[midPoint] Role assignment from db table

Justin Stanczak rizenine at gmail.com
Wed Apr 10 20:05:06 CEST 2019


So from what you've told me, I tried something. This code with a condition
on the target like so:

<target>
    <c:path>assignment</c:path>
    <set>
        <condition>
            <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
                <code>
                    log.info("####### assignment: " + assignment)
                    return false
                </code>
            </script>
        </condition>
    </set>
</target>

Adds the role and keeps all the old assignments. Clearly, this is simple
and, like you all have said, not the midPoint way, as I do have multiple rows
per user and role. This resource is only inbound at this time.

I'm definitely for doing this the correct way. With that in mind I have a
few more questions:

   1. Is using the database connector an issue or presenting the data
   correctly the issue?
   2. The table structure suggested, should I use associations instead of
   attributes?
   3. Would changing to entitlements help? I would still have the
   one-to-many issue, right?

My ultimate goal is to have roles added and removed from midPoint according
to the table updates. This would trigger resource changes via inducements
on said roles.

Thanks.



On Wed, Apr 10, 2019 at 1:13 PM Jason Everling <jeverling at bshp.edu> wrote:

> Alcides is correct, it's why I asked earlier on if they were going to have
> multiple roles, which is one of the limitations of the database table
> connector. If you plan to have outbound updates then you would need to
> switch to a scriptedsql connector because it can use a database view as the
> source data that you will need to manipulate to create a multivalue field
> for your roles, probably using STUFF in SQL, and then when updates
> occur/needed it can write to any database, table and column on your server.
>
> On to your sample, because you don't have a condition it is telling
> midPoint that the person's 'assignment' value should only be this
> value; in an object template it will append values if you have it set that
> way. You would need to use a condition as in Evolveum's sample; the easiest
> way is to identify your roles using the roletype/subtype field.
>
>
>
> On Wed, Apr 10, 2019 at 11:30 AM Alcides Carlos de Moraes Neto <
> alcides.neto at gmail.com> wrote:
>
>> If I'm understanding correctly, you want to create a resource with
>> multiple projections, and each projection would result in a roleAssignment.
>>
>> Unfortunately that's not how resources in midPoint work. You can have
>> multiple projections of the same objectType but only with multiple intents.
>> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>> If you try to import multiple projections to the same focus object, only
>> one will be linked, the other will stay unlinked (I guess? maybe unmatched?)
>>
>> You should structure your table/view like this:
>>
>> USER   ROLES             LASTUPDATE
>> test   student,employee  datetime
>> test2  student           datetime
>>
>> There should be only one line per user. Then you would need to write a
>> script to interpret the ROLES column, splitting it and searching for the
>> roles.
>>
>