[midPoint] Inducement Inheritance not Working

Martin Marchese mmarchese at identicum.com
Tue Jan 3 18:59:24 CET 2017 

Thanks Martin,

We did that change to our Org-Role model and it worked.

*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com

On Sat, Dec 31, 2016 at 6:22 AM, Martin Lízner - AMI Praha a.s. <
martin.lizner at ami.cz> wrote:

> Hi, this is indeed very nice and advanced business logic.
>
> I would suggest you try dropping the meta role completely and use
> organization to induce the logic. If you need higher level of
> abstraction, you can imagine orgs (e.g. root) as meta roles and put logic
> there.
>
> Something like (but Im not sure how will focusAssignment behave):
>
> *Org XML:*
>
> <org>
>    <name>MEGC</name>
> ...
>    <inducement id="4">
>       <targetRef oid="00000000-0000-1de4-0004-000000000011"
> type="c:RoleType"></targetRef>
>       <focusType>UserType</focusType>
>       <condition>
>          <source>
>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>          </source>
>          <expression>
>             <script>
>                <code>metaRelation == 'TEACHER'</code>
>             </script>
>          </expression>
>       </condition>
>    </inducement>
> ...
> </org>
>
> Regards, M.
>
> Martin Lízner
> solution architect
>
> gsm: [+420] 737 745 571 <+420%20737%20745%20571>
> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
> web: www.ami.cz
>
>
>
> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
> 2016-12-29 19:25 GMT+01:00 Martin Marchese <mmarchese at identicum.com>:
>
>> Hi All,
>>
>> We have a role model designed as it follows:
>>
>> Users are assigned to an Org (the AssignmentType is extended with
>> metaRelation attribute). This Org, has a Meta Role assigned.
>>
>> Based on the value of the metaRelation attribute (STUDENT or TEACHER) the
>> Meta Role induces a Role (order 2 inducement) to the user.
>>
>> These induced roles have their own inducements, to resources (OpenLDAP,
>> google apps, office 365, etc).
>>
>> Once a user is assigned to an Org, it receives the inderect assignment
>> based on the metaRelation attribute value. However, it's not receiving the
>> resource inducements, hence, the accounts are not being created in the
>> resources.
>>
>> Any idea if this is normal behavior or if we are missing something?
>>
>> Below are examples of how our objects look like.
>>
>> *Org XML:*
>>
>> <org>
>>    <name>MEGC</name>
>> ...
>>    <assignment id="1">
>>       <targetRef oid="00000000-0000-1de4-0004-000000000099"
>> type="c:RoleType"></targetRef>
>>    </assignment>
>> ...
>> </org>
>>
>> *Meta Role XML:*
>>
>> <role>
>>    <name>META_ROLE</name>
>>    ...
>>    <inducement id="4">
>>       <targetRef oid="00000000-0000-1de4-0004-000000000011"
>> type="c:RoleType"></targetRef>
>>       <order>2</order>
>>       <focusType>UserType</focusType>
>>       <condition>
>>          <source>
>>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>>          </source>
>>          <expression>
>>             <script>
>>                <code>metaRelation == 'TEACHER'</code>
>>             </script>
>>          </expression>
>>       </condition>
>>    </inducement>
>> ...
>> </role>
>>
>> *Induced Role:*
>>
>> <role>
>>    <name>TEACHER</name>
>> ...
>>    <inducement id="1">
>>       <construction>
>>          <resourceRef oid="00000000-0000-1de4-0002-000000000002"
>> type="c:ResourceType"></resourceRef>
>>          <kind>account</kind>
>>       </construction>
>>    </inducement>
>> ...
>> </role>
>>
>> Thanks in Advance
>>
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>> mmarchese at identicum.com
>> www.identicum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170103/d0a8fc43/attachment.htm>

More information about the midPoint mailing list