[midPoint] Importing entitlements to roles for multiple account intents

Alcides Carlos de Moraes Neto alcides.neto at gmail.com
Fri Dec 29 19:36:02 CET 2017


If you assign a Role that gives Entitlement X to User Y with weak strength,
only the existing account(s) for User Y will receive the entitlement.
Having multiple weak inducements will work, I think.

I have a similar setup, but it's the other way around - multiple intents
for entitlements induced from Org, only one for account intent associated
to User.
I have multiple inducements in a Meta-role that I assign to Orgs.

You can also use a Condition expression to further filter them.

2017-12-29 13:40 GMT-02:00 Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl>:

> Hi!
>
> I thought about adding multiple first order inducements for each account
> intent with weak strength to the "associationFromLink" metarole,
> but what if the accounts (of one user in multiple intents) must have
> different privileges (entitlements)?
> When I assign a role that gives entitlement X, it will be applied to every
> user account on this resource, I think.
>
> Another way I tried is to assign the "associationFromLink" metarole to the
> role that provisions account creation,
> and the role with linkRef pointing to the entitlement shadow as separate
> user assignment, but it doesn't work.
> I think (but I don't know exactly) that "associationFromLink" is limited
> to one assignment chain so the linkRef and associationFromLink
> must be in the same chain. But maybe I'm wrong...?
>
> I'm stuck here and see no good solution for now.
>
> Best regards!
> WS
>
> On 29.12.2017 at 15:08, Alcides Carlos de Moraes Neto wrote:
>
> Hi WS,
>
> In your role template, have you tried adding multiple inducements with an
> association for each entitlement? I don't see why that wouldn't work.
>
> 2017-12-28 13:54 GMT-02:00 Wojciech Staszewski <wojciech.staszewski@
> diagnostyka.pl>:
>
>> Hello!
>>
>> I'm looking for the correct way to import resource entitlements
>> into midPoint roles.
>>
>> For now I'm doing this as follows:
>> 1) create schema handling for entitlement.
>> 2) create synchronization.
>> 3) At the "unmatched->addFocus" synchronization step I connect a role
>> template. The template assigns metaroles to the imported roles for:
>>   a) association from link (as the imported roles are just linkRef only),
>>   b) approval schema,
>>   c) and assigns correct OrgUnit in the role catalog, based on resource,
>> role type and other "things".
>>
>> That works just perfect, but for one account intent only. The account
>> intent is statically specified in "association from link" metarole in the
>> first order inducement.
>> If it is not, the metarole works for "default" account intent.
>> But I have 8 account intents in this resource, and every account must be
>> associated with the entitlements regardless of the intent.
>>
>> I tried to make more than one "unmatched->addFocus" synchronization
>> reaction with different role templates
>> with hope for importing 8 roles from one entitlement for different
>> account intents but midPoint warns me: "Duplicated reactions [...]".
>> I cannot just add multiple "actions" to one reaction because I can apply
>> only one template to one reaction.
>>
>> And I don't know how to do it.
>> Any ideas?
>> Beer is on me for the help!
>>
>> Happy NY!
>> WS
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>
> --
> Wojciech Staszewski
> Network Systems Administrator