[midPoint] Condition for inducement in Metarole

Pavol Mederly mederly at evolveum.com
Thu Jun 30 20:04:30 CEST 2016


Saule,

one correction:

focus?.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null

...in order to work also when adding users. In such cases the 'focus' 
variable is null for the 'original state' evaluation.

Pavol


On 30.06.2016 17:44, Pavol Mederly wrote:
>
> Hello Saule,
>
> sorry for the late answer.
>
> Yes, it is possible to add a condition for an inducement. This works 
> for me:
>
>    <inducement id="2">
>       <construction>
>          <resourceRef oid="b94c683d-517c-4c3e-a307-7c2bbe14453e" type="c:ResourceType"><!-- LDAP --></resourceRef>
>          <kind>account</kind>
>          <intent>default</intent>
>          <association>
>             <c:ref>ri:group</c:ref>
>             <outbound>
>                <expression>
>                   <associationFromLink>
>                      <projectionDiscriminator>
>                         <kind>entitlement</kind>
>                         <intent>group</intent>
>                      </projectionDiscriminator>
>                   </associationFromLink>
>                </expression>
>             </outbound>
>          </association>
>       </construction>
>       <order>2</order>
>       <condition>
>          <expression>
>             <script>
>                <code>
>                   focus.assignment.find { it.targetRef?.oid == 'd13681fb-88df-472a-a7fe-d869a1ea4c37' } != null
>                </code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
>
> Note that *d13681fb-88df-472a-a7fe-d869a1ea4c37* is an OID of *AD user 
> role*.
>
> When having this condition, it seems to work:
>
>  1. if adding a user into an org, the account is not automatically
>     created on the resource
>  2. after assigning the AD user role to the user, an account is created
>     and becomes a member of the AD group
>  3. after unassigning the AD user role from the user, the account is deleted
>
> Hope this helps,
>
> Pavol
>
>
>
> On 16.06.2016 12:26, Мамаева Сауле Сериковна wrote:
>>
>> Hello,
>>
>> I have a meta role for groups that is assigned to an organization when 
>> the organization is created by the org template. This role creates groups 
>> in Active Directory (AD) with members associated with the created midPoint 
>> organization. But I want this role to create only the groups in AD; the 
>> members of these groups should appear in AD only after another role (AD 
>> user role) is assigned to the users. I have another role, AD user role, 
>> that is assigned to the user manually and with the approval of an 
>> administrator, and this role creates the user's account in AD.
>>
>> How and where can I add such a condition? Is it possible to add a 
>> condition for an inducement?
>>
>> This is the XML of the meta role for groups:
>>
>> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>       oid="11111111-2222-3333-4444-200000000055"
>>       version="8">
>>    <name>Metarole for groups</name>
>>    <metadata>
>>       <createTimestamp>2016-06-06T12:47:04.200+06:00</createTimestamp>
>>       <creatorRef oid="00000000-0000-0000-0000-000000000002" type="c:UserType"><!-- administrator --></creatorRef>
>>       <createChannel>http://midpoint.evolveum.com/xml/ns/public/model/channels-3#objectImport</createChannel>
>>    </metadata>
>>    <inducement id="1">
>>       <construction>
>>          <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_Saule --></resourceRef>
>>          <kind>entitlement</kind>
>>          <intent>group</intent>
>>       </construction>
>>    </inducement>
>>    <inducement id="2">
>>       <construction>
>>          <resourceRef oid="ef2bc95b-76e0-11e2-86d6-1111111111" type="c:ResourceType"><!-- Ldap_AD_ Saule --></resourceRef>
>>          <kind>account</kind>
>>          <intent>default</intent>
>>          <association>
>>             <c:ref>ri:group</c:ref>
>>             <outbound>
>>                <expression>
>>                   <associationFromLink>
>>                      <projectionDiscriminator>
>>                         <kind>entitlement</kind>
>>                         <intent>group</intent>
>>                      </projectionDiscriminator>
>>                   </associationFromLink>
>>                </expression>
>>             </outbound>
>>          </association>
>>       </construction>
>>       <order>2</order>
>>    </inducement>
>> </role>
>>
>> Best regards,
>>
>> Saule
>>
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
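The following Groovy script is an added example and is not code from the thread or from the midPoint project. It evaluates the corrected inducement condition against the "old" and "new" focus states that midPoint compares on each recompute, and shows why the null-safe `focus?.` matters when a user is being added (no original state). The focus objects are constructed maps that only mimic the `assignment` / `targetRef` structure the expression touches; the org OID is a labelled placeholder, not a value from the thread.

```groovy
import groovy.transform.Field

// Added example, not code from the midPoint thread. The focus objects below are
// constructed maps standing in for real midPoint focus objects.

// OID of the "AD user role" as quoted in the thread.
@Field final String AD_USER_ROLE_OID = 'd13681fb-88df-472a-a7fe-d869a1ea4c37'

// The condition as corrected in the thread. With 'focus?.' a null focus (no
// original state for a user that is being added) yields false instead of a
// NullPointerException; 'it.targetRef?.oid' likewise tolerates assignments that
// carry no targetRef at all.
boolean hasAdUserRole(def focus) {
    focus?.assignment?.find { it.targetRef?.oid == AD_USER_ROLE_OID } != null
}

// Constructed sample states (hypothetical org OID). The first user is only a
// member of the org; the second additionally holds the AD user role and one
// assignment without any targetRef.
def userWithoutRole = [name: 'saule', assignment: [
    [targetRef: [oid: 'ORG-OID-PLACEHOLDER']],
]]
def userWithRole = [name: 'saule', assignment: [
    [targetRef: [oid: 'ORG-OID-PLACEHOLDER']],
    [targetRef: [oid: AD_USER_ROLE_OID]],
    [:],                                   // assignment with no targetRef
]]

// Transitions described in the thread: old state -> new state. The condition
// going false -> true activates the inducement (account created and added to
// the group); true -> false deactivates it (account deleted); false -> false
// means no account is created at all.
def transitions = [
    ['user added to the org, no AD user role', null,            userWithoutRole],
    ['AD user role assigned',                  userWithoutRole, userWithRole],
    ['AD user role unassigned',                userWithRole,    userWithoutRole],
]

transitions.each { row ->
    def (label, oldFocus, newFocus) = row
    println "${label.padRight(40)} old=${hasAdUserRole(oldFocus)} new=${hasAdUserRole(newFocus)}"
}

// The properties the thread relies on.
assert !hasAdUserRole(null)              // just-added user: no NPE, no account
assert !hasAdUserRole(userWithoutRole)
assert hasAdUserRole(userWithRole)

// The uncorrected 'focus.assignment' form fails on the same null original state.
def noFocus = null
try {
    noFocus.assignment.find { it.targetRef?.oid == AD_USER_ROLE_OID } != null
    assert false, 'expected a NullPointerException'
} catch (NullPointerException e) {
    println "without '?.' on focus: ${e.class.simpleName} for a just-added user"
}
```

Run it with `groovy inducement-condition.groovy`. The point to take from the transition table is that the account exists only while the condition is true in the new state, so the AD account is never created merely by org membership and is removed again as soon as the AD user role is unassigned; the safe-navigation operator is what keeps the first transition from aborting with an exception instead of evaluating to false.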
