[midPoint] High-Order inducement with custom relation

Pavol Mederly mederly at evolveum.com
Thu Nov 14 16:47:36 CET 2019 

Hello Martin,

I am glad it works. And thank you for the explanation. :)

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 13.11.2019 20:41, Martin wrote:
> Hello Pavol,
>
> thanks for helping me there! This is the relation definition:
>
> <relations>
>     <relation>
>         <ref xmlns:extension="whatever">extension:myRelation</ref>
>         <display>
>             <label>myRelation</label>
>         </display>
>         <category>organization</category>
>         <category>administration</category>
> *        <kind>member</kind>*
>     </relation>
> <includeDefaultRelations>true</includeDefaultRelations>
> </relations>
>
> Adding kind=member did the trick! I had experimented with 
> defaultFor=member but thats not what I wantend.
> The sample here: 
> https://wiki.evolveum.com/display/midPoint/Relation+Configuration 
> explains the relation kinds in detail but never shows how it can be 
> set. Maybe that can be improved.
>
> To satisfy your curiosity:
>
> The real usecase here is a Role (Allow Codesigning) with parameter 
> (Hostname) that gets assigned to a user. Midpoint should automatically 
> assign the same role to a second focal object (computer) based on the 
> parameter.
>
> In detail:
> The assignment of the "Allow Codesigning" Role to the user causes the 
> User to be added to an AD Group and Assigns the Computer as a Service 
> to the User in Midpoint
> The archetype of the computer object should then assign the "Allow 
> Codesigning" Role also to the computer - but only if it is assigned to 
> someone with the relation Codesigning - so that it also gets added to 
> the AD Group but not all existing computers.
> Both user and computer are then member of the AD group (which is the 
> requirement) and the computer will automatically be removed from the 
> group once no more user claims to require the computer (based on the 
> user-assignment-parameter)
> So far no custom relation would be needed. But once we add a second 
> usecase that assigns computers to user (e.g. main user) they would 
> interfere with each other.
>
> Furthermore it makes reporting easy:
> - Give me all machines that belong to Subordinate Users of Manager XY 
> and are used for codesigning (also a requirement by the business)
> vs
> - Give me all machines where a Subordinate Users of Manager XY is the 
> main user (possible usecase)
>
> Best regards,
>
> Martin Hoffmann
>
> Am 13.11.2019 um 19:28 schrieb Pavol Mederly:
>>
>> Hello Martin,
>>
>> how are your relations defined in the system configuration? In 
>> particular, have you set a kind=member for myRelation?
>>
>> [Out of curiosity, what has led you to user a custom relation in this 
>> context? This is the first time I see such a use :-)]
>>
>> Best regards,
>>
>> Pavol Mederly
>> Software developer
>> evolveum.com
>> On 13.11.2019 16:49, Martin Hoffmann wrote:
>>>
>>> Hi there,
>>>
>>> I am trying to do an high-order inducement:
>>>
>>> User ---assignment (relation: “extension:myRelation”) ---> Role A 
>>> ---assignment---> Archetype B
>>>
>>> In my Archetype there is the following inducement:
>>>
>>>     <inducement id="14">
>>>
>>>         <focusMappings>
>>>
>>>             <mapping id="15">
>>>
>>> <name>Testmapping</name>
>>>
>>> <authoritative>true</authoritative>
>>>
>>> <strength>strong</strength>
>>>
>>>                 <source>
>>>
>>> <c:path>$immediateRole/name</c:path>
>>>
>>>                 </source>
>>>
>>>                 <expression>
>>>
>>>                     <script 
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>>> xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" 
>>> xsi:type="c:ScriptExpressionEvaluatorType">
>>>
>>>                         <code>
>>>
>>>                               return "HELLO"
>>>
>>>                         </code>
>>>
>>>                     </script>
>>>
>>>                 </expression>
>>>
>>>                 <target>
>>>
>>> <c:path>$focus/extension/rsJobFunction</c:path>
>>>
>>>                 </target>
>>>
>>>             </mapping>
>>>
>>>         </focusMappings>
>>>
>>>         <order>2</order>
>>>
>>> <focusType>c:UserType</focusType>
>>>
>>>     </inducement>
>>>
>>> This does work when Role A is assigned to the User with default 
>>> relation but does not work when the relation is my custom one.
>>>
>>> Adding an orderConstraint on relation=extension:myRelation causes it 
>>> to stop working for the default relation, but it does not work for 
>>> the extension relation either.
>>>
>>> Am I missing something there or is this a bug? Maybe someone can 
>>> give me a hint J
>>>
>>> Best regards,
>>> Martin Hoffmann
>>>
>>>
>>>
>>> Content provided within this e-mail including any attachments, is 
>>> for the use of the intended recipients and may contain Rohde & 
>>> Schwarz company restricted information. Any unauthorized use, 
>>> disclosure, or distribution of this communication in whole or in 
>>> part is strictly prohibited. If you are not the intended recipient, 
>>> please notify the sender by reply email or by telephone and delete 
>>> the communication in its entirety.
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20191114/2643d6dd/attachment.htm>

More information about the midPoint mailing list