[midPoint] Condition for inducement in Metarole
Pavol Mederly
mederly at evolveum.com
Thu Jun 30 17:44:45 CEST 2016
Hello Saule,
sorry for the late answer.
Yes, it is possible to add a condition for an inducement. This works for me:
<inducement id="2">
    <construction>
        <resourceRef oid="b94c683d-517c-4c3e-a307-7c2bbe14453e" type="c:ResourceType"><!-- LDAP --></resourceRef>
        <kind>account</kind>
        <intent>default</intent>
        <association>
            <c:ref>ri:group</c:ref>
            <outbound>
                <expression>
                    <associationFromLink>
                        <projectionDiscriminator>
                            <kind>entitlement</kind>
                            <intent>group</intent>
                        </projectionDiscriminator>
                    </associationFromLink>
                </expression>
            </outbound>
        </association>
    </construction>
    <order>2</order>
    <condition>
        <expression>
            <script>
                <code>
                    focus.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null
                </code>
            </script>
        </expression>
    </condition>
</inducement>
Note that *d13681fb-88df-472a-a7fe-d869a1ea4c37* is an OID of *AD user
role*.
When having this condition, it seems to work:
1. if adding a user into an org, the account is not automatically
created on a resource
2. after assigning AD user role to the user, an account is created, and
becomes a member of the AD group
3. after unassigning AD user role from the user, account is deleted
Hope this helps,
Pavol
On 16.06.2016 12:26, Мамаева Сауле Сериковна wrote:
>
> Hello,
>
> I have a meta role for groups that is assigned to an organization when
> creating the organization by org template. This role creates groups with
> members associated with this created midPoint organization in Active
> Directory (AD). But I want to create only groups in AD by this role, and
> members of these groups should appear in AD only after assigning
> another role (AD user role) to users. I have another role, AD user
> role, that is assigned to the user manually and by approval of an
> administrator, and this role creates the account of the user in AD.
>
> How and where can I add such a condition? Is it possible to add a
> condition for an inducement?
>
> This is the XML of the meta role for groups:
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       oid="11111111-2222-3333-4444-200000000055"
>       version="8">
>     <name>Metarole for groups</name>
>     <metadata>
>         <createTimestamp>2016-06-06T12:47:04.200+06:00</createTimestamp>
>         <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
>         <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
>     </metadata>
>     <inducement id="1">
>         <construction>
>             <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_Saule --></resourceRef>
>             <kind>entitlement</kind>
>             <intent>group</intent>
>         </construction>
>     </inducement>
>     <inducement id="2">
>         <construction>
>             <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_ Saule --></resourceRef>
>             <kind>account</kind>
>             <intent>default</intent>
>             <association>
>                 <c:ref>ri:group</c:ref>
>                 <outbound>
>                     <expression>
>                         <associationFromLink>
>                             <projectionDiscriminator>
>                                 <kind>entitlement</kind>
>                                 <intent>group</intent>
>                             </projectionDiscriminator>
>                         </associationFromLink>
>                     </expression>
>                 </outbound>
>             </association>
>         </construction>
>         <order>2</order>
>     </inducement>
> </role>
>
> Best regards,
>
> Saule
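
An added example, not part of the original thread and not Evolveum's code: a small Python check over a role's XML that lists each inducement and flags account constructions of order 2 or higher that carry no condition, which is the state the question starts from. The sample role and its resource OID are constructed; the role OID in the condition is the one from the reply, and a missing <order> is assumed to mean 1.

```python
import re
import xml.etree.ElementTree as ET

NS = {"c": "http://midpoint.evolveum.com/xml/ns/public/common/common-3"}
# Matches the OID comparison used in the condition script from the reply.
OID_IN_CONDITION = re.compile(r"targetRef\??\.oid\s*==\s*'([0-9a-fA-F-]{36})'")

# Constructed sample: inducement 2 is the unconditioned form from the question,
# inducement 3 carries the condition from the reply. Resource OID is a placeholder.
SAMPLE_ROLE = """
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>Metarole for groups (constructed sample)</name>
  <inducement id="1"><construction>
    <resourceRef oid="00000000-0000-0000-0000-00000000aaaa"/>
    <kind>entitlement</kind><intent>group</intent>
  </construction></inducement>
  <inducement id="2"><construction>
    <resourceRef oid="00000000-0000-0000-0000-00000000aaaa"/>
    <kind>account</kind><intent>default</intent>
  </construction><order>2</order></inducement>
  <inducement id="3"><construction>
    <resourceRef oid="00000000-0000-0000-0000-00000000aaaa"/>
    <kind>account</kind><intent>default</intent>
  </construction><order>2</order>
  <condition><expression><script><code>
    focus.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null
  </code></script></expression></condition></inducement>
</role>
"""

def audit_inducements(role_xml):
    """Summarise each inducement and flag ungated order>=2 account constructions."""
    findings = []
    for ind in ET.fromstring(role_xml).findall("c:inducement", NS):
        kind = ind.findtext("c:construction/c:kind", namespaces=NS)
        order = int(ind.findtext("c:order", default="1", namespaces=NS))  # assumed default: 1
        code = ind.findtext("c:condition/c:expression/c:script/c:code", default="", namespaces=NS)
        findings.append({
            "id": ind.get("id"), "kind": kind, "order": order,
            "gated_by": OID_IN_CONDITION.findall(code),  # role OIDs the condition tests for
            # Ungated: members of every org holding the metarole get an account.
            "ungated_account": kind == "account" and order >= 2 and not code.strip(),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_inducements(SAMPLE_ROLE):
        print(finding)
```

Only inducement 2 is flagged; inducement 3 is reported as gated by the AD user role OID.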