trying to find
>> a similar example, but so far I don't remember any usage of
>> association using associationFromLink with another
>> association in my projects.
>>
>> Also ScriptedSQL-Metarole-3.xml looks fine.
>> Are you testing the setup on new users and assigning roles,
>> or do you already have the (former) roles assigned and after
>> that you change the role definitions? (In the latter case I
>> assume you also did a recompute of that user to apply the
>> changed role definitions.)
>>
>> Anyway, the assignment of ScriptedSQL-Grupo 1 (no metarole)
>> should work and be displayed in Assignments (as role) and in
>> Projections as association (Grupo 1).
>>
>> I hope some of my colleagues will also have a good hint, for
>> now I'm out of ideas but I will try to find some new.
>>
>> Best regards,
>> Ivan
>>
>>
>> On 11/29/2016 01:06 PM, Nicolas Rossi wrote:
>>> Hi Ivan, have you seen something wrong with these
>>> configurations ?
>>>
>>> Best regards
>>>
>>> On Fri, Nov 25, 2016 at 12:56 PM, Nicolas Rossi
>>> <nrossi at identicum.com <mailto:nrossi at identicum.com>> wrote:
>>>
>>> Hi Ivan, here are the XMLs:
>>>
>>> * ScriptedSQL-Grupo1.xml: A role with an association
>>> to an entitlement
>>> * ScriptedSQL-Grupo3.xml: A role with an assignment to
>>> a MetaRole
>>> * ScriptedSQL-MetaRole-1.xml: First alternative with
>>> another assignment
>>> * ScriptedSQL-MetaRole-2.xml: Second alternative with
>>> an inducement to Group 3
>>> * ScriptedSQL-MetaRole-3.xml: Second alternative with
>>> an inducement to Group 1
>>>
>>> Thanks in advance !
>>>
>>> Best regards
>>>
>>>
>>> On Thu, Nov 24, 2016 at 6:20 PM, Ivan Noris
>>> <ivan.noris at evolveum.com
>>> <mailto:ivan.noris at evolveum.com>> wrote:
>>>
>>> Hi Nicolas,
>>>
>>> can you paste the (three) attempts how the MetaRole
>>> looks, anonymized if necessary? Maybe I will have an
>>> idea by looking at it.
>>>
>>> Regards,
>>>
>>> Ivan
>>>
>>>
>>> On 11/24/2016 09:52 PM, Nicolas Rossi wrote:
>>>> Hi guys. We are still working on this issue. We
>>>> have tried 3 alternatives to achieve it. All of
>>>> them working on the resource MetaRole:
>>>>
>>>> 1) Add a new association on the existing inducement
>>>> constructor directly to the entitlement on the
>>>> resource. It works fine (entitlement is
>>>> provisioned) but we cannot see this assignment on
>>>> the GUI.
>>>>
>>>> 2) Add an inducement to an existing role which has
>>>> an assignment to the resource MetaRole. I can see
>>>> the assignment on the GUI but the entitlement is
>>>> not provisioned to the resource.
>>>>
>>>> 3) Add an inducement to an existing role which has
>>>> an inducement with association to the entitlement
>>>> on the resource. I can see the assignment on the
>>>> GUI but the entitlement is not provisioned to the
>>>> resource.
>>>>
>>>> Is there any other possible configuration ?
>>>>
>>>> Best regards,
>>>>
>>>>
>>>> On Mon, Nov 21, 2016 at 5:56 PM, Ana Pereyra
>>>> <apereyra at identicum.com
>>>> <mailto:apereyra at identicum.com>> wrote:
>>>>
>>>> Hi everyone,
>>>>
>>>> We are having the following issue:
>>>>
>>>> We need to assign the role B to users after
>>>> being created in resource A, automatically.
>>>>
>>>> We are using a scripted sql driver, and a meta
>>>> role for creating users and groups in the
>>>> database; and role B is a group in resource A.
>>>>
>>>> We have been trying to assign indirectly role B
>>>> to users using the meta role, with no luck. Any
>>>> ideas on how to approach this?
>>>>
>>>> Thanks in advance.
>>>> Regards
>>>>
>>>> --
>>>> *Ana Pereyra*
>>>> Identicum S.A.
>>>> /Jorge Newbery 3226, Argentina
>>>> Tel: +54 (11) //4552.3050/
>>>> /apereyra at identicum.com
>>>> <mailto:apereyra at identicum.com>/
>>>> www.identicum.com <http://www.identicum.com/>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>> <http://lists.evolveum.com/mailman/listinfo/midpoint>
--
Ivan Noris
Senior Identity Engineer
evolveum.com