[midPoint] Problem with associationFromLink metarole (v3.8)

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Mon Feb 11 13:15:11 CET 2019


Hi All!

I have a strange problem with a metarole (association from link) that gives group membership to users on some specified resource.
The metarole is assigned to a parent role "Group: HELPDESK"; this role has an active linkRef (projection) to a resource group shadow.

Association is non-tolerant.

If I assign this role to a midPoint user, the user is correctly assigned to the desired group (HELPDESK) on the target system.
If I unassign this role, the group membership on the resource is removed.
If I add the account to some other group directly on the target system, this membership is removed by midPoint (non-tolerant assoc.).

So far everything is perfectly OK.

But if I remove the user from the "HELPDESK" group directly on the target system, midPoint ignores that and does not recreate the membership, even though the user still has "Group: HELPDESK" assigned.
I tried "reconciliation" of the user and "recompute" of role members; nothing. No changes.

The only way to recreate group membership is to unassign "Group: HELPDESK" in midPoint and assign it again.

For testing purposes I made a role that assigns the group "HELPDESK" using a simple "shadowRef", and this is working OK.


The metarole construction:

    <inducement id="1">
       <construction>
          <strength>weak</strength>
          <resourceRef relation="org:default" type="c:ResourceType">
             <filter>
                <q:inOid>
                   <expression>
                      <script>
                         <code>
                             return basic.getPropertyValue(immediateRole, "extension/resourceRef");
                         </code>
                      </script>
                   </expression>
                </q:inOid>
             </filter>
             <resolutionTime>run</resolutionTime>
          </resourceRef>
          <kind>entitlement</kind>
          <intent>groups</intent>
       </construction>
    </inducement>
    <inducement id="2">
       <construction>
          <resourceRef relation="org:default" type="c:ResourceType">
             <filter>
                <q:inOid>
                   <expression>
                      <script>
                         <code>
                             return basic.getPropertyValue(immediateRole, "extension/resourceRef");
                         </code>
                      </script>
                   </expression>
                </q:inOid>
             </filter>
             <resolutionTime>run</resolutionTime>
          </resourceRef>
          <kind>account</kind>
          <association id="7">
             <c:ref>ri:groups</c:ref>
             <outbound>
                <expression>
                   <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                        xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                      <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                         <kind>entitlement</kind>
                         <intent>groups</intent>
                      </projectionDiscriminator>
                   </associationFromLink>
                </expression>
             </outbound>
          </association>
       </construction>
       <order>2</order>
    </inducement>


The parent role has an extension attribute "resourceRef" with the resource OID.
The first inducement is weak, as this role must work with another role that gives a strong account assignment.
Any ideas?
Thanks!
-- 
Wojciech Staszewski
Network Systems Administrator
mobile: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register)
NIP: 675-12-65-009; REGON: 356366975
Share capital: 33 756 500 zł.

Think about the environment before printing this e-mail.
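Added example for comparison (not from the original post or the midPoint project): the "simple shadowRef" variant of the role that the author reports as working. The only difference from the metarole above is the association outbound expression: a literal shadowRef pointing at the HELPDESK group shadow instead of associationFromLink resolving the group through the role's own projection. The OIDs and the role name are placeholders, not real values.

```xml
<!-- Constructed example role: grants the HELPDESK group via a literal shadowRef.
     RESOURCE-OID-PLACEHOLDER and HELPDESK-GROUP-SHADOW-OID-PLACEHOLDER are
     placeholders to be replaced with the real resource and group shadow OIDs. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
   <name>Group: HELPDESK (shadowRef test)</name>
   <inducement>
      <construction>
         <!-- the same resource the metarole reads from extension/resourceRef -->
         <resourceRef oid="RESOURCE-OID-PLACEHOLDER" type="ResourceType"/>
         <kind>account</kind>
         <association>
            <ref>ri:groups</ref>
            <outbound>
               <expression>
                  <!-- literal reference to the group shadow, no link resolution involved -->
                  <value>
                     <shadowRef oid="HELPDESK-GROUP-SHADOW-OID-PLACEHOLDER"/>
                  </value>
               </expression>
            </outbound>
         </association>
      </construction>
   </inducement>
</role>
```

Keeping both roles side by side on the same resource, with the association left non-tolerant, lets the behaviour after an out-of-band group removal be compared on reconciliation: if only the shadowRef role restores the membership, the difference is isolated to how associationFromLink resolves the value from the role's link, not to the association or resource configuration.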


