[midPoint] Inducement Inheritance not Working

Martin Lízner - AMI Praha a.s. martin.lizner at ami.cz
Tue Jan 3 19:25:09 CET 2017 

Im glad that helped, would you mind sharing the code fragments? M.

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz



[image: AMI Praha a.s.] <http://www.skyidentity.com/>

Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
společnost AMI Praha a.s.
jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
písemnou formu.


2017-01-03 18:59 GMT+01:00 Martin Marchese <mmarchese at identicum.com>:

> Thanks Martin,
>
> We did that change to our Org-Role model and it worked.
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
> mmarchese at identicum.com
> www.identicum.com
>
> On Sat, Dec 31, 2016 at 6:22 AM, Martin Lízner - AMI Praha a.s. <
> martin.lizner at ami.cz> wrote:
>
>> Hi, this is indeed very nice and advanced business logic.
>>
>> I would suggest you try dropping the meta role completely and use
>> organization to induce the logic. If you need higher level of
>> abstraction, you can imagine orgs (e.g. root) as meta roles and put logic
>> there.
>>
>> Something like (but Im not sure how will focusAssignment behave):
>>
>> *Org XML:*
>>
>> <org>
>>    <name>MEGC</name>
>> ...
>>    <inducement id="4">
>>       <targetRef oid="00000000-0000-1de4-0004-000000000011"
>> type="c:RoleType"></targetRef>
>>       <focusType>UserType</focusType>
>>       <condition>
>>          <source>
>>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>>          </source>
>>          <expression>
>>             <script>
>>                <code>metaRelation == 'TEACHER'</code>
>>             </script>
>>          </expression>
>>       </condition>
>>    </inducement>
>> ...
>> </org>
>>
>> Regards, M.
>>
>> Martin Lízner
>> solution architect
>>
>> gsm: [+420] 737 745 571 <+420%20737%20745%20571>
>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>>
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239 <+420%20274%20783%20239>
>> web: www.ami.cz
>>
>>
>>
>> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>>
>> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
>> společnost AMI Praha a.s.
>> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
>> písemnou formu.
>>
>>
>> 2016-12-29 19:25 GMT+01:00 Martin Marchese <mmarchese at identicum.com>:
>>
>>> Hi All,
>>>
>>> We have a role model designed as it follows:
>>>
>>> Users are assigned to an Org (the AssignmentType is extended with
>>> metaRelation attribute). This Org, has a Meta Role assigned.
>>>
>>> Based on the value of the metaRelation attribute (STUDENT or TEACHER)
>>> the Meta Role induces a Role (order 2 inducement) to the user.
>>>
>>> These induced roles have their own inducements, to resources (OpenLDAP,
>>> google apps, office 365, etc).
>>>
>>> Once a user is assigned to an Org, it receives the inderect assignment
>>> based on the metaRelation attribute value. However, it's not receiving the
>>> resource inducements, hence, the accounts are not being created in the
>>> resources.
>>>
>>> Any idea if this is normal behavior or if we are missing something?
>>>
>>> Below are examples of how our objects look like.
>>>
>>> *Org XML:*
>>>
>>> <org>
>>>    <name>MEGC</name>
>>> ...
>>>    <assignment id="1">
>>>       <targetRef oid="00000000-0000-1de4-0004-000000000099"
>>> type="c:RoleType"></targetRef>
>>>    </assignment>
>>> ...
>>> </org>
>>>
>>> *Meta Role XML:*
>>>
>>> <role>
>>>    <name>META_ROLE</name>
>>>    ...
>>>    <inducement id="4">
>>>       <targetRef oid="00000000-0000-1de4-0004-000000000011"
>>> type="c:RoleType"></targetRef>
>>>       <order>2</order>
>>>       <focusType>UserType</focusType>
>>>       <condition>
>>>          <source>
>>>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>>>          </source>
>>>          <expression>
>>>             <script>
>>>                <code>metaRelation == 'TEACHER'</code>
>>>             </script>
>>>          </expression>
>>>       </condition>
>>>    </inducement>
>>> ...
>>> </role>
>>>
>>> *Induced Role:*
>>>
>>> <role>
>>>    <name>TEACHER</name>
>>> ...
>>>    <inducement id="1">
>>>       <construction>
>>>          <resourceRef oid="00000000-0000-1de4-0002-000000000002"
>>> type="c:ResourceType"></resourceRef>
>>>          <kind>account</kind>
>>>       </construction>
>>>    </inducement>
>>> ...
>>> </role>
>>>
>>> Thanks in Advance
>>>
>>> *Ing. Martín Marchese*
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>>> mmarchese at identicum.com
>>> www.identicum.com
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170103/1912aee9/attachment.htm>

More information about the midPoint mailing list