[midPoint] Assigning several roles from a single attribute in a resource inbound mapping
Frédéric Lohier
frederic at lohier.org
Wed Jul 1 19:16:19 CEST 2020
Hello,
Since my previous message, I managed to get a working, but not entirely
satisfying, solution.
The root of my issue is that I am trying to import user-role associations from
an MSSQL database to Midpoint. I am using the scriptedSQLConnector
1.1.2.0.em3 since there was no sample configuration/script for the 2.x
version of the connector (any samples/help to migrate my connector is
welcome BTW).
In my MSSQL database, the association between user and roles is done via a
link table where each user can be linked to n roles. In order to import
this into Midpoint, I tweaked my SQL query in the SearchScript to compute a
list of comma separated roles linked to the user into a single column
“roles”.
In the user schema in Midpoint, I added a new multi-valued attribute “role”:

<xsd:element name="role" minOccurs="0" maxOccurs="unbounded" type="xsd:string">
  <xsd:annotation>
    <xsd:appinfo>
      <a:indexed>true</a:indexed>
      <a:displayName>Role</a:displayName>
    </xsd:appinfo>
  </xsd:annotation>
</xsd:element>
In the resource inbound mapping, I managed to map the list of comma
separated roles into the multi-valued attribute “role”:

<attribute>
  <ref>ri:roles</ref>
  <displayName>Roles</displayName>
  <inbound>
    <expression>
      <script>
        <code>
          if (!basic.isEmpty(input))
          {
            input.tokenize(",")
          }
        </code>
      </script>
    </expression>
    <target>
      <path>$focus/extension/role</path>
    </target>
    <strength>strong</strength>
  </inbound>
</attribute>
In the user template, I added a mapping to automatically assign the roles
from the role “attribute” to the corresponding Midpoint roles:

<item>
  <ref>assignment</ref>
  <mapping>
    <name>auto-assign-role</name>
    <authoritative>true</authoritative>
    <strength>strong</strength>
    <source>
      <path>extension/role</path>
    </source>
    <expression>
      <assignmentTargetSearch>
        <targetType>RoleType</targetType>
        <filter>
          <q:equal>
            <q:path>identifier</q:path>
            <expression>
              <script>
                <code>
                  return role
                </code>
              </script>
            </expression>
          </q:equal>
        </filter>
      </assignmentTargetSearch>
    </expression>
    <target>
      <c:path>assignment</c:path>
    </target>
  </mapping>
</item>
This works well, but I get the feeling this is still a workaround since I
do not leverage the Midpoint concept of “association” between accounts and
entitlements.
I tried the following association:

<association>
  <ref>ri:users_member_of_roles</ref>
  <kind>entitlement</kind>
  <intent>role</intent>
  <direction>subjectToObject</direction>
  <associationAttribute>ri:roles</associationAttribute>
  <valueAttribute>icfs:uid</valueAttribute>
  <tolerant>true</tolerant>
</association>
But of course, this does not work since my resource attribute “ri:roles”
contains a list of comma separated roles, instead of a single value.
Is this the right approach? How could I make the Midpoint association work?
-Frederic
On Fri, Jun 26, 2020, 20:00 Frédéric Lohier <frederic at lohier.org> wrote:
> Hello,
>
> In order to assign several roles from a single attribute value in a resource inbound mapping, I wrote the following inbound mapping in my resource, taking some hints from https://wiki.evolveum.com/display/midPoint/Scripting+Hooks, but I get the error “com.evolveum.midpoint.util.exception.ExpressionEvaluationException: No such property: modelContext for class”
> Am I on the correct path? Or is there a better way to do what I want?
>
> <attribute>
>   <ref>ri:my_attribute</ref>
>   <displayName>My attribute</displayName>
>   <inbound>
>     <expression>
>       <script>
>         <code>
>           import com.evolveum.midpoint.prism.delta.*;
>           import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
>           UserType user = (UserType) focus;
>           roleName = "My_Role"
>           role = midpoint.searchObjectByName(RoleType.class, roleName)
>           if (!midpoint.isDirectlyAssigned(role)) {
>             // The role is not assigned. Let's assign it. We need to construct a delta to do this
>             assignment = new AssignmentType();
>             roleTarget = new ObjectReferenceType();
>             roleTarget.setOid("00000-0000-0000-000-0000");
>             roleTarget.setType(RoleType.COMPLEX_TYPE);
>             assignment.setTargetRef(roleTarget);
>             assignmentDelta = prismContext.deltaFactory().container().createModificationAdd(UserType.F_ASSIGNMENT, UserType.class, assignment);
>             modelContext.getFocusContext().swallowToPrimaryDelta(assignmentDelta);
>             log.debug('test assignment ' + assignmentDelta + ' of user ' + user.getName());
>             return my_attribute;
>           }
>         </code>
>       </script>
>     </expression>
>     <target>
>       <path>$focus/extension/my_attribute</path>
>     </target>
>     <strength>strong</strength>
>   </inbound>
> </attribute>
>
>
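The inbound script in the message above splits the comma-separated "roles" column with `tokenize(",")` and feeds every token into the `auto-assign-role` template mapping, which searches roles by `identifier`. Groovy's `tokenize` already skips empty tokens, but it does not trim whitespace, so a column value such as `"admin, reader"` yields the token `" reader"`, which will not match the role identifier `reader` and leaves the assignment silently missing. The following is an added example, not code from the original post or from the midPoint project: a defensive version of the same inbound script that normalizes each token, drops entries that are blank after trimming, and de-duplicates, so the values stored in `$focus/extension/role` are exactly the identifiers the template mapping searches for. `input` and `basic` are the standard variables available in a midPoint inbound mapping script, as used in the original mapping.

```groovy
// Added example (not from the original post): defensive tokenization of the
// comma-separated "roles" column for the inbound mapping on ri:roles.
// Returning null from an inbound script means "no values" for the target.
if (basic.isEmpty(input)) {
    return null
}

// "admin, reader ,,  " -> ["admin", "reader"]
//   tokenize(",") : ["admin", " reader ", "  "]   (empty tokens already skipped)
//   trim          : ["admin", "reader", ""]
//   findAll       : ["admin", "reader"]           (drop blank-after-trim entries)
//   unique        : keeps one copy if the source column repeats a role
return input.tokenize(",")
            .collect { it.trim() }
            .findAll { !it.isEmpty() }
            .unique()
```

Because the template mapping is `authoritative` and `strong`, whatever this script returns becomes the complete set of role identifiers that drive assignments for the user; keeping the token set clean is what makes that set deterministic and prevents a stray space or duplicate in the source data from producing a missing or extra assignment.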