[midPoint] intent filter/expression?
Radovan Semancik
radovan.semancik at evolveum.com
Wed Dec 6 10:05:28 CET 2017
Hi,
Yes, kind/intent is fixed. And, strictly speaking it has to remain fixed
because resource+kind+intent triple determines object type, which
determines the schema (and some policies). That is how midPoint is
implemented now.
But, despite that, there are places where we do not need to be that
strict. Theoretically intent could be determined dynamically at some
places in the future. But there may be limitations (e.g. resource wizard
will not work properly). And this is going to make the code a bit more
complex than it is now. Therefore we will do that only if there is
funding for development of this feature and funding for maintenance as
well (i.e. platform subscription is needed).
We are also thinking about alternative feature. We would like to add
"index" as a new element to existing resource+kind+intent triple. The
idea is that resource+kind+intent would completely define the schema and
policies. And then "index" could be dynamically managed and it would
define an "instance", "site", "domain", "realm" and so on. That way we
can get both "formal correctness" and dynamics. But this feature is not
yet implemented and not even planned for any midPoint versions in a near
future. Platfrom subscription is needed for this as well.
--
Radovan Semancik
Software Architect
evolveum.com
On 12/06/2017 12:08 AM, Pavol Mederly wrote:
> Hello Wojciech,
>
> I am afraid that this is not possible. Intent (and the kind as well)
> seem to be quite fixed to String (and ShadowKindType) in the code.
>
> Best regards,
>
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 05.12.2017 12:00, Wojciech Staszewski wrote:
>> Hello!
>>
>> Is there an ability to set the "intent" in a metarole using filter or
>> expression? Or it must be defined statically?
>>
>> I'm building an "universal" metarole that is assigning an entitlement
>> (group membership).
>> It must work with any instance of specified type of resource and any
>> account intent. I'm trying to prevent the role explosion syndrome. :)
>>
>> Everything is working fine, except that the metarole works only for
>> accounts with intent marked as "default" (or defined explicitly).
>> Would be great to resolve "intent" using filter/expression,
>> analogously to "resourceRef".
>>
>> Below is the metarole:
>>
>> <role>
>> <name>UNIVERSAL ENTITLEMENT METAROLE: GROUP AAAAA</name>
>> <inducement id="1">
>> <construction>
>> <strength>weak</strength>
>> <resourceRef>
>> <filter>
>> <q:inOid>
>> <expression>
>> <script>
>> <code>
>> return
>> basic.getPropertyValue(immediateRole, "extension/resourceRef");
>> </code>
>> </script>
>> </expression>
>> </q:inOid>
>> </filter>
>> <resolutionTime>run</resolutionTime>
>> </resourceRef>
>> <kind>account</kind>
>> <intent> *THIS IS THE PLACE I HAVE TO RESOLVE INTENT FROM PARENT
>> ROLE "extension/intentRef"* </intent>
>> <association>
>> <c:ref>ri:groups</c:ref>
>> <outbound>
>> <strength>strong</strength>
>> <expression>
>> <associationTargetSearch
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xsi:type="c:SearchObjectExpressionEvaluatorType">
>> <filter>
>> <q:equal>
>> <q:path>attributes/icfs:name</q:path>
>> <q:value>GROUP AAAAA</q:value>
>> </q:equal>
>> </filter>
>> </associationTargetSearch>
>> </expression>
>> </outbound>
>> </association>
>> </construction>
>> <order>2</order>
>> </inducement>
>> </role>
>>
>> I tried to make filters / expressions but got nothing but errors...
>>
>> Thanks for any help.
>> WS
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
More information about the midPoint
mailing list