[midPoint] Inducement Inheritance not Working

Martin Marchese mmarchese at identicum.com
Mon Jan 16 22:14:02 CET 2017


Hi Martin, sorry for the delay in sharing the code.

Here is how it is working now (notice that we are using unbounded order,
since that is how we needed it in our model; it may need to be changed
depending on your modelling):

*Org:*
*-----*
<org>
...
   <name>MEGC</name>
.....
   <inducement id="2">
      <targetRef oid="00000000-0000-1de4-0004-000000000010" type="RoleType"></targetRef>
      <orderConstraint>
         <orderMax>unbounded</orderMax>
      </orderConstraint>
      <focusType>UserType</focusType>
      <condition>
         <source>
            <path>$focusAssignment/extension/metaRelation</path>
         </source>
         <expression>
            <script>
               <code>metaRelation == 'STUDENT'</code>
            </script>
         </expression>
      </condition>
   </inducement>
....
</org>

*Student Role:*
*------------------*

<role>
...
   <name>STUDENT</name>
   <inducement id="2">
      <orderConstraint>
         <orderMax>unbounded</orderMax>
      </orderConstraint>
      <construction>
         <resourceRef oid="00000000-0000-1de4-0002-000000000002" type="c:ResourceType"></resourceRef>
         <kind>account</kind>
      </construction>
   </inducement>
...
</role>


Regards

*Ing. Martín Marchese*
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
mmarchese at identicum.com
www.identicum.com

On Tue, Jan 3, 2017 at 3:25 PM, Martin Lízner - AMI Praha a.s. <
martin.lizner at ami.cz> wrote:

> I'm glad that helped, would you mind sharing the code fragments? M.
>
> Martin Lízner
> solution architect
>
> gsm: [+420] 737 745 571
> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
>
>
> By the text of this e-mail, the signatory neither promises to conclude nor
> concludes any contract on behalf of AMI Praha a.s. Any contract, if
> concluded, must be exclusively in written form.
>
>
> 2017-01-03 18:59 GMT+01:00 Martin Marchese <mmarchese at identicum.com>:
>
>> Thanks Martin,
>>
>> We did that change to our Org-Role model and it worked.
>>
>> *Ing. Martín Marchese*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050
>> mmarchese at identicum.com
>> www.identicum.com
>>
>> On Sat, Dec 31, 2016 at 6:22 AM, Martin Lízner - AMI Praha a.s. <
>> martin.lizner at ami.cz> wrote:
>>
>>> Hi, this is indeed very nice and advanced business logic.
>>>
>>> I would suggest you try dropping the meta role completely and use the
>>> organization to induce the logic. If you need a higher level of
>>> abstraction, you can imagine orgs (e.g. root) as meta roles and put logic
>>> there.
>>>
>>> Something like (but I'm not sure how focusAssignment will behave):
>>>
>>> *Org XML:*
>>>
>>> <org>
>>>    <name>MEGC</name>
>>> ...
>>>    <inducement id="4">
>>>       <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"></targetRef>
>>>       <focusType>UserType</focusType>
>>>       <condition>
>>>          <source>
>>>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>>>          </source>
>>>          <expression>
>>>             <script>
>>>                <code>metaRelation == 'TEACHER'</code>
>>>             </script>
>>>          </expression>
>>>       </condition>
>>>    </inducement>
>>> ...
>>> </org>
>>>
>>> Regards, M.
>>>
>>> Martin Lízner
>>> solution architect
>>>
>>> gsm: [+420] 737 745 571
>>> e-mail: martin.lizner at ami.cz <jmeno.prijmeni at ami.cz>
>>>
>>>
>>> AMI Praha a.s.
>>> Pláničkova 11
>>> 162 00 Praha 6
>>> tel.: [+420] 274 783 239
>>> web: www.ami.cz
>>>
>>>
>>>
>>>
>>> By the text of this e-mail, the signatory neither promises to conclude
>>> nor concludes any contract on behalf of AMI Praha a.s. Any contract, if
>>> concluded, must be exclusively in written form.
>>>
>>>
>>> 2016-12-29 19:25 GMT+01:00 Martin Marchese <mmarchese at identicum.com>:
>>>
>>>> Hi All,
>>>>
>>>> We have a role model designed as follows:
>>>>
>>>> Users are assigned to an Org (the AssignmentType is extended with a
>>>> metaRelation attribute). This Org has a Meta Role assigned.
>>>>
>>>> Based on the value of the metaRelation attribute (STUDENT or TEACHER)
>>>> the Meta Role induces a Role (order 2 inducement) to the user.
>>>>
>>>> These induced roles have their own inducements, to resources (OpenLDAP,
>>>> google apps, office 365, etc).
>>>>
>>>> Once a user is assigned to an Org, it receives the indirect assignment
>>>> based on the metaRelation attribute value. However, it's not receiving the
>>>> resource inducements, hence, the accounts are not being created in the
>>>> resources.
>>>>
>>>> Any idea if this is normal behavior or if we are missing something?
>>>>
>>>> Below are examples of what our objects look like.
>>>>
>>>> *Org XML:*
>>>>
>>>> <org>
>>>>    <name>MEGC</name>
>>>> ...
>>>>    <assignment id="1">
>>>>       <targetRef oid="00000000-0000-1de4-0004-000000000099" type="c:RoleType"></targetRef>
>>>>    </assignment>
>>>> ...
>>>> </org>
>>>>
>>>> *Meta Role XML:*
>>>>
>>>> <role>
>>>>    <name>META_ROLE</name>
>>>>    ...
>>>>    <inducement id="4">
>>>>       <targetRef oid="00000000-0000-1de4-0004-000000000011" type="c:RoleType"></targetRef>
>>>>       <order>2</order>
>>>>       <focusType>UserType</focusType>
>>>>       <condition>
>>>>          <source>
>>>>             <c:path>$focusAssignment/extension/metaRelation</c:path>
>>>>          </source>
>>>>          <expression>
>>>>             <script>
>>>>                <code>metaRelation == 'TEACHER'</code>
>>>>             </script>
>>>>          </expression>
>>>>       </condition>
>>>>    </inducement>
>>>> ...
>>>> </role>
>>>>
>>>> *Induced Role:*
>>>>
>>>> <role>
>>>>    <name>TEACHER</name>
>>>> ...
>>>>    <inducement id="1">
>>>>       <construction>
>>>>          <resourceRef oid="00000000-0000-1de4-0002-000000000002" type="c:ResourceType"></resourceRef>
>>>>          <kind>account</kind>
>>>>       </construction>
>>>>    </inducement>
>>>> ...
>>>> </role>
>>>>
>>>> Thanks in Advance
>>>>
>>>> *Ing. Martín Marchese*
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Tel: +54 (11) 4552-3050
>>>> mmarchese at identicum.com
>>>> www.identicum.com
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>
>
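
An added example, not part of the thread and not midPoint code: a small Python check that lists every inducement in a set of objects with its order setting and whether it carries a condition, and picks out the ones that are unbounded and unconditional for review. The sample is constructed and abridged from the Org and STUDENT role in the top message; the <objects> wrapper and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Org and STUDENT role from the top message, elided parts
# omitted, wrapped in an assumed <objects> element.
SAMPLE = """<objects>
<org><name>MEGC</name><inducement id="2">
  <targetRef oid="00000000-0000-1de4-0004-000000000010" type="RoleType"/>
  <orderConstraint><orderMax>unbounded</orderMax></orderConstraint>
  <focusType>UserType</focusType>
  <condition><expression><script><code>metaRelation == 'STUDENT'</code>
  </script></expression></condition>
</inducement></org>
<role><name>STUDENT</name><inducement id="2">
  <orderConstraint><orderMax>unbounded</orderMax></orderConstraint>
  <construction><kind>account</kind>
    <resourceRef oid="00000000-0000-1de4-0002-000000000002" type="c:ResourceType"/>
  </construction>
</inducement></role>
</objects>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop "{namespace}" if present

def find(elem, name):
    """First descendant of elem with this local name, or None."""
    return next((e for e in elem.iter() if e is not elem and local(e.tag) == name), None)

def audit(xml_text):
    """One record per inducement; order "1" is the default when none is given."""
    rows = []
    for obj in ET.fromstring(xml_text):
        for ind in (e for e in obj if local(e.tag) == "inducement"):
            ref, kind = find(ind, "targetRef"), "role"
            if ref is None:
                ref, kind = find(ind, "resourceRef"), "resource"
            order, omax = find(ind, "order"), find(ind, "orderMax")
            rows.append({
                "owner": find(obj, "name").text,
                "grants": f"{kind}:{ref.get('oid')}",
                "order": (order.text if order is not None
                          else f"max={omax.text}" if omax is not None else "1"),
                "conditional": find(ind, "condition") is not None,
            })
    return rows

def review_first(rows):
    """Unbounded order and no condition: the widest grants, check these first."""
    return [r for r in rows if r["order"] == "max=unbounded" and not r["conditional"]]

print(review_first(audit(SAMPLE)))
```

On the sample, the Org inducement is unbounded but gated by the metaRelation condition, so only the STUDENT role's resource construction is returned for review.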