[midPoint] Create Group in AD

Pavol Mederly mederly at evolveum.com
Mon Oct 10 17:35:40 CEST 2016 

Hello Daniel,

to be honest, I haven't understood your previous mail fully. But I can 
say a few words to this one.

Yes, it is possible to create a condition saying that the group should 
be created only if there's at least one potential member. One of 
possible implementations is like this:

<role ...>
     <name>Metarole</name>
     <inducement>
         <construction>
             <resourceRef oid="ef2bc95b-76e0-48e2-86d6-3d4f02d3e1a2" />
             <kind>entitlement</kind>
             <intent>ldapGroup</intent>
         </construction>
         <condition>
             <expression>
                 <script>
                     <code>
                         import com.evolveum.midpoint.prism.query.builder.*
                         import 
com.evolveum.midpoint.xml.ns._public.common.common_3.*
                         import javax.xml.namespace.*

                         // let's construct a query to find all the 
members (see note below)
                         query = QueryBuilder.queryFor(UserType.class, 
midpoint.prismContext)
                             
.item(UserType.F_ROLE_MEMBERSHIP_REF).ref(immediateRole.oid)
                             .build()

                         members = midpoint.countObjects(UserType.class, 
query, null)
                         log.info('members = {}', members)
                         members != 0
                     </code>
                 </script>
             </expression>
         </condition>
     </inducement>

So, basically we ask if there are any members, and set the condition to 
TRUE only if there are some.

However, there is a problem: Let's illustrate it having a user U (no 
assignments) and role R (that has assigned this metarole). The problem 
is that the construction condition is evaluated only when role R is 
created or recomputed - not at the moment of assigning role R to the 
user U. So, in order to achieve the desired result (create LDAP group 
when the first user is assigned the role), the following sequence of 
events should occur:

 1. Role R is assigned to user U. At this moment, group "R" on resource
    does not exist, so the user has no account created yet.
 2. Recomputation of R is carried out (manually or because of a
    scheduled task). At this moment, group "R" on the resource is
    created, having no members so far.
 3. Recomputation of U is carried out. Only at this moment the user
    account is created and added to the group "R" on the resource.

Maybe someone could have a better idea how to implement this ...

Pavol Mederly
Software developer
evolveum.com

On 07.10.2016 14:06, Daniel.Sommer at itconcepts.net wrote:
> Helloy Guys,
>
> i wrote before, but maybe this was to complicated. Now i will reduce 
> it to one concrete question:
>
>
> With meta role i can create a group in ad on assigning the metarole to 
> any other role (say R), and afterwards creating an account in ad and 
> adding it to the group
> by assigning R to a user. This works fine!
>
> But now i just want to create the group not at the time i assign the 
> meta role to R, but only when i assign R to the user
> (This would be equal to the condition that the group is only created 
> if there is at least one account member of it).
>
> Is this possible, and how?
>
>
> Best regards,
>
> Daniel
>
> Daniel Sommer
> Office: +49 228 908733 0 | Fax: +49 228 908733 1| Mobil: +49 176 162086 79
>
> ITConcepts Professional GmbH -  In den Dauen 6 - DE 53117 Bonn
>
> Website www.itconcepts.net <http://www.itconcepts.net>
>
> <http://www.itconcepts.net/> 
> <http://www.itconcepts.net/index.php/about-cognitum>
> Besuchen Sie uns auch auf 
> <http://www.xing.com/companies/itconceptsprofessionalgmbh/updates> 
> <http://www.linkedin.com/company/itconcepts>
>
> Events mit ITConcepts
> 10.-12. Oktober: SailPoint Navigate in Berlin. Mehr Infos hier 
> <http://www.itconcepts.de/index.php/veranstaltungen/details/86-sailpoint-navigate>.
> 13. Oktober: Ping IDENTIFY in Frankfurt. Mehr Infos hier 
> <http://www.itconcepts.de/index.php/veranstaltungen/details/89-ping-identify>.
> 17. Oktober: Internationaler Automobil Kongress in Wolfsburg. Mehr 
> Infos hier 
> <http://www.itconcepts.de/index.php/veranstaltungen/details/88-internationaler-automobil-kongress>.
> 18.- 20. Oktober: it-sa, IT Security Messe in Nürnberg, Mehr Infos 
> hier 
> <http://www.itconcepts.de/index.php/veranstaltungen/details/84-it-sa-2016>.
> 18.- 20. Oktober: IZB in Wolfsburg, Mehr Infos hier 
> <http://www.itconcepts.de/index.php/veranstaltungen/details/87-izb-internationale-zuliefererboerse>.
> 16.- 17. November: BMC Exchange in Mainz .Mehr Infos hier 
> <http://www.itconcepts.de/index.php/veranstaltungen/details/53-bmc-exchange-2016>.
>
> Trainings von ITConcepts
> 17. -21. Oktober: Öffentliches Training Dell One Identity Manager 6.x 
> - Basisschulung (Kursinhalt 
> <http://tp://www.itconcepts.de/index.php/iam/dell-one-identity-manager-basisschulung>)
>
> ITConcepts Professional GmbH Gf.: Sven Moog, Sitz Bonn, AG Bonn HRB 
> 12947 - Ust-Id Nr: DE211482933
> ITConcepts Automotive GmbH Gf.: Sven Moog, Sitz Wolfsburg, AG 
> Braunschweig HRB 204188 - Ust-Id Nr: DE223888748
> ITConcepts Operations GmbH Gf.: Sven Moog, Sitz Bonn, AG Bonn HRB 
> 15454 - St.-Nr: 205/5726/0602
>
> Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte 
> Informationen. Wenn Sie nicht der richtige Adressat sind
> oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte 
> sofort den Absender und vernichten Sie diese Mail.
> Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser E-Mail 
> sind nicht gestattet.
>
> This e-mail may contain confidential and/or privileged information. If 
> you are not the intended recipient
> (or have received this e-mail in error) please notify the sender 
> immediately and destroy this e-mail.
> Any unauthorised copying, disclosure or distribution of the material 
> in this e-mail is strictly forbidden.
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161010/65a38784/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 2977 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161010/65a38784/attachment.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 501 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161010/65a38784/attachment-0001.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1009 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161010/65a38784/attachment-0002.gif>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/gif
Size: 1026 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20161010/65a38784/attachment-0003.gif>

More information about the midPoint mailing list