[midPoint] Assigning meta-role assignments to an organisation based on role organisation

Robert Bradley robert.bradley at it.ox.ac.uk
Tue May 14 18:58:08 CEST 2019



On 13/05/2019 17:24, Robert Bradley wrote:
| Loosely based on the examples in the documentation, I have the
| following set of roles:
|
| User --[assignment]--> Pirate Captain --[inducement]--> Pirate
|
| What I would like to do is be able to add an organisation to the
| assignment, and then have this set on the related inducement as
| well.  However, I'm struggling to see how to assign this within
| the inducement.  I've tried both attempting to look up an orgRef
| via filters and playing around with focusMappings (which end up
| modifying the User object rather than the induced assignment).
|
| Has anyone else done anything similar already and is willing to
| share how to achieve this?
|

To expand upon my previous email a bit using a more realistic example...

I have the following roles and orgs setup on my test server (midPoint
3.9):

-----

<org oid="cc13826f-4841-4008-a7e9-c6eb97eb91b0" >
<name>My Test Org</name>
</org>

<org oid="cc13826f-4841-4008-a7e9-c6eb97eb91b1" >
<name>My Test Org 2</name>
</org>

<role oid="a7c1cfb5-fac6-4abd-a34f-ef4b12032e0b" version="72">
    <name>Postgraduate</name>
    <inducement>
        <targetRef oid="495a890e-906c-4daa-9ba2-e72c669c0a14"
                   relation="org:default" type="c:RoleType">
        </targetRef>
        <orgRef oid="cc13826f-4841-4008-a7e9-c6eb97eb91b0"
                relation="org:default" type="c:OrgType">
        </orgRef>
    </inducement>
</role>

<role oid="495a890e-906c-4daa-9ba2-e72c669c0a14" version="31">
    <name>Student</name>
</role>

-----

If I create a test user looking like:

<user oid="7d809ee2-33cb-49fb-80a9-3325dbff9d07" version="97">
    <name>Test User</name>
    <assignment>
        <targetRef oid="a7c1cfb5-fac6-4abd-a34f-ef4b12032e0b"
                   relation="org:default" type="c:RoleType" />
        <orgRef oid="cc13826f-4841-4008-a7e9-c6eb97eb91b0"
                relation="org:default" type="c:OrgType" />
    </assignment>
</user>

I get a direct role of "Postgraduate" with the organisation "My Test
Org" associated with it, as well as an indirect role of "Student" with
organisation "My Test Org".  This works as expected, but means that
the indirect role will always have "My Test Org" associated with it.

Long term, I'd like to be able to set the Org attached to the Student
assignment from the Postgraduate assignment in a similar way to the
OrgType inducement in
midpoint/samples/stories/unix-ldap-advanced/roles/role-metarole-role.xml.
However, for the moment I shall stick to hard-coding an OID in the
inducement's orgRef filter, i.e.:

<role oid="a7c1cfb5-fac6-4abd-a34f-ef4b12032e0b" version="72">
    <name>Postgraduate</name>
    <inducement>
        <targetRef oid="495a890e-906c-4daa-9ba2-e72c669c0a14"
                   relation="org:default" type="c:RoleType">
        </targetRef>
        <orgRef relation="org:default" type="c:OrgType">
            <filter>
                <q:inOid>
                    <!-- Replace this with an expression retrieving
                         focusAssignment.orgRef?.getOid()? later -->
                    <value>cc13826f-4841-4008-a7e9-c6eb97eb91b0</value>
                </q:inOid>
            </filter>
        </orgRef>
    </inducement>
</role>

When I do this, the resulting assignment has an Org of "Couldn't
retrieve name for null".  However, if I move the filter to the
targetRef element (i.e. turn this into an Org inducement):

    <inducement>
        <targetRef relation="org:default" type="c:OrgType">
            <filter>
                <q:inOid>
                    <q:value>cc13826f-4841-4008-a7e9-c6eb97eb91b0</q:value>
                </q:inOid>
            </filter>
        </targetRef>
    </inducement>

the filter works as expected (assigning the User object to the Org
object, as opposed to assigning a parametric meta-role linked to the
Org).

Looking at the schema suggests that adding
<resolutionTime>run</resolutionTime> to the <orgRef/> element may make
the parametric assignment work, but I haven't been able to make this
stick.

-- 
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
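An added example, not from the post and not midPoint's own evaluation code: a small offline evaluator that walks user -> assignment -> inducement over objects shaped like the ones above and lists each effective target with its org parameter, inheriting the org from the focus assignment whenever an inducement carries no orgRef of its own. It models the behaviour the post asks for; the orgRef-less Postgraduate inducement and the second user are constructed, and the `seen` set guards against inducement cycles.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the post's objects; the Postgraduate inducement
# deliberately has no orgRef, so the org must come from the user's own assignment.
SAMPLE = """<objects>
<org oid="cc13826f-4841-4008-a7e9-c6eb97eb91b0"><name>My Test Org</name></org>
<org oid="cc13826f-4841-4008-a7e9-c6eb97eb91b1"><name>My Test Org 2</name></org>
<role oid="495a890e-906c-4daa-9ba2-e72c669c0a14"><name>Student</name></role>
<role oid="a7c1cfb5-fac6-4abd-a34f-ef4b12032e0b"><name>Postgraduate</name>
  <inducement><targetRef oid="495a890e-906c-4daa-9ba2-e72c669c0a14"/></inducement>
</role>
<user oid="7d809ee2-33cb-49fb-80a9-3325dbff9d07"><name>Test User</name>
  <assignment><targetRef oid="a7c1cfb5-fac6-4abd-a34f-ef4b12032e0b"/>
    <orgRef oid="cc13826f-4841-4008-a7e9-c6eb97eb91b0"/></assignment>
</user>
<user oid="00000000-0000-0000-0000-000000000002"><name>Second User (constructed)</name>
  <assignment><targetRef oid="a7c1cfb5-fac6-4abd-a34f-ef4b12032e0b"/>
    <orgRef oid="cc13826f-4841-4008-a7e9-c6eb97eb91b1"/></assignment>
</user>
</objects>"""

def load(xml_text):
    return {obj.get("oid"): obj for obj in ET.fromstring(xml_text)}  # index by OID

def name_of(objects, oid):
    obj = objects.get(oid)
    return obj.findtext("name") if obj is not None else None

def effective_assignments(objects, user_oid):
    """Return [(target name, org name, 'direct' | 'indirect')] for one user."""
    result = []

    def walk(target_oid, org_oid, kind, seen):
        if target_oid in seen:  # guard against inducement cycles
            return
        result.append((name_of(objects, target_oid), name_of(objects, org_oid), kind))
        target = objects.get(target_oid)
        for ind in (target.findall("inducement") if target is not None else []):
            own_org = ind.find("orgRef")
            # The inducement's own orgRef wins; otherwise inherit the org parameter
            # of the assignment that led here (the semantics the post asks for).
            walk(ind.find("targetRef").get("oid"),
                 own_org.get("oid") if own_org is not None else org_oid,
                 "indirect", seen | {target_oid})

    for assignment in objects[user_oid].findall("assignment"):
        org = assignment.find("orgRef")
        walk(assignment.find("targetRef").get("oid"),
             org.get("oid") if org is not None else None, "direct", frozenset())
    return result
```

Run against a full object export, the same walk gives a reviewer the effective role/org pairs per user, which is the list to check when auditing what a parametric meta-role actually grants.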