[midPoint] Role assignment from db table

Justin Stanczak rizenine at gmail.com
Tue Apr 9 17:13:13 CEST 2019


In this test version, I'm trying to assign the same role just for testing.
I wanted to see if I could just get a user assigned to this static role.


             *   <inbound id="372">*
*                    <authoritative>false</authoritative>*
*                    <exclusive>false</exclusive>*
*                    <strength>strong</strength>*
*                    <expression>*
*                        <value>*
*                            <targetRef
oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>*
*                        </value>*
*                    </expression>*
*                    <target>*
*                        <c:path>assignment</c:path>*
*                    </target>*
*                </inbound>*




On Tue, Apr 9, 2019 at 11:06 AM Jason Everling <jeverling at bshp.edu> wrote:

> what is this? are you trying to just assign the same role to everyone? You
> can assign a role to everyone using your user template like the end user
> role
>
>                     <expression>
>                         <value>
>                             <targetRef
> oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
>                         </value>
>                     </expression>
>
>
> JASON
>
>
> On Tue, Apr 9, 2019 at 9:49 AM Justin Stanczak <rizenine at gmail.com> wrote:
>
>> Here's what I just tried this morning. I can get the account to link but
>> the role does not get added.
>>
>> <schema>
>>         <cachingMetadata>
>>
>> <retrievalTimestamp>2019-04-09T09:36:54.692-04:00</retrievalTimestamp>
>>             <serialNumber>5f04ae80be872350-b2c11dd7e1f3fd2d</serialNumber>
>>         </cachingMetadata>
>>         <definition>
>>             <xsd:schema xmlns:a="
>> http://prism.evolveum.com/xml/ns/public/annotation-3" xmlns:ra="
>> http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
>> xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> elementFormDefault="qualified" targetNamespace="
>> http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>>                 <xsd:import namespace="
>> http://prism.evolveum.com/xml/ns/public/annotation-3"/>
>>                 <xsd:import namespace="
>> http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3
>> "/>
>>                 <xsd:import namespace="
>> http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>
>>                 <xsd:complexType name="AccountObjectClass">
>>                     <xsd:annotation>
>>                         <xsd:appinfo>
>>                             <ra:resourceObject/>
>>                             <ra:identifier>icfs:uid</ra:identifier>
>>
>> <ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
>>
>> <ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
>>
>> <ra:namingAttribute>icfs:name</ra:namingAttribute>
>>
>> <ra:nativeObjectClass>__ACCOUNT__</ra:nativeObjectClass>
>>                             <ra:kind>account</ra:kind>
>>                             <ra:default>true</ra:default>
>>                         </xsd:appinfo>
>>                     </xsd:annotation>
>>                     <xsd:sequence>
>>                         <xsd:element name="ROLE" type="xsd:string">
>>                             <xsd:annotation>
>>                                 <xsd:appinfo>
>>                                     <a:displayOrder>120</a:displayOrder>
>>
>> <ra:frameworkAttributeName>ROLE</ra:frameworkAttributeName>
>>                                 </xsd:appinfo>
>>                             </xsd:annotation>
>>                         </xsd:element>
>>                         <xsd:element ref="icfs:name">
>>                             <xsd:annotation>
>>                                 <xsd:appinfo>
>>                                     <a:displayName>ConnId
>> Name</a:displayName>
>>                                     <a:displayOrder>110</a:displayOrder>
>>
>> <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
>>                                 </xsd:appinfo>
>>                             </xsd:annotation>
>>                         </xsd:element>
>>                         <xsd:element name="BANNERID" type="xsd:decimal">
>>                             <xsd:annotation>
>>                                 <xsd:appinfo>
>>                                     <a:displayOrder>130</a:displayOrder>
>>
>> <ra:frameworkAttributeName>BANNERID</ra:frameworkAttributeName>
>>                                 </xsd:appinfo>
>>                             </xsd:annotation>
>>                         </xsd:element>
>>                         <xsd:element minOccurs="0" ref="icfs:uid">
>>                             <xsd:annotation>
>>                                 <xsd:appinfo>
>>                                     <a:displayName>ConnId
>> UID</a:displayName>
>>                                     <a:displayOrder>100</a:displayOrder>
>>                                     <a:access>read</a:access>
>>                                 </xsd:appinfo>
>>                             </xsd:annotation>
>>                         </xsd:element>
>>                     </xsd:sequence>
>>                 </xsd:complexType>
>>             </xsd:schema>
>>         </definition>
>>     </schema>
>>     <schemaHandling>
>>         <objectType id="169">
>>             <kind>account</kind>
>>             <default>true</default>
