[midPoint] High-Order inducement with custom relation
Martin
martin.de at myself.com
Wed Nov 13 20:41:38 CET 2019
Hello Pavol,
thanks for helping me there! This is the relation definition:
<relations>
<relation>
<ref xmlns:extension="whatever">extension:myRelation</ref>
<display>
<label>myRelation</label>
</display>
<category>organization</category>
<category>administration</category>
* <kind>member</kind>*
</relation>
<includeDefaultRelations>true</includeDefaultRelations>
</relations>
Adding kind=member did the trick! I had experimented with
defaultFor=member but thats not what I wantend.
The sample here:
https://wiki.evolveum.com/display/midPoint/Relation+Configuration
explains the relation kinds in detail but never shows how it can be set.
Maybe that can be improved.
To satisfy your curiosity:
The real usecase here is a Role (Allow Codesigning) with parameter
(Hostname) that gets assigned to a user. Midpoint should automatically
assign the same role to a second focal object (computer) based on the
parameter.
In detail:
The assignment of the "Allow Codesigning" Role to the user causes the
User to be added to an AD Group and Assigns the Computer as a Service to
the User in Midpoint
The archetype of the computer object should then assign the "Allow
Codesigning" Role also to the computer - but only if it is assigned to
someone with the relation Codesigning - so that it also gets added to
the AD Group but not all existing computers.
Both user and computer are then member of the AD group (which is the
requirement) and the computer will automatically be removed from the
group once no more user claims to require the computer (based on the
user-assignment-parameter)
So far no custom relation would be needed. But once we add a second
usecase that assigns computers to user (e.g. main user) they would
interfere with each other.
Furthermore it makes reporting easy:
- Give me all machines that belong to Subordinate Users of Manager XY
and are used for codesigning (also a requirement by the business)
vs
- Give me all machines where a Subordinate Users of Manager XY is the
main user (possible usecase)
Best regards,
Martin Hoffmann
Am 13.11.2019 um 19:28 schrieb Pavol Mederly:
>
> Hello Martin,
>
> how are your relations defined in the system configuration? In
> particular, have you set a kind=member for myRelation?
>
> [Out of curiosity, what has led you to user a custom relation in this
> context? This is the first time I see such a use :-)]
>
> Best regards,
>
> Pavol Mederly
> Software developer
> evolveum.com
> On 13.11.2019 16:49, Martin Hoffmann wrote:
>>
>> Hi there,
>>
>> I am trying to do an high-order inducement:
>>
>> User ---assignment (relation: “extension:myRelation”) ---> Role A
>> ---assignment---> Archetype B
>>
>> In my Archetype there is the following inducement:
>>
>> <inducement id="14">
>>
>> <focusMappings>
>>
>> <mapping id="15">
>>
>> <name>Testmapping</name>
>>
>> <authoritative>true</authoritative>
>>
>> <strength>strong</strength>
>>
>> <source>
>>
>> <c:path>$immediateRole/name</c:path>
>>
>> </source>
>>
>> <expression>
>>
>> <script
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> xsi:type="c:ScriptExpressionEvaluatorType">
>>
>> <code>
>>
>> return "HELLO"
>>
>> </code>
>>
>> </script>
>>
>> </expression>
>>
>> <target>
>>
>> <c:path>$focus/extension/rsJobFunction</c:path>
>>
>> </target>
>>
>> </mapping>
>>
>> </focusMappings>
>>
>> <order>2</order>
>>
>> <focusType>c:UserType</focusType>
>>
>> </inducement>
>>
>> This does work when Role A is assigned to the User with default
>> relation but does not work when the relation is my custom one.
>>
>> Adding an orderConstraint on relation=extension:myRelation causes it
>> to stop working for the default relation, but it does not work for
>> the extension relation either.
>>
>> Am I missing something there or is this a bug? Maybe someone can give
>> me a hint J
>>
>> Best regards,
>> Martin Hoffmann
>>
>>
>>
>> Content provided within this e-mail including any attachments, is for
>> the use of the intended recipients and may contain Rohde & Schwarz
>> company restricted information. Any unauthorized use, disclosure, or
>> distribution of this communication in whole or in part is strictly
>> prohibited. If you are not the intended recipient, please notify the
>> sender by reply email or by telephone and delete the communication in
>> its entirety.
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20191113/28d881cf/attachment.htm>
More information about the midPoint
mailing list