[midPoint] How to make Entitlement association strong / enforced ?
Alcides Carlos de Moraes Neto
alcides.neto at gmail.com
Thu Jan 25 14:16:52 CET 2018
Thanks Ivan, that was it. I didn't notice I could set strength in the
association mapping.
I have a weak construction with a strong mapping, that's a bit crazy, but
it works. :)
My metarole is thus:
    <inducement id="1">
        <description>Group construction</description>
        <construction>
            <resourceRef oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"
                         relation="org:default"
                         type="c:ResourceType"><!-- AD --></resourceRef>
            <kind>entitlement</kind>
            <intent>org-group</intent>
        </construction>
    </inducement>
    <inducement id="2">
        <description>Add users to group</description>
        <construction>
            <strength>weak</strength>
            <resourceRef oid="3341f1ce-f96f-43fe-8bc9-7a9ec051b71b"
                         relation="org:default"
                         type="c:ResourceType"><!-- AD --></resourceRef>
            <kind>account</kind>
            <intent>default</intent>
            <association>
                <c:ref>ri:group</c:ref>
                <tolerant>false</tolerant>
                <outbound>
                    <!-- the missing piece: make the association mapping strong -->
                    <strength>strong</strength>
                    <expression>
                        <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                             xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>org-group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <condition>
            <expression>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>
                        focus.getClass() == com.evolveum.midpoint.xml.ns._public.common.common_3.UserType.class
                            &amp;&amp; (focus.getEmployeeType().contains("TYPE1")
                                || focus.getEmployeeType().contains("TYPE2"))
                    </code>
                </script>
            </expression>
        </condition>
    </inducement>
2018-01-25 6:29 GMT-02:00 Ivan Noris <ivan.noris at evolveum.com>:
> Hi,
>
> can you share the role (in your case probably the metarole)? I think you
> might be missing strong in the outbound mapping for association for order=2
> mapping.
>
> Ivan
>
> On 24.01.2018 23:08, Alcides Carlos de Moraes Neto wrote:
>
> Hello list,
>
> I have an OrgType -> AD Group projection, with construction and entitlement
> association all done in a single Meta Role. This works, the groups are
> created and the Org Members are added to the group.
>
> However, if the AD user account already is a member of any other group,
> it's not added to the Org AD Group. And if I remove a user account from the
> AD group from within Windows Server, midPoint does not create the
> association again. It's behaving like a weak mapping.
> How do I make midPoint enforce the group membership? The association
> definition has the tolerant attribute set to FALSE. I've tried setting
> assignmentPolicyEnforcement to FULL for the resource, it does not work
> either.
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
> --
> Ivan Noris
> Senior Identity Engineer
> evolveum.com
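As an added check (not code from this thread or from midPoint itself), the script below parses a role or metarole XML and flags every entitlement association whose outbound mapping is not strong, which is exactly the condition Ivan pointed out. The sample role is constructed for the example; it uses the midPoint common-3 and resource instance-3 namespace URIs and the element names from the metarole above, and it assumes midPoint's default mapping strength of "normal" when no strength element is present.

```python
"""Flag midPoint association mappings that are not strong.

Added example, not code from the thread or from midPoint. It parses a
role/metarole XML and reports every <association> under a construction
whose <outbound> mapping lacks <strength>strong</strength>, the
configuration that left group membership unenforced in the thread.
"""
import xml.etree.ElementTree as ET

# Constructed sample role: inducement 1 repeats the problem (no strength on
# the outbound mapping), inducement 2 is the corrected form.
SAMPLE_ROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>org-group metarole (constructed sample)</name>
  <inducement id="1">
    <construction>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <tolerant>false</tolerant>
        <outbound>
          <expression><associationFromLink/></expression>
        </outbound>
      </association>
    </construction>
  </inducement>
  <inducement id="2">
    <construction>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <c:ref>ri:group</c:ref>
        <tolerant>false</tolerant>
        <outbound>
          <strength>strong</strength>
          <expression><associationFromLink/></expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>
"""

# midPoint's default mapping strength when <strength> is absent (assumption
# stated in the lead-in).
DEFAULT_STRENGTH = "normal"


def _local(tag):
    """Strip the namespace URI from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem, name, default=None):
    """Stripped text of the named child, or default."""
    child = _child(elem, name)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def check_associations(xml_text):
    """Return one finding per association whose outbound mapping is not strong."""
    root = ET.fromstring(xml_text)
    findings = []
    for inducement in root.iter():
        if _local(inducement.tag) != "inducement":
            continue
        construction = _child(inducement, "construction")
        if construction is None:
            continue
        for assoc in construction:
            if _local(assoc.tag) != "association":
                continue
            outbound = _child(assoc, "outbound")
            # No outbound at all means nothing is pushed to the resource.
            strength = (_text(outbound, "strength", DEFAULT_STRENGTH)
                        if outbound is not None else "none")
            if strength == "strong":
                continue
            findings.append({
                "inducement": inducement.get("id"),
                "ref": _text(assoc, "ref", "?"),
                "tolerant": _text(assoc, "tolerant", "true"),
                "strength": strength,
            })
    return findings


if __name__ == "__main__":
    for f in check_associations(SAMPLE_ROLE):
        print(f"inducement {f['inducement']}: association {f['ref']} has "
              f"{f['strength']} outbound mapping (tolerant={f['tolerant']}); "
              "membership will not be enforced")
```

Run against the sample, it reports only inducement 1; running it over exported roles before import is a cheap way to catch an association that is declared non-tolerant but whose mapping is not strong enough to re-assert the membership.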