[midPoint] Role assignment from db table

Jason Everling jeverling at bshp.edu
Wed Apr 10 20:36:23 CEST 2019


1. It's the database connector
2. switch connector
3. same issue

Switching your resource as it is is not too difficult to scriptedsql, you
just need to edit the resource xml file and then provide the groovy
scripts, I attached one of our database view scripts, the multivalue role
field is memberOf which in the view is separated by a semicolon ; and is
constructed using STUFF in sql. I removed many of the column names and
trimmed down the sql script but you can get the idea of how easy it is to
move the scriptedsql. The update script is the same except you use standard
UPDATE/DELETE sql statements.


On Wed, Apr 10, 2019 at 1:05 PM Justin Stanczak <rizenine at gmail.com> wrote:

> So from what you've told me, I tried something. This code with a condition
> on the target like so:
>
> <target>
>     <c:path>assignment</c:path>
>     <set>
>         <condition>
>             <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                 <code>
>                     log.info("####### assignment: " + assignment)
>                     return false
>                 </code>
>             </script>
>         </condition>
>     </set>
> </target>
>
> Adds the role and keeps all the old assignments. Clearly, this is simple
> and like you all have said not the midpoint way as I do have multiple rows
> per user and role. This resource is only inbound at this time.
>
> I'm definitely for doing this the correct way. With that in mind I have a
> few more questions:
>
>    1. Is using the database connector an issue or presenting the data
>    correctly the issue?
>    2. The table structure suggested, should I use associations instead of
>    attributes?
>    3. Would changing to entitlements help? I would still have the
>    one-to-many issue, right?
>
> My ultimate goal is to have roles added and removed from midpoint
> according to the table updates. This would trigger resource changes via
> inducements on said roles.
>
> Thanks.
>
>
>
> On Wed, Apr 10, 2019 at 1:13 PM Jason Everling <jeverling at bshp.edu> wrote:
>
>> Alcides is correct, it's why I asked earlier on if they were going to have
>> multiple roles, which is one of the limitations of the database table
>> connector. If you plan to have outbound updates then you would need to
>> switch to a scriptedsql connector because it can use a database view as the
>> source data that you will need to manipulate to create a multivalue field
>> for your roles, probably using STUFF in sql, and then when updates
>> occur/needed it can write to any database, table and column on your server.
>>
>> On to your sample, because you don't have a condition it is telling
>> midpoint that the person's 'assignment' value should only be this
>> value, in an object template it will append values if you have it set that
>> way. You would need to use a condition as in Evolveum's sample, the easiest
>> way is to identify your roles using the roletype/subtype field.
>>
>>
>>
>> On Wed, Apr 10, 2019 at 11:30 AM Alcides Carlos de Moraes Neto <
>> alcides.neto at gmail.com> wrote:
>>
>>> If I'm understanding correctly, you want to create a resource with
>>> multiple projections, and each projection would result in a roleAssignment.
>>>
>>> Unfortunately that's not how resources in midPoint work. You can have
>>> multiple projections of the same objectType but only with multiple intents.
>>> https://wiki.evolveum.com/display/midPoint/Focus+and+Projections
>>> If you try to import multiple projections to the same focus object, only
>>> one will be linked, the other will stay unlinked (I guess? maybe unmatched?)
>>>
>>> You should structure your table/view like this:
>>>
>>> USER   ROLES             LASTUPDATE
>>> test   student,employee  datetime
>>> test2  student           datetime
>>>
>>> There should be only one line per user. Then you would need to write a
>>> script to interpret the ROLES column, splitting it and searching for the
>>> roles.
>>>
>> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syncScript.groovy
Type: application/octet-stream
Size: 2214 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190410/ea5e3509/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: searchScript.groovy
Type: application/octet-stream
Size: 958 bytes
Desc: not available
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20190410/ea5e3509/attachment-0001.obj>
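
The one-row-per-user view described in this thread (several role rows collapsed into a semicolon-separated memberOf column with STUFF), as an added T-SQL example that is not from the original message or its scrubbed attachments. The table, view and column names other than memberOf and lastupdate are assumptions, and the rows are constructed sample data.

```sql
-- Hypothetical source table: one row per user/role pair, the shape that
-- produced multiple projections per user with the database table connector.
CREATE TABLE dbo.user_roles (
    username   NVARCHAR(64) NOT NULL,
    role_name  NVARCHAR(64) NOT NULL,
    lastupdate DATETIME2    NOT NULL,
    CONSTRAINT pk_user_roles PRIMARY KEY (username, role_name),
    -- The view joins roles with ';', so a role name containing ';' would be
    -- split into two different roles by the consuming script. Reject it here.
    CONSTRAINT ck_role_no_delim CHECK (role_name NOT LIKE N'%;%')
);
GO

-- Constructed sample rows.
INSERT INTO dbo.user_roles (username, role_name, lastupdate) VALUES
    (N'test',  N'student',  '2019-04-10T10:00:00'),
    (N'test',  N'employee', '2019-04-10T11:30:00'),
    (N'test2', N'student',  '2019-04-09T08:15:00');
GO

-- Hypothetical view for the scriptedsql resource: exactly one row per user.
CREATE VIEW dbo.v_user_roles AS
SELECT
    u.username,
    STUFF(
        (
            -- Build ';role1;role2;...' for this user. TYPE + .value() keeps
            -- characters such as & and < from being XML-escaped in the result.
            SELECT N';' + r.role_name
            FROM dbo.user_roles AS r
            WHERE r.username = u.username
            ORDER BY r.role_name          -- stable order, no spurious diffs
            FOR XML PATH(''), TYPE
        ).value('.', 'NVARCHAR(MAX)'),
        1, 1, N''                         -- STUFF removes the leading ';'
    ) AS memberOf,
    MAX(u.lastupdate) AS lastupdate       -- newest change among the user's rows
FROM dbo.user_roles AS u
GROUP BY u.username;
GO

-- What the connector's search/sync script would read.
SELECT username, memberOf, lastupdate
FROM dbo.v_user_roles
ORDER BY username;
```

Because lastupdate here is the MAX over the rows that remain, deleting a role row does not advance it; a sync that filters on lastupdate would miss that revocation unless removals are timestamped as well.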