>>             <objectClass>ri:AccountObjectClass</objectClass>
>>             <association id="371">
>>                 <c:ref>ri:group</c:ref>
>>                 <tolerant>false</tolerant>
>>                 <exclusiveStrong>false</exclusiveStrong>
>>                 <inbound id="372">
>>                     <authoritative>false</authoritative>
>>                     <exclusive>false</exclusive>
>>                     <strength>strong</strength>
>>                     <expression>
>>                         <value>
>>                             <targetRef
>> oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
>>                         </value>
>>                     </expression>
>>                     <target>
>>                         <c:path>assignment</c:path>
>>                     </target>
>>                 </inbound>
>>                 <kind>entitlement</kind>
>>                 <intent>group</intent>
>>                 <direction>objectToSubject</direction>
>>                 <associationAttribute>ri:ROLE</associationAttribute>
>>                 <valueAttribute>icfs:name</valueAttribute>
>>
>> <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>             </association>
>>         </objectType>
>>         <objectType id="369">
>>             <kind>entitlement</kind>
>>             <intent>group</intent>
>>             <default>false</default>
>>             <objectClass>ri:AccountObjectClass</objectClass>
>>         </objectType>
>>     </schemaHandling>
>>     <synchronization>
>>         <objectSynchronization>
>>             <kind>account</kind>
>>             <enabled>true</enabled>
>>             <correlation>
>>                 <q:equal>
>>                     <q:path>c:name</q:path>
>>                     <expression xmlns="">
>>                         <path>$account/attributes/icfs:name</path>
>>                     </expression>
>>                 </q:equal>
>>             </correlation>
>>             <reconcile>false</reconcile>
>>             <reaction>
>>                 <situation>unlinked</situation>
>>                 <synchronize>true</synchronize>
>>                 <reconcile>false</reconcile>
>>                 <action>
>>                     <handlerUri>
>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#link
>> </handlerUri>
>>                 </action>
>>             </reaction>
>>         </objectSynchronization>
>>         <objectSynchronization>
>>             <kind>entitlement</kind>
>>             <intent>group</intent>
>>             <enabled>true</enabled>
>>             <correlation>
>>                 <q:equal>
>>                     <q:path>c:name</q:path>
>>                     <expression xmlns="">
>>                         <path>$account/attributes/ri:ROLE</path>
>>                     </expression>
>>                 </q:equal>
>>             </correlation>
>>             <reconcile>false</reconcile>
>>             <reaction>
>>                 <situation>unlinked</situation>
>>                 <reconcile>false</reconcile>
>>                 <action>
>>                     <handlerUri>
>> http://midpoint.evolveum.com/xml/ns/public/model/action-3#link
>> </handlerUri>
>>                 </action>
>>             </reaction>
>>         </objectSynchronization>
>>     </synchronization>
>>
>> On Tue, Apr 9, 2019 at 9:49 AM Jason Everling <jeverling at bshp.edu> wrote:
>>
>>> The sample is using a condition to check for the role type attribute
>>> that is set to 'auto' and then it is matching name that equals 'auto' + the
>>> name of the entitlement . You can try it for dev purposes without the
>>> condition and then adjust the script to return entitlement?.getName(); You
>>> can also post your definition for association here,
>>>
>>>
>>> On Mon, Apr 8, 2019 at 3:08 PM Justin Stanczak <rizenine at gmail.com>
>>> wrote:
>>>
>>>> I do have a default role assigned in the user template. I tried the
>>>> associations from (
>>>> https://wiki.evolveum.com/display/midPoint/Inbound+Mapping) the docs
>>>> but I can't get it to work. Not sure what I'm doing wrong. Some of the docs
>>>> seem to be incomplete. I'm inducing resources and assigning roles. I'm a
>>>> bit unsure about the intent and entitlement part of associations. Thanks.
>>>>
>>>>
>>>> <objectTemplate .....
>>>> *    <mapping id="2">*
>>>> *        <name>end user role</name>*
>>>> *        <strength>strong</strength>*
>>>> *        <expression>*
>>>> *            <assignmentTargetSearch
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance
>>>> <http://www.w3.org/2001/XMLSchema-instance>"
>>>> xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">*
>>>> *                <targetType>c:RoleType</targetType>*
>>>> *                <oid>9a355bd4-07b3-44e5-8708-caa43e94c2b6</oid>*
>>>> *            </assignmentTargetSearch>*
>>>> *        </expression>*
>>>> *        <target>*
>>>> *            <c:path>assignment</c:path>*
>>>> *        </target>*
>>>> *    </mapping>*
>>>> .....objectTemplate >
>>>>
>>>>
>>>>
>>>> On Mon, Apr 8, 2019 at 3:47 PM Jason Everling <jeverling at bshp.edu>
>>>> wrote:
>>>>
>>>>> looks like it is trying to replace the end user role but that is
>>>>> assigned from a strong condition in your default user template. You can
>>>>> create inbound assignment mappings from association.
>>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190409/5ddd1cf7/attachment.htm>


More information about the midPoint mailing list