[midPoint] UserTemplate - Role Assignment based on Org Assignment Property

Martin Marchese mmarchese at identicum.com
Fri Nov 18 23:20:18 CET 2016


Thanks Ivan, that worked like a charm! And it's a very nice solution!

However, just to let you know, it worked only on MidPoint 3.5 snapshot; we
tested that in 3.4.1 with no luck.

Regards

*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com

On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris <ivan.noris at evolveum.com> wrote:

> Hi,
>
> there might be a way to do this in object template, but it could be
> complicated.
>
> I would probably try metarole instead:
>
> 1. all organizations should have a metarole assigned (not induced)
>
> 2. roles STUDENT and TEACHER will be defined by you to do whatever needed
> for users
>
> 3. the metarole would have two order=2 inducements for users which have
> the organization assigned. One of the inducements would induce the STUDENT
> role if the assignment parameter metaRelation for "this" organization is
> STUDENT. The other would assign the TEACHER role if the assignment
> parameter for "this" organization is TEACHER. The inducements would be
> indirect, i.e. you would not see the STUDENT/TEACHER role assigned in
> user's Assignments tab *(this may or may not be a problem for you)*.
>
> Technically it would mean that one person with 20 organizations assigned
> as TEACHER would end up with 20 assignments of the same role TEACHER, but I
> believe that midPoint will "normalize" this and only one role TEACHER would
> be assigned in reality.
>
> The metarole should look similar to this (untested):
>
> <role ...>
>   <name>Teacher/Student Org Metarole</name>
>
>   <inducement>
>     <targetRef oid="00000000-dc00-dc00-0004-000000000078" type="c:RoleType"><!-- STUDENT --></targetRef>
>     <condition>
>       <source>
>         <!-- xyz is your namespace -->
>         <path>$focusAssignment/xyz:metaRelation</path>
>       </source>
>       <expression>
>         <script>
>           <code>metaRelation == 'STUDENT'</code>
>         </script>
>       </expression>
>     </condition>
>     <!-- to apply only to users even if organization is assigned to another organization -->
>     <focusType>c:UserType</focusType>
>     <!-- to apply to users which have the organization assigned -->
>     <order>2</order>
>   </inducement>
>
>   <inducement>
>     <targetRef oid="00000000-dc00-dc00-0004-000000000111" type="c:RoleType"><!-- TEACHER --></targetRef>
>     <condition>
>       <source>
>         <!-- xyz is your namespace -->
>         <path>$focusAssignment/xyz:metaRelation</path>
>       </source>
>       <expression>
>         <script>
>           <code>metaRelation == 'TEACHER'</code>
>         </script>
>       </expression>
>     </condition>
>     <focusType>c:UserType</focusType>
>     <order>2</order>
>   </inducement>
> </role>
>
> I hope I'm correct. I have done similar stuff, but not this specific one.
>
> Regards,
>
> Ivan
> On 11/18/2016 06:44 PM, Martin Marchese wrote:
>
> Hi Ivan thanks for your answer,
>
> Yes that's correct, they should be assigned without any parameters based
> on the org assignment types.
>
> Regards
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com
> www.identicum.com
>
> On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris <ivan.noris at evolveum.com>
> wrote:
>
>> Hi Martin,
>>
>> the STUDENT and TEACHER roles are "static" in terms of assignment
>> parameters? They are (should be) just assigned without any parameters
>> whenever user has any org with STUDENT-type assignment or any role with
>> TEACHER-type assignment?
>>
>>
>> Ivan
>>
>>
>> On 11/16/2016 08:37 PM, Martin Marchese wrote:
>>
>> Hi All,
>>
>> We had our AssignmentType extended with a "metaRelation" extension
>> property.
>>
>> Users are assigned to an OrgType
>>
>> Our OrgType represents schools and within this "metaRelation" property, we
>> store whether the assigned user is a STUDENT or a TEACHER.
>>
>> Besides, we have 2 Roles (STUDENT and TEACHER roles).
>>
>> We would like to use our user template to assign the corresponding role
>> to the user based on which "metaRelation" it has within the Org.
>>
>> Users could be STUDENT and/or TEACHER on more than one Org, so while the
>> user has at least one of these assignments, it needs to have the
>> corresponding role assigned.
>>
>> We are thinking if there's a way to query the user Org assignments within
>> the template and use it as source for the target role assignment.
>>
>> Is this the best/correct way to do it? Do you recommend any other way?
>>
>> Thanks in Advance
>> Regards,
>>
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> mmarchese at identicum.com
>> www.identicum.com
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ivan Noris
>> Senior Identity Engineer
>> evolveum.com
>>
>
>
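
The evaluation Ivan describes above (order=2 inducements, a `focusType` guard, and a condition on the focus assignment's `metaRelation`), as a simplified Python model. This is an added example, not part of the original thread and not midPoint code; the org names, the `effective_roles` function and the evaluation rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Inducement:
    target_role: str
    order: int               # 2 = applies to holders of the org that holds the metarole
    focus_type: str          # only focuses of this type receive the role
    required_relation: str   # condition on the focus assignment's metaRelation

@dataclass
class Assignment:
    target: str                           # org the focus is assigned to
    meta_relation: Optional[str] = None   # extension property on the assignment

# The two inducements of the metarole from the thread.
METAROLE = [
    Inducement("STUDENT", 2, "UserType", "STUDENT"),
    Inducement("TEACHER", 2, "UserType", "TEACHER"),
]

# Constructed sample data: school-x has no metarole assigned.
ORGS_WITH_METAROLE = {"school-a", "school-b", "school-c"}
SAMPLE_USER = [
    Assignment("school-a", "TEACHER"),
    Assignment("school-b", "TEACHER"),
    Assignment("school-c", "STUDENT"),
    Assignment("school-x", "TEACHER"),
]

def effective_roles(focus_type, assignments, orgs_with_metarole):
    """Return (roles, hits): the deduplicated induced roles and the raw
    (org, role) pairs that produced them."""
    hits = []
    for a in assignments:
        if a.target not in orgs_with_metarole:
            continue  # the org must have the metarole assigned (step 1)
        for ind in METAROLE:
            # focus -> org -> metarole is a chain of depth 2, so only
            # order=2 inducements reach the focus.
            if ind.order != 2 or ind.focus_type != focus_type:
                continue
            if a.meta_relation == ind.required_relation:
                hits.append((a.target, ind.target_role))
    # Many hits for the same role collapse into a single effective role.
    return {role for _, role in hits}, hits

if __name__ == "__main__":
    roles, hits = effective_roles("UserType", SAMPLE_USER, ORGS_WITH_METAROLE)
    print(sorted(roles), hits)
```

Because the induced roles never appear among the user's direct assignments, an access review of this setup has to look at the computed set, not only at what is listed on the user.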