[midPoint] Org assignment deletes user's role assignment?

Mikko Pekkarinen mikko.pekkarinen at datactica.fi
Tue Jan 3 17:35:52 CET 2017


Hello,

I'm synchronizing users and orgs from a resource to midPoint. In schema handling I create a user->org assignment. In the global user template I assign a role to users.

Problem: the role is not assigned. MidPoint (3.5) seems to process the assignment, though:
 - the role induces an LDAP account, and that gets created.
 - the users have "roleMembershipRef" set for the role, when viewing the XML in "repository objects"

The Audit log details of a user show that the role is assigned correctly when the user gets added through reconciliation.
But in the same second comes another modification, which sets the parentOrgRef and deletes the role assignment.

Why is the role assignment deleted? What do I have to configure to prevent that?

For reference, here are snippets from the current configuration:

Schema handling:
    <inbound>
       <name>Org GUID</name>
       <authoritative>true</authoritative><!-- or false, the result is the same -->
       <exclusive>false</exclusive>
       <strength>normal</strength>
       <expression>
          <assignmentTargetSearch>
             <targetType>c:OrgType</targetType>
             <filter>
                <q:equal>
                   <q:path>c:name</q:path>
                   <expression>
                      <path>$input</path>
                   </expression>
                </q:equal>
             </filter>
          </assignmentTargetSearch>
       </expression>
       <target>
          <c:path>assignment</c:path>
       </target>
    </inbound>

Global user template:

    <mapping>
      <name>Assign End User role</name>
      <strength>strong</strength>
      <expression>
         <assignmentTargetSearch>
            <targetType>c:RoleType</targetType>
            <filter>
               <q:equal>
                  <q:path>c:name</q:path>
                  <expression>
                     <value>Kayttaja</value>
                  </expression>
               </q:equal>
            </filter>
         </assignmentTargetSearch>
      </expression>
      <target>
         <c:path>assignment</c:path>
      </target>
    </mapping>

Thanks,

Mikko


