[midPoint] Role assignment from db table
Jason Everling
jeverling at bshp.edu
Tue Apr 9 17:04:29 CEST 2019
What is this? Are you trying to just assign the same role to everyone? You
can assign a role to everyone using your user template, like the end user
role:
<expression>
<value>
<targetRef
oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
</value>
</expression>
JASON
On Tue, Apr 9, 2019 at 9:49 AM Justin Stanczak <rizenine at gmail.com> wrote:
> Here's what I just tried this morning. I can get the account to link but
> the role does not get added.
>
> <schema>
> <cachingMetadata>
>
> <retrievalTimestamp>2019-04-09T09:36:54.692-04:00</retrievalTimestamp>
> <serialNumber>5f04ae80be872350-b2c11dd7e1f3fd2d</serialNumber>
> </cachingMetadata>
> <definition>
> <xsd:schema xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
> xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
> xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> elementFormDefault="qualified"
> targetNamespace="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
> <xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
> <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"/>
> <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>
> <xsd:complexType name="AccountObjectClass">
> <xsd:annotation>
> <xsd:appinfo>
> <ra:resourceObject/>
> <ra:identifier>icfs:uid</ra:identifier>
>
> <ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
>
> <ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
>
> <ra:namingAttribute>icfs:name</ra:namingAttribute>
>
> <ra:nativeObjectClass>__ACCOUNT__</ra:nativeObjectClass>
> <ra:kind>account</ra:kind>
> <ra:default>true</ra:default>
> </xsd:appinfo>
> </xsd:annotation>
> <xsd:sequence>
> <xsd:element name="ROLE" type="xsd:string">
> <xsd:annotation>
> <xsd:appinfo>
> <a:displayOrder>120</a:displayOrder>
>
> <ra:frameworkAttributeName>ROLE</ra:frameworkAttributeName>
> </xsd:appinfo>
> </xsd:annotation>
> </xsd:element>
> <xsd:element ref="icfs:name">
> <xsd:annotation>
> <xsd:appinfo>
> <a:displayName>ConnId Name</a:displayName>
> <a:displayOrder>110</a:displayOrder>
>
> <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
> </xsd:appinfo>
> </xsd:annotation>
> </xsd:element>
> <xsd:element name="BANNERID" type="xsd:decimal">
> <xsd:annotation>
> <xsd:appinfo>
> <a:displayOrder>130</a:displayOrder>
>
> <ra:frameworkAttributeName>BANNERID</ra:frameworkAttributeName>
> </xsd:appinfo>
> </xsd:annotation>
> </xsd:element>
> <xsd:element minOccurs="0" ref="icfs:uid">
> <xsd:annotation>
> <xsd:appinfo>
> <a:displayName>ConnId UID</a:displayName>
> <a:displayOrder>100</a:displayOrder>
> <a:access>read</a:access>
> </xsd:appinfo>
> </xsd:annotation>
> </xsd:element>
> </xsd:sequence>
> </xsd:complexType>
> </xsd:schema>
> </definition>
> </schema>
> <schemaHandling>
> <objectType id="169">
> <kind>account</kind>
> <default>true</default>
> <objectClass>ri:AccountObjectClass</objectClass>
> <association id="371">
> <c:ref>ri:group</c:ref>
> <tolerant>false</tolerant>
> <exclusiveStrong>false</exclusiveStrong>
> <inbound id="372">
> <authoritative>false</authoritative>
> <exclusive>false</exclusive>
> <strength>strong</strength>
> <expression>
> <value>
> <targetRef
> oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
> </value>
> </expression>
> <target>
> <c:path>assignment</c:path>
> </target>
> </inbound>
> <kind>entitlement</kind>
> <intent>group</intent>
> <direction>objectToSubject</direction>
> <associationAttribute>ri:ROLE</associationAttribute>
> <valueAttribute>icfs:name</valueAttribute>
>
> <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
> </association>
> </objectType>
> <objectType id="369">
> <kind>entitlement</kind>
> <intent>group</intent>
> <default>false</default>
> <objectClass>ri:AccountObjectClass</objectClass>
> </objectType>
> </schemaHandling>
> <synchronization>
> <objectSynchronization>
> <kind>account</kind>
> <enabled>true</enabled>
> <correlation>
> <q:equal>
> <q:path>c:name</q:path>
> <expression xmlns="">
> <path>$account/attributes/icfs:name</path>
> </expression>
> </q:equal>
> </correlation>
> <reconcile>false</reconcile>
> <reaction>
> <situation>unlinked</situation>
> <synchronize>true</synchronize>
> <reconcile>false</reconcile>
> <action>
> <handlerUri>
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#link
> </handlerUri>
> </action>
> </reaction>
> </objectSynchronization>
> <objectSynchronization>
> <kind>entitlement</kind>
> <intent>group</intent>
> <enabled>true</enabled>
> <correlation>
> <q:equal>
> <q:path>c:name</q:path>
> <expression xmlns="">
> <path>$account/attributes/ri:ROLE</path>
> </expression>
> </q:equal>
> </correlation>
> <reconcile>false</reconcile>
> <reaction>
> <situation>unlinked</situation>
> <reconcile>false</reconcile>
> <action>
> <handlerUri>
> http://midpoint.evolveum.com/xml/ns/public/model/action-3#link
> </handlerUri>
> </action>
> </reaction>
> </objectSynchronization>
> </synchronization>
>
> On Tue, Apr 9, 2019 at 9:49 AM Jason Everling <jeverling at bshp.edu> wrote:
>
>> The sample is using a condition to check for the role type attribute that
>> is set to 'auto' and then it is matching name that equals 'auto' + the name
>> of the entitlement. You can try it for dev purposes without the condition
>> and then adjust the script to return entitlement?.getName(). You can
>> also post your definition for association here.
>>
>>
>> On Mon, Apr 8, 2019 at 3:08 PM Justin Stanczak <rizenine at gmail.com>
>> wrote:
>>
>>> I do have a default role assigned in the user template. I tried the
>>> associations from (
>>> https://wiki.evolveum.com/display/midPoint/Inbound+Mapping) the docs
>>> but I can't get it to work. Not sure what I'm doing wrong. Some of the docs
>>> seem to be incomplete. I'm inducing resources and assigning roles. I'm a
>>> bit unsure about the intent and entitlement part of associations. Thanks.
>>>
>>>
>>> <objectTemplate .....
>>> <mapping id="2">
>>> <name>end user role</name>
>>> <strength>strong</strength>
>>> <expression>
>>> <assignmentTargetSearch
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">
>>> <targetType>c:RoleType</targetType>
>>> <oid>9a355bd4-07b3-44e5-8708-caa43e94c2b6</oid>
>>> </assignmentTargetSearch>
>>> </expression>
>>> <target>
>>> <c:path>assignment</c:path>
>>> </target>
>>> </mapping>
>>> .....objectTemplate >
>>>
>>>
>>>
>>> On Mon, Apr 8, 2019 at 3:47 PM Jason Everling <jeverling at bshp.edu>
>>> wrote:
>>>
>>>> looks like it is trying to replace the end user role but that is
>>>> assigned from a strong condition in your default user template. You can
>>>> create inbound assignment mappings from association.
>>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
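As an added example (not from either poster's configuration), here is the ri:group association from the quoted schemaHandling with its inbound rewritten the way Jason describes: instead of the one fixed targetRef, which would hand every row of the table the same role, the assignment target is searched by name derived from the entitlement. Assumed for this example: the roles that the table is allowed to grant are named 'auto' followed by the ROLE value (the convention from the docs sample Jason refers to), the entitlement shadow is available to the inbound script as the variable `entitlement`, and the c:, q: and ri: prefixes are declared as in the rest of the resource.

```xml
<!-- Added example, not the original poster's config. Assumes roles are named
     'auto' + ROLE value, that `entitlement` is the script variable for the
     entitlement shadow, and that c:/q:/ri: prefixes are declared elsewhere. -->
<association id="371">
    <c:ref>ri:group</c:ref>
    <tolerant>false</tolerant>
    <exclusiveStrong>false</exclusiveStrong>
    <inbound id="372">
        <authoritative>false</authoritative>
        <exclusive>false</exclusive>
        <strength>strong</strength>
        <expression>
            <!-- Search for the role rather than naming one oid: each distinct
                 ROLE value resolves to its own role object. -->
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <script>
                                <!-- Fixed prefix: a table value can only resolve to a
                                     role that was deliberately created to be
                                     table-driven, never to an arbitrary role. -->
                                <code>'auto' + entitlement?.getName()</code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <c:path>assignment</c:path>
        </target>
    </inbound>
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:ROLE</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
</association>
```

The reason to keep the 'auto' prefix rather than returning entitlement?.getName() directly is scope: an inbound mapping like this makes the database table an authority for role membership, and with the prefix a stray or tampered ROLE value can only ever point at a role you created for this purpose, not at any other role in midPoint. Dropping the prefix, as Jason suggests for dev testing, is fine for diagnosing why the assignment is not created, but it should go back in before the resource is authoritative for real users.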