[midPoint] Inducement Inheritance not Working
Martin Lízner - AMI Praha a.s.
martin.lizner at ami.cz
Sat Dec 31 10:22:36 CET 2016
Hi, this is indeed very nice and advanced business logic.
I would suggest you try dropping the meta role completely and use the
organization to induce the logic. If you need a higher level of abstraction,
you can imagine orgs (e.g. root) as meta roles and put the logic there.
Something like (but I'm not sure how focusAssignment will behave):
*Org XML:*
<org>
    <name>MEGC</name>
    ...
    <inducement id="4">
        <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"></targetRef>
        <focusType>UserType</focusType>
        <condition>
            <source>
                <c:path>$focusAssignment/extension/metaRelation</c:path>
            </source>
            <expression>
                <script>
                    <code>metaRelation == 'TEACHER'</code>
                </script>
            </expression>
        </condition>
    </inducement>
    ...
</org>
Regards, M.
Martin Lízner
solution architect
gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
By the text of this e-mail, the signatory neither promises to conclude nor
concludes any contract on behalf of AMI Praha a.s. Any contract, if
concluded, must be exclusively in written form.
2016-12-29 19:25 GMT+01:00 Martin Marchese <mmarchese at identicum.com>:
> Hi All,
>
> We have a role model designed as follows:
>
> Users are assigned to an Org (the AssignmentType is extended with a
> metaRelation attribute). This Org has a Meta Role assigned.
>
> Based on the value of the metaRelation attribute (STUDENT or TEACHER) the
> Meta Role induces a Role (order 2 inducement) to the user.
>
> These induced roles have their own inducements, to resources (OpenLDAP,
> google apps, office 365, etc).
>
> Once a user is assigned to an Org, it receives the indirect assignment
> based on the metaRelation attribute value. However, it's not receiving the
> resource inducements, hence, the accounts are not being created in the
> resources.
>
> Any idea if this is normal behavior or if we are missing something?
>
> Below are examples of what our objects look like.
>
> *Org XML:*
>
> <org>
>     <name>MEGC</name>
>     ...
>     <assignment id="1">
>         <targetRef oid="00000000-0000-1de4-0004-000000000099" type="c:RoleType"></targetRef>
>     </assignment>
>     ...
> </org>
>
> *Meta Role XML:*
>
> <role>
>     <name>META_ROLE</name>
>     ...
>     <inducement id="4">
>         <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"></targetRef>
>         <order>2</order>
>         <focusType>UserType</focusType>
>         <condition>
>             <source>
>                 <c:path>$focusAssignment/extension/metaRelation</c:path>
>             </source>
>             <expression>
>                 <script>
>                     <code>metaRelation == 'TEACHER'</code>
>                 </script>
>             </expression>
>         </condition>
>     </inducement>
>     ...
> </role>
>
> *Induced Role:*
>
> <role>
>     <name>TEACHER</name>
>     ...
>     <inducement id="1">
>         <construction>
>             <resourceRef oid="00000000-0000-1de4-0002-000000000002" type="c:ResourceType"></resourceRef>
>             <kind>account</kind>
>         </construction>
>     </inducement>
>     ...
> </role>
>
> Thanks in Advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com
> www.identicum.com
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
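An added example, not part of the original thread and not Evolveum's code: a small review helper that lists every inducement in a set of midPoint object definitions with its order, target and condition, so higher-order and conditional grants like the ones discussed above stand out when auditing a role model. The `<objects>` wrapper, the namespace declarations, and the names `list_inducements`, `q` and the flag labels are assumptions made for this sketch; the sample is constructed from the XML quoted in the thread with the elided parts left out.

```python
import xml.etree.ElementTree as ET

NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"

# Constructed sample: the thread's META_ROLE and TEACHER roles ("..." parts
# omitted), wrapped in an assumed <objects> element so they parse as one file.
SAMPLE = f"""<objects xmlns="{NS}" xmlns:c="{NS}">
  <role><name>META_ROLE</name>
    <inducement id="4">
      <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"/>
      <order>2</order><focusType>UserType</focusType>
      <condition>
        <source><c:path>$focusAssignment/extension/metaRelation</c:path></source>
        <expression><script><code>metaRelation == 'TEACHER'</code></script></expression>
      </condition>
    </inducement></role>
  <role><name>TEACHER</name>
    <inducement id="1">
      <construction>
        <resourceRef oid="00000000-0000-1de4-0002-000000000002" type="c:ResourceType"/>
        <kind>account</kind>
      </construction>
    </inducement></role>
</objects>"""

def q(name):
    """Qualify an element name with the midPoint common-3 namespace."""
    return f"{{{NS}}}{name}"

def list_inducements(xml_text):
    """Return one dict per inducement: owner, id, order, target, resource, flags."""
    rows = []
    for obj in ET.fromstring(xml_text):
        for ind in obj.findall(q("inducement")):
            target = ind.find(q("targetRef"))
            resource = ind.find(f"{q('construction')}/{q('resourceRef')}")
            code = ind.findtext(f".//{q('code')}")       # condition script, if any
            order = int(ind.findtext(q("order"), "1"))   # order defaults to 1
            checks = (("higher-order", order > 1), ("conditional", code is not None),
                      ("provisions-account", resource is not None))
            rows.append({
                "owner": obj.findtext(q("name")), "id": ind.get("id"), "order": order,
                "target": target.get("oid") if target is not None else None,
                "resource": resource.get("oid") if resource is not None else None,
                "condition": code, "flags": [label for label, hit in checks if hit],
            })
    return rows

if __name__ == "__main__":
    for row in list_inducements(SAMPLE):
        print(row)
```
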