[midPoint] Role assignment from db table

Justin Stanczak rizenine at gmail.com
Tue Apr 9 16:48:26 CEST 2019


Here's what I just tried this morning. I can get the account to link but
the role does not get added.

<schema>
    <cachingMetadata>
        <retrievalTimestamp>2019-04-09T09:36:54.692-04:00</retrievalTimestamp>
        <serialNumber>5f04ae80be872350-b2c11dd7e1f3fd2d</serialNumber>
    </cachingMetadata>
    <definition>
        <xsd:schema xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
                    xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
                    xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    elementFormDefault="qualified"
                    targetNamespace="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
            <xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
            <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"/>
            <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>
            <xsd:complexType name="AccountObjectClass">
                <xsd:annotation>
                    <xsd:appinfo>
                        <ra:resourceObject/>
                        <ra:identifier>icfs:uid</ra:identifier>
                        <ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
                        <ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
                        <ra:namingAttribute>icfs:name</ra:namingAttribute>
                        <ra:nativeObjectClass>__ACCOUNT__</ra:nativeObjectClass>
                        <ra:kind>account</ra:kind>
                        <ra:default>true</ra:default>
                    </xsd:appinfo>
                </xsd:annotation>
                <xsd:sequence>
                    <xsd:element name="ROLE" type="xsd:string">
                        <xsd:annotation>
                            <xsd:appinfo>
                                <a:displayOrder>120</a:displayOrder>
                                <ra:frameworkAttributeName>ROLE</ra:frameworkAttributeName>
                            </xsd:appinfo>
                        </xsd:annotation>
                    </xsd:element>
                    <xsd:element ref="icfs:name">
                        <xsd:annotation>
                            <xsd:appinfo>
                                <a:displayName>ConnId Name</a:displayName>
                                <a:displayOrder>110</a:displayOrder>
                                <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
                            </xsd:appinfo>
                        </xsd:annotation>
                    </xsd:element>
                    <xsd:element name="BANNERID" type="xsd:decimal">
                        <xsd:annotation>
                            <xsd:appinfo>
                                <a:displayOrder>130</a:displayOrder>
                                <ra:frameworkAttributeName>BANNERID</ra:frameworkAttributeName>
                            </xsd:appinfo>
                        </xsd:annotation>
                    </xsd:element>
                    <xsd:element minOccurs="0" ref="icfs:uid">
                        <xsd:annotation>
                            <xsd:appinfo>
                                <a:displayName>ConnId UID</a:displayName>
                                <a:displayOrder>100</a:displayOrder>
                                <a:access>read</a:access>
                            </xsd:appinfo>
                        </xsd:annotation>
                    </xsd:element>
                </xsd:sequence>
            </xsd:complexType>
        </xsd:schema>
    </definition>
</schema>
<schemaHandling>
    <objectType id="169">
        <kind>account</kind>
        <default>true</default>
        <objectClass>ri:AccountObjectClass</objectClass>
        <association id="371">
            <c:ref>ri:group</c:ref>
            <tolerant>false</tolerant>
            <exclusiveStrong>false</exclusiveStrong>
            <inbound id="372">
                <authoritative>false</authoritative>
                <exclusive>false</exclusive>
                <strength>strong</strength>
                <expression>
                    <value>
                        <targetRef oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
                    </value>
                </expression>
                <target>
                    <c:path>assignment</c:path>
                </target>
            </inbound>
            <kind>entitlement</kind>
            <intent>group</intent>
            <direction>objectToSubject</direction>
            <associationAttribute>ri:ROLE</associationAttribute>
            <valueAttribute>icfs:name</valueAttribute>
            <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        </association>
    </objectType>
    <objectType id="369">
        <kind>entitlement</kind>
        <intent>group</intent>
        <default>false</default>
        <objectClass>ri:AccountObjectClass</objectClass>
    </objectType>
</schemaHandling>
<synchronization>
    <objectSynchronization>
        <kind>account</kind>
        <enabled>true</enabled>
        <correlation>
            <q:equal>
                <q:path>c:name</q:path>
                <expression xmlns="">
                    <path>$account/attributes/icfs:name</path>
                </expression>
            </q:equal>
        </correlation>
        <reconcile>false</reconcile>
        <reaction>
            <situation>unlinked</situation>
            <synchronize>true</synchronize>
            <reconcile>false</reconcile>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
    </objectSynchronization>
    <objectSynchronization>
        <kind>entitlement</kind>
        <intent>group</intent>
        <enabled>true</enabled>
        <correlation>
            <q:equal>
                <q:path>c:name</q:path>
                <expression xmlns="">
                    <path>$account/attributes/ri:ROLE</path>
                </expression>
            </q:equal>
        </correlation>
        <reconcile>false</reconcile>
        <reaction>
            <situation>unlinked</situation>
            <reconcile>false</reconcile>
            <action>
                <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
            </action>
        </reaction>
    </objectSynchronization>
</synchronization>

On Tue, Apr 9, 2019 at 9:49 AM Jason Everling <jeverling at bshp.edu> wrote:

> The sample is using a condition to check for the role type attribute that
> is set to 'auto' and then it is matching name that equals 'auto' + the name
> of the entitlement. You can try it for dev purposes without the condition
> and then adjust the script to return entitlement?.getName(); You can also
> post your definition for association here.
>
>
> On Mon, Apr 8, 2019 at 3:08 PM Justin Stanczak <rizenine at gmail.com> wrote:
>
>> I do have a default role assigned in the user template. I tried the
>> associations from (
>> https://wiki.evolveum.com/display/midPoint/Inbound+Mapping) the docs but
>> I can't get it to work. Not sure what I'm doing wrong. Some of the docs
>> seem to be incomplete. I'm inducing resources and assigning roles. I'm a
>> bit unsure about the intent and entitlement part of associations. Thanks.
>>
>>
>> <objectTemplate .....
>>     <mapping id="2">
>>         <name>end user role</name>
>>         <strength>strong</strength>
>>         <expression>
>>             <assignmentTargetSearch xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                     xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">
>>                 <targetType>c:RoleType</targetType>
>>                 <oid>9a355bd4-07b3-44e5-8708-caa43e94c2b6</oid>
>>             </assignmentTargetSearch>
>>         </expression>
>>         <target>
>>             <c:path>assignment</c:path>
>>         </target>
>>     </mapping>
>> .....objectTemplate >
>>
>>
>>
>> On Mon, Apr 8, 2019 at 3:47 PM Jason Everling <jeverling at bshp.edu> wrote:
>>
>>> Looks like it is trying to replace the end user role, but that is
>>> assigned from a strong condition in your default user template. You can
>>> create inbound assignment mappings from association.
>>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
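The association inbound mapping Jason describes above, written out as an added example (not code from the thread or from midPoint's own samples): instead of binding one fixed targetRef as in Justin's definition, the role is searched by name, the name coming from the entitlement shadow that the ROLE column was matched to. It assumes the resource root declares the c: and q: prefixes as Justin's fragment does, that a RoleType exists in midPoint for each distinct ROLE value with exactly that name (a constructed assumption), and it leaves out the 'auto' role-type condition, as Jason suggests for testing.

```xml
<!-- Added example, not from the thread. Replaces the <value><targetRef .../></value>
     evaluator in Justin's association 371 with a search by role name.
     Assumption: one RoleType per ROLE value, named exactly like the ROLE value,
     because valueAttribute is icfs:name and the entitlement shadow's name
     therefore equals the ROLE column content. -->
<association>
    <c:ref>ri:group</c:ref>
    <inbound>
        <!-- No <condition> here: Jason's sample gates the mapping on a role-type
             attribute equal to 'auto'; it is omitted for dev testing as he suggests. -->
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>c:name</q:path>
                        <expression>
                            <script>
                                <!-- 'entitlement' is the entitlement shadow this
                                     account's ROLE value resolved to; its name is
                                     the value used to find the midPoint role. -->
                                <code>return entitlement?.getName()</code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <c:path>assignment</c:path>
        </target>
    </inbound>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:ROLE</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
</association>
```

If no role with that name exists the search returns nothing and no assignment is created, so a row whose ROLE value has no matching midPoint role is the first thing to check when the account links but the role is missing.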