[midPoint] Condition for inducement in Metarole

Мамаева Сауле Сериковна s.mamayeva at ktg.kz
Fri Jul 1 07:46:21 CEST 2016


Hello, Pavol!
Thanks for the code. It also works for me.



Best regards,
Saule

From: midPoint [mailto:midpoint-bounces at lists.evolveum.com] On Behalf Of Pavol Mederly
Sent: Friday, July 01, 2016 12:05 AM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Condition for inducement in Metarole


Saule,

one correction:

focus?.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null

...in order to work also when adding users. In such cases the 'focus' variable is null for the 'original state' evaluation.

Pavol

On 30.06.2016 17:44, Pavol Mederly wrote:

Hello Saule,

sorry for the late answer.

Yes, it is possible to add a condition for an inducement. This works for me:

   <inducement id="2">
      <construction>
         <resourceRef oid="b94c683d-517c-4c3e-a307-7c2bbe14453e" type="c:ResourceType"><!-- LDAP --></resourceRef>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
      <condition>
         <expression>
            <script>
               <code>
                  focus.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null
                </code>
            </script>
         </expression>
      </condition>
   </inducement>
Note that d13681fb-88df-472a-a7fe-d869a1ea4c37 is the OID of the AD user role.

When having this condition, it seems to work:

  1.  if adding a user into an org, the account is not automatically created on the resource
  2.  after assigning the AD user role to the user, an account is created and becomes a member of the AD group
  3.  after unassigning the AD user role from the user, the account is deleted

Hope this helps,

Pavol

On 16.06.2016 12:26, Мамаева Сауле Сериковна wrote:
Hello,
I have a meta role for groups that is assigned to an organization when the organization is created by an org template. This role creates groups in Active Directory (AD) with members associated with this created midPoint organization. But I want this role to create only the groups in AD, and the members of these groups should appear in AD only after another role (the AD user role) is assigned to the users. I have another role, the AD user role, that is assigned to the user manually and by approval of an administrator, and this role creates the user's account in AD.
How and where can I add such a condition? Is it possible to add a condition for an inducement?
This is xml of meta role for groups:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="11111111-2222-3333-4444-200000000055"
      version="8">
   <name>Metarole for groups</name>
   <metadata>
      <createTimestamp>2016-06-06T12:47:04.200+06:00</createTimestamp>
      <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
      <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
   </metadata>
   <inducement id="1">
      <construction>
         <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_Saule --></resourceRef>
         <kind>entitlement</kind>
         <intent>group</intent>
      </construction>
   </inducement>
   <inducement id="2">
      <construction>
         <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_ Saule --></resourceRef>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>ri:group</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>group</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
   </inducement>
</role>

Best regards,
Saule





_______________________________________________

midPoint mailing list

midPoint at lists.evolveum.com

http://lists.evolveum.com/mailman/listinfo/midpoint

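To make the old-state / new-state behaviour Pavol describes concrete, here is an added Python model of the condition and of the provisioning effect of its transitions. It is not midPoint's code and not from anyone in the thread; the dict shape of the focus, the organization and resource OIDs, and the effect labels are constructed assumptions.

```python
# Added model (not midPoint code) of the inducement condition from this thread, evaluated
# for the "old" and "new" focus (user) state. Dict shape mirrors focus.assignment[*].targetRef.oid.
AD_USER_ROLE_OID = "d13681fb-88df-472a-a7fe-d869a1ea4c37"  # OID quoted in the thread

def condition_original(focus, role_oid=AD_USER_ROLE_OID):
    """First version: focus.assignment.find { ... } != null.
    Breaks when focus is None, the 'original state' of a user being added."""
    return any((a.get("targetRef") or {}).get("oid") == role_oid
               for a in focus["assignment"])  # TypeError when focus is None

def condition_corrected(focus, role_oid=AD_USER_ROLE_OID):
    """Corrected version: focus?.assignment.find { ... } != null. Null-safe navigation
    makes a missing focus false; targetRef?.oid tolerates assignments without targetRef."""
    if focus is None:
        return False
    return any((a.get("targetRef") or {}).get("oid") == role_oid
               for a in focus.get("assignment", []))

def provisioning_effect(old_focus, new_focus, condition=condition_corrected):
    """Simplified model of what a condition transition means for the inducement's
    construction (AD account plus the ri:group association). Labels are constructed."""
    before, after = condition(old_focus), condition(new_focus)
    if not before and after:
        return "add account and group membership"
    if before and not after:
        return "delete account"
    return "no change"

def original_condition_fails_on_new_user():
    """Why the null-safe operator was needed: the first version raises for a new user."""
    try:
        condition_original(None)
    except TypeError:
        return True
    return False

# Constructed sample states; the org and resource OIDs are placeholders, not from the thread.
USER_IN_ORG = {"assignment": [
    {"targetRef": {"oid": "ORG-OID-PLACEHOLDER"}},
    {"construction": {"resourceRef": {"oid": "RESOURCE-OID-PLACEHOLDER"}}},  # no targetRef
]}
USER_WITH_AD_ROLE = {"assignment": USER_IN_ORG["assignment"]
                     + [{"targetRef": {"oid": AD_USER_ROLE_OID}}]}

def scenario_walkthrough():
    """Effect of each step Pavol lists: add user to org, assign AD user role, unassign it."""
    return [provisioning_effect(None, USER_IN_ORG),               # 1. new user in org
            provisioning_effect(USER_IN_ORG, USER_WITH_AD_ROLE),  # 2. role assigned
            provisioning_effect(USER_WITH_AD_ROLE, USER_IN_ORG)]  # 3. role unassigned
```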
