[midPoint] Entitlements with associations
Keith LeValley
klevalley2 at davenport.edu
Mon Oct 11 15:45:51 CEST 2021
I was hoping someone might be able to explain the interaction with
inducements using associations.
I am using the example from the demo site, the meta role used to grant
group entitlements to openldap. Below is the XML of those inducements:
    <inducement id="2">
        <construction>
            <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType">
                <!-- openldap -->
            </resourceRef>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>
    <inducement id="3">
        <construction>
            <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType">
                <!-- openldap -->
            </resourceRef>
            <kind>account</kind>
            <intent>default</intent>
            <association id="3">
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                            <projectionDiscriminator xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
This works: when I assign a user to a group and assign that group to the meta
role, the user gets the openldap inducement and will be added to the group
in openldap also.
Unfortunately this won't work for my setup; I need to split the inducement
to openldap and to the group. The group and the user still get created, but
the association doesn't seem to work: the user is not assigned to the
group. Below is the inducement to the group that entitles the user with
the association:
    <inducement id="2">
        <construction>
            <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType">
                <!-- openldap -->
            </resourceRef>
            <kind>account</kind>
            <intent>default</intent>
            <association id="9">
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:AssociationFromLinkExpressionEvaluatorType">
                            <projectionDiscriminator xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ShadowDiscriminatorType">
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
    </inducement>
Below is the inducement used to entitle the group:
    <inducement id="2">
        <construction>
            <resourceRef oid="2917a607-56a5-46cd-86a6-e8979bec7d31" relation="org:default" type="c:ResourceType">
                <!-- openldap -->
            </resourceRef>
            <kind>entitlement</kind>
            <intent>group</intent>
        </construction>
    </inducement>
This to me looks like it should work? The user still has the same
inducements; it's just spread between two different roles instead of on a
single meta role.
--
Keith LeValley
Identity Services Architect, Davenport University
phone: (616) 732-1102
klevalley2 at davenport.edu
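A consistency check, added here as an example and not part of the post or of midPoint itself: it parses role XML shaped like the fragments above and reports every associationFromLink whose projectionDiscriminator names an entitlement that the same role does not also induce, which is exactly the difference between the meta-role layout the post reports as working and the split layout it reports as not linking the user into the group. The sample role fragments are constructed from the post's inducements, and the absence of a default XML namespace is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments shaped like the inducements in the post.
# Assumption: the role XML uses no default namespace, as in the post.
OID = "2917a607-56a5-46cd-86a6-e8979bec7d31"  # openldap resource oid from the post

ENTITLEMENT = ('<inducement id="{id}"><construction><resourceRef oid="{oid}"/>'
               '<kind>entitlement</kind><intent>group</intent></construction></inducement>')
ACCOUNT_WITH_ASSOC = (
    '<inducement id="{id}"><construction><resourceRef oid="{oid}"/>'
    '<kind>account</kind><intent>default</intent><association id="1"><ref>ri:group</ref>'
    '<outbound><expression><associationFromLink'
    ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
    ' xsi:type="c:AssociationFromLinkExpressionEvaluatorType"><projectionDiscriminator>'
    '<kind>entitlement</kind><intent>group</intent></projectionDiscriminator>'
    '</associationFromLink></expression></outbound></association></construction></inducement>')

# Meta-role layout from the post: entitlement and association on one role.
META_ROLE = "<role><name>meta</name>{}{}</role>".format(
    ENTITLEMENT.format(id=2, oid=OID), ACCOUNT_WITH_ASSOC.format(id=3, oid=OID))
# Split layout from the post: association on one role, entitlement on another.
SPLIT_ROLE_ASSOC = "<role><name>a</name>{}</role>".format(ACCOUNT_WITH_ASSOC.format(id=2, oid=OID))
SPLIT_ROLE_ENTITLEMENT = "<role><name>b</name>{}</role>".format(ENTITLEMENT.format(id=2, oid=OID))


def _target(construction):
    """(resource oid, kind, intent) of one construction element."""
    ref = construction.find("resourceRef")
    return (ref.get("oid") if ref is not None else None,
            construction.findtext("kind"), construction.findtext("intent"))


def check_role(role_xml):
    """List (inducement id, (oid, kind, intent)) for each associationFromLink
    whose projectionDiscriminator names an entitlement this role does not also induce."""
    root = ET.fromstring(role_xml)
    induced = {_target(c) for c in root.iter("construction") if c.findtext("kind") == "entitlement"}
    findings = []
    for inducement in root.iter("inducement"):
        for construction in inducement.iter("construction"):
            oid = _target(construction)[0]
            for disc in construction.iter("projectionDiscriminator"):
                wanted = (oid, disc.findtext("kind"), disc.findtext("intent"))
                if wanted not in induced:
                    findings.append((inducement.get("id"), wanted))
    return findings
```

Running `check_role` over the three constructed roles returns nothing for the meta role and for the entitlement-only role, and flags inducement 2 of the association-only role, so a split of this kind is visible at review time before anyone notices a missing group membership in openldap.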