[midPoint] Org assignment deletes user's role assignment?

Mikko Pekkarinen mikko.pekkarinen at datactica.fi
Mon Jan 9 21:24:02 CET 2017


Hello,

finally an embarrassingly simple workaround occurred to me: store just the org's name into user in inbound mapping, and create the assignment in the user template. This works as expected.

I wonder why the first approach did not.


Mikko

________________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Mikko Pekkarinen <mikko.pekkarinen at datactica.fi>
Sent: 3 January 2017 18:35
To: midpoint at lists.evolveum.com
Subject: [midPoint] Org assignment deletes user's role assignment?

Hello,

I'm synchronizing users and orgs from a resource to midpoint. In schema handling I create a user->org assignment. In the global user template I assign a role to users.

Problem: the role is not assigned. MidPoint (3.5) seems to process the assignment, though:
 - the role induces an LDAP account, and that gets created.
 - the users have "roleMembershipRef" set for the role, when viewing the XML in "repository objects"

The Audit log details of a user show that the role is assigned correctly when the user gets added through reconciliation.
But on the same second comes another modification, which sets the parentOrgRef and deletes the role assignment.

Why is the role assignment deleted? What do I have to configure to prevent that?

For reference, here are snippets from the current configuration:

Schema handling:
    <inbound>
       <name>Org GUID</name>
       <authoritative>true</authoritative><!-- or false, the result is the same -->
       <exclusive>false</exclusive>
       <strength>normal</strength>
       <expression>
          <assignmentTargetSearch>
             <targetType>c:OrgType</targetType>
             <filter>
                <q:equal>
                   <q:path>c:name</q:path>
                   <expression>
                      <path>$input</path>
                   </expression>
                </q:equal>
             </filter>
          </assignmentTargetSearch>
       </expression>
       <target>
          <c:path>assignment</c:path>
       </target>
    </inbound>

Global user template:

    <mapping>
      <name>Assign End User role</name>
      <strength>strong</strength>
      <expression>
         <assignmentTargetSearch>
            <targetType>c:RoleType</targetType>
            <filter>
               <q:equal>
                  <q:path>c:name</q:path>
                  <expression>
                     <value>Kayttaja</value>
                  </expression>
               </q:equal>
            </filter>
         </assignmentTargetSearch>
      </expression>
      <target>
         <c:path>assignment</c:path>
      </target>
    </mapping>

Thanks,

Mikko
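
The workaround described at the top of this message, sketched as configuration fragments. This is an added example, not the poster's actual configuration: the choice of `organizationalUnit` as the user property that holds the org name and the mapping names are assumptions, and the `c:` and `q:` prefixes are used as in the snippets above.

```xml
<!-- Resource schema handling: the inbound mapping only copies the org name
     into a user property; it no longer targets "assignment".
     Assumption: organizationalUnit is the property chosen to hold the name. -->
<inbound>
   <name>Org name</name>
   <target>
      <c:path>organizationalUnit</c:path>
   </target>
</inbound>

<!-- Global user template: the org assignment is built here, next to the
     "Assign End User role" mapping, so both assignments come from the template. -->
<mapping>
   <name>Assign org by name</name>
   <authoritative>true</authoritative>
   <source>
      <c:path>organizationalUnit</c:path>
   </source>
   <expression>
      <assignmentTargetSearch>
         <targetType>c:OrgType</targetType>
         <filter>
            <q:equal>
               <q:path>c:name</q:path>
               <expression>
                  <!-- the source property is available as a variable of the same name -->
                  <path>$organizationalUnit</path>
               </expression>
            </q:equal>
         </filter>
      </assignmentTargetSearch>
   </expression>
   <target>
      <c:path>assignment</c:path>
   </target>
</mapping>
```

After a reconciliation run, the audit log details of a user and the user's XML under "repository objects" should show both the org assignment and the role assignment.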