[midPoint] Role assignment from db table
Justin Stanczak
rizenine at gmail.com
Tue Apr 9 17:13:13 CEST 2019
In this test version, I'm trying to assign the same role just for testing.
I wanted to see if I could just get a user assigned to this static role.
<inbound id="372">
    <authoritative>false</authoritative>
    <exclusive>false</exclusive>
    <strength>strong</strength>
    <expression>
        <value>
            <targetRef oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
        </value>
    </expression>
    <target>
        <c:path>assignment</c:path>
    </target>
</inbound>
On Tue, Apr 9, 2019 at 11:06 AM Jason Everling <jeverling at bshp.edu> wrote:
> What is this? Are you trying to just assign the same role to everyone? You
> can assign a role to everyone using your user template, like the end user
> role:
>
> <expression>
>     <value>
>         <targetRef oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
>     </value>
> </expression>
>
>
> JASON
>
>
> On Tue, Apr 9, 2019 at 9:49 AM Justin Stanczak <rizenine at gmail.com> wrote:
>
>> Here's what I just tried this morning. I can get the account to link but
>> the role does not get added.
>>
>> <schema>
>>   <cachingMetadata>
>>     <retrievalTimestamp>2019-04-09T09:36:54.692-04:00</retrievalTimestamp>
>>     <serialNumber>5f04ae80be872350-b2c11dd7e1f3fd2d</serialNumber>
>>   </cachingMetadata>
>>   <definition>
>>     <xsd:schema xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
>>                 xmlns:ra="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"
>>                 xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>                 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>                 elementFormDefault="qualified"
>>                 targetNamespace="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
>>       <xsd:import namespace="http://prism.evolveum.com/xml/ns/public/annotation-3"/>
>>       <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"/>
>>       <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/resource/annotation-3"/>
>>       <xsd:complexType name="AccountObjectClass">
>>         <xsd:annotation>
>>           <xsd:appinfo>
>>             <ra:resourceObject/>
>>             <ra:identifier>icfs:uid</ra:identifier>
>>             <ra:secondaryIdentifier>icfs:name</ra:secondaryIdentifier>
>>             <ra:displayNameAttribute>icfs:name</ra:displayNameAttribute>
>>             <ra:namingAttribute>icfs:name</ra:namingAttribute>
>>             <ra:nativeObjectClass>__ACCOUNT__</ra:nativeObjectClass>
>>             <ra:kind>account</ra:kind>
>>             <ra:default>true</ra:default>
>>           </xsd:appinfo>
>>         </xsd:annotation>
>>         <xsd:sequence>
>>           <xsd:element name="ROLE" type="xsd:string">
>>             <xsd:annotation>
>>               <xsd:appinfo>
>>                 <a:displayOrder>120</a:displayOrder>
>>                 <ra:frameworkAttributeName>ROLE</ra:frameworkAttributeName>
>>               </xsd:appinfo>
>>             </xsd:annotation>
>>           </xsd:element>
>>           <xsd:element ref="icfs:name">
>>             <xsd:annotation>
>>               <xsd:appinfo>
>>                 <a:displayName>ConnId Name</a:displayName>
>>                 <a:displayOrder>110</a:displayOrder>
>>                 <ra:frameworkAttributeName>__NAME__</ra:frameworkAttributeName>
>>               </xsd:appinfo>
>>             </xsd:annotation>
>>           </xsd:element>
>>           <xsd:element name="BANNERID" type="xsd:decimal">
>>             <xsd:annotation>
>>               <xsd:appinfo>
>>                 <a:displayOrder>130</a:displayOrder>
>>                 <ra:frameworkAttributeName>BANNERID</ra:frameworkAttributeName>
>>               </xsd:appinfo>
>>             </xsd:annotation>
>>           </xsd:element>
>>           <xsd:element minOccurs="0" ref="icfs:uid">
>>             <xsd:annotation>
>>               <xsd:appinfo>
>>                 <a:displayName>ConnId UID</a:displayName>
>>                 <a:displayOrder>100</a:displayOrder>
>>                 <a:access>read</a:access>
>>               </xsd:appinfo>
>>             </xsd:annotation>
>>           </xsd:element>
>>         </xsd:sequence>
>>       </xsd:complexType>
>>     </xsd:schema>
>>   </definition>
>> </schema>
>> <schemaHandling>
>>   <objectType id="169">
>>     <kind>account</kind>
>>     <default>true</default>
>>     <objectClass>ri:AccountObjectClass</objectClass>
>>     <association id="371">
>>       <c:ref>ri:group</c:ref>
>>       <tolerant>false</tolerant>
>>       <exclusiveStrong>false</exclusiveStrong>
>>       <inbound id="372">
>>         <authoritative>false</authoritative>
>>         <exclusive>false</exclusive>
>>         <strength>strong</strength>
>>         <expression>
>>           <value>
>>             <targetRef oid="c50396ff-14a7-423e-a513-ff28c8bc91ee" type="c:RoleType"/>
>>           </value>
>>         </expression>
>>         <target>
>>           <c:path>assignment</c:path>
>>         </target>
>>       </inbound>
>>       <kind>entitlement</kind>
>>       <intent>group</intent>
>>       <direction>objectToSubject</direction>
>>       <associationAttribute>ri:ROLE</associationAttribute>
>>       <valueAttribute>icfs:name</valueAttribute>
>>       <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
>>     </association>
>>   </objectType>
>>   <objectType id="369">
>>     <kind>entitlement</kind>
>>     <intent>group</intent>
>>     <default>false</default>
>>     <objectClass>ri:AccountObjectClass</objectClass>
>>   </objectType>
>> </schemaHandling>
>> <synchronization>
>>   <objectSynchronization>
>>     <kind>account</kind>
>>     <enabled>true</enabled>
>>     <correlation>
>>       <q:equal>
>>         <q:path>c:name</q:path>
>>         <expression xmlns="">
>>           <path>$account/attributes/icfs:name</path>
>>         </expression>
>>       </q:equal>
>>     </correlation>
>>     <reconcile>false</reconcile>
>>     <reaction>
>>       <situation>unlinked</situation>
>>       <synchronize>true</synchronize>
>>       <reconcile>false</reconcile>
>>       <action>
>>         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>>       </action>
>>     </reaction>
>>   </objectSynchronization>
>>   <objectSynchronization>
>>     <kind>entitlement</kind>
>>     <intent>group</intent>
>>     <enabled>true</enabled>
>>     <correlation>
>>       <q:equal>
>>         <q:path>c:name</q:path>
>>         <expression xmlns="">
>>           <path>$account/attributes/ri:ROLE</path>
>>         </expression>
>>       </q:equal>
>>     </correlation>
>>     <reconcile>false</reconcile>
>>     <reaction>
>>       <situation>unlinked</situation>
>>       <reconcile>false</reconcile>
>>       <action>
>>         <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#link</handlerUri>
>>       </action>
>>     </reaction>
>>   </objectSynchronization>
>> </synchronization>
>>
>> On Tue, Apr 9, 2019 at 9:49 AM Jason Everling <jeverling at bshp.edu> wrote:
>>
>>> The sample is using a condition to check for the role type attribute
>>> that is set to 'auto' and then it is matching name that equals 'auto' + the
>>> name of the entitlement. You can try it for dev purposes without the
>>> condition and then adjust the script to return entitlement?.getName(); You
>>> can also post your definition for association here.
>>>
>>>
>>> On Mon, Apr 8, 2019 at 3:08 PM Justin Stanczak <rizenine at gmail.com>
>>> wrote:
>>>
>>>> I do have a default role assigned in the user template. I tried the
>>>> associations from (
>>>> https://wiki.evolveum.com/display/midPoint/Inbound+Mapping) the docs
>>>> but I can't get it to work. Not sure what I'm doing wrong. Some of the docs
>>>> seem to be incomplete. I'm inducing resources and assigning roles. I'm a
>>>> bit unsure about the intent and entitlement part of associations. Thanks.
>>>>
>>>>
>>>> <objectTemplate .....
>>>>   <mapping id="2">
>>>>     <name>end user role</name>
>>>>     <strength>strong</strength>
>>>>     <expression>
>>>>       <assignmentTargetSearch
>>>>           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>           xsi:type="c:AssignmentTargetSearchExpressionEvaluatorType">
>>>>         <targetType>c:RoleType</targetType>
>>>>         <oid>9a355bd4-07b3-44e5-8708-caa43e94c2b6</oid>
>>>>       </assignmentTargetSearch>
>>>>     </expression>
>>>>     <target>
>>>>       <c:path>assignment</c:path>
>>>>     </target>
>>>>   </mapping>
>>>> .....objectTemplate >
>>>>
>>>>
>>>>
>>>> On Mon, Apr 8, 2019 at 3:47 PM Jason Everling <jeverling at bshp.edu>
>>>> wrote:
>>>>
>>>>> Looks like it is trying to replace the end user role, but that is
>>>>> assigned from a strong condition in your default user template. You can
>>>>> create inbound assignment mappings from association.
>>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
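Added example, not part of the original thread and not the project's own sample: the association inbound that the quoted reply describes, with the condition left out and the role looked up by the entitlement's name instead of a fixed targetRef OID. The association settings, assignmentTargetSearch, targetType and entitlement?.getName() are taken from the messages above; the q:equal filter on the role name, and the assumption that a role exists whose name equals each ROLE value, are this example's own.

```xml
<!-- Added illustration: belongs inside the kind=account <objectType> in <schemaHandling>.
     Prefixes c:, q:, ri: and icfs: are assumed to be declared on the enclosing resource,
     as they are in the configuration posted in the thread. -->
<association>
    <c:ref>ri:group</c:ref>
    <!-- Association settings copied unchanged from the posted configuration -->
    <kind>entitlement</kind>
    <intent>group</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:ROLE</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <inbound>
        <strength>strong</strength>
        <expression>
            <!-- Search for the role rather than returning one static targetRef -->
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <expression>
                            <script>
                                <!-- Assumption: role name == entitlement name, no 'auto' prefix -->
                                <code>return entitlement?.getName()</code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <c:path>assignment</c:path>
        </target>
    </inbound>
</association>
```

With this mapping the role is chosen by a value read from the resource, so whoever can write the ROLE column decides which midPoint role gets assigned. The 'auto' prefix and condition in the sample described in the thread narrow the match to roles meant for automatic assignment.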