[midPoint] RES: Condition for Role and MetaRole

Vitor Alves | Gerencianet vitor.alves at gerencianet.com.br
Thu Sep 23 21:31:53 CEST 2021


Hi Josh,
I believe what you need is to auto-assign a Role. This is possible, and you can do it through the link [1]. I needed to do this because we have several employee profiles, and we need that, when a new user is created, the correct roles are already assigned for each one. There are two steps you need to take:

1st) Enable Autoassign in SystemConfiguration
    Configuration Menu -> Repository Objects -> All Objects -> SystemConfiguration.
<roleManagement>
      <autoassignEnabled>true</autoassignEnabled>
</roleManagement>

2nd) Configure Autoassign in the Role.
    Open your Role and enter the following code.
<autoassign>
    <enabled>true</enabled>
    <focus>
        <mapping>
            <strength>strong</strength>
            <source>
                <path>organization</path>
            </source>
            <condition>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>organization == 'ad-user'</code>
                </script>
            </condition>
        </mapping>
        <selector>
            <type>UserType</type>
        </selector>
    </focus>
</autoassign>

Once this is done, it is already applied to new users. Hope this helps.

[1] https://docs.evolveum.com/midpoint/reference/roles-policies/role-autoassignment/configuration/




-----
Vitor Alves



CONFIDENTIALITY NOTICE - This message from Gerencianet is sent exclusively to its recipients and may contain confidential information protected by professional secrecy. If you have received it in error, any further use of this message is unauthorized. We ask that it be returned to the sender so that the mistake can be clarified.

-----Original Message-----
From: midPoint <midpoint-bounces at lists.evolveum.com> On behalf of midpoint-request at lists.evolveum.com
Sent: Thursday, 23 September 2021 15:44
To: midpoint at lists.evolveum.com
Subject: midPoint Digest, Vol 113, Issue 11

Send midPoint mailing list submissions to
	midpoint at lists.evolveum.com

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.evolveum.com/mailman/listinfo/midpoint
or, via email, send a message with subject or body 'help' to
	midpoint-request at lists.evolveum.com

You can reach the person managing the list at
	midpoint-owner at lists.evolveum.com

When replying, please edit your Subject line so it is more specific than "Re: Contents of midPoint digest..."


Today's Topics:

   1. Condition for Role and MetaRole (Joshua Williams)
   2. Re: Org assignment query help (Paul Engle)
   3. Re: Condition for Role and MetaRole (Marc Fueller)
   4. Re: Org assignment query help (Tax, Jan)


----------------------------------------------------------------------

Message: 1
Date: Thu, 23 Sep 2021 11:35:58 +0200
From: Joshua Williams <jwilliams at globalnaz.org>
To: midpoint at lists.evolveum.com
Subject: [midPoint] Condition for Role and MetaRole
Message-ID: <77EFEE92-32F2-4516-8B3B-66A8E1B1A478 at globalnaz.org>
Content-Type: text/plain;	charset=utf-8

Good morning!
We have some users who are standard midpoint users and we have some users pulled from Active Directory.  When I want to give a Role to a user, I have to use one MetaRole to write standard users to LDAP and I have to use another MetaRole to write the AD users to LDAP.  The reason is the AD users require SASL Passthrough on the LDAP server, so the password data written is different between the two user groups.

Right now I have two Roles - Role_Standard.xml and Role_AD.xml.  It would be nice to have one Role with a condition that uses the proper MetaRole to write to LDAP.  

All AD users have “ad-user” in the organization attribute in midPoint, so it should be fairly straightforward (I would think).  But it isn’t working.

I am trying to use an assignment to call the proper MetaRole.  Here is what I have:

<!-- If user is AD, then this role is used to put them in the proper groups and configure SASL Passthrough -->
      <assignment>
         <targetRef oid="68e686f4-df63-11eb-a318-00ff83f6b50b" type="RoleType"/>
         <condition>
            <script>
               <code>basic.stringify(organization) == "ad-user"</code>
            </script>
         </condition>
      </assignment>
</role>
</objects>

I am fairly new to MidPoint.  I have googled and searched, but haven’t been able to find a solution.  The Role will not import.  Trying to import this particular version, I get “script has no definition.” 

Do you have any suggestions for how to do the condition properly in a Role?

Thank you for your time.

Josh

------------------------------

Message: 2
Date: Thu, 23 Sep 2021 09:09:33 -0500
From: Paul Engle <pengle at rice.edu>
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Org assignment query help
Message-ID: <CAKbtzm5P2qGeXmrCixpj7H4XXjXP9YPvm7aBKhiPwy-qvL9=JA at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

You can use the @ symbol in a path name to dereference something and get to the attributes of the referenced object. So, in your original query, you can replace the inner filter with something like:

<q:filter>
  <q:equal>
    <q:path>c:targetRef/@/name</q:path>
    <q:value>foo</q:value>
  </q:equal>
</q:filter>

to get the members of an Org named 'foo'.

--
Paul Engle
IAM Architect
Identity & Access Management
pengle at rice.edu 713-348-4702

On Wed, Sep 22, 2021 at 8:25 AM Tax, Jan via midPoint <midpoint at lists.evolveum.com> wrote:
>
> Hello,
>
> I am trying to put together a scripted task that sends a notification email to each member of an org. The task performs correctly when I use the OID to specify the group, but since OIDs for orgs are generated when the org is created, I would like to reference the org by name. I can’t seem to get that to work.
>
> I have been using the Query Playground to test the queries. Here is a query that uses OID:
>
> <q:QueryType xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>              xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>              xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>              xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>              xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>              xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>              xsi:type="q:QueryType">
>     <q:filter>
>         <q:type>
>             <q:type>c:UserType</q:type>
>             <q:filter>
>                 <q:exists>
>                     <q:path>c:assignment</q:path>
>                     <q:filter>
>                         <q:ref>
>                             <q:path>c:targetRef</q:path>
>                             <q:value oid="473aa64d-3940-46da-b54b-43a0292c592b" relation="q:any" type="c:OrgType" xsi:type="c:ObjectReferenceType"/>
>                         </q:ref>
>                     </q:filter>
>                 </q:exists>
>             </q:filter>
>         </q:type>
>     </q:filter>
> </q:QueryType>
>
> It returns four people assigned to my test org.
>
> My attempt to reference the org by name:
>
> <q:QueryType xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>              xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>              xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>              xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>              xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>              xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>              xsi:type="q:QueryType">
>     <q:filter>
>         <q:type>
>             <q:type>c:UserType</q:type>
>             <q:filter>
>                 <q:exists>
>                     <q:path>c:assignment</q:path>
>                     <q:filter>
>                         <q:ref>
>                             <q:path>c:targetRef</q:path>
>                             <q:value relation="q:any" type="c:OrgType" xsi:type="c:ObjectReferenceType">
>                                 <q:filter>
>                                     <q:type>
>                                         <q:type>c:ObjectReferenceType</q:type>
>                                         <q:filter>
>                                             <q:equal>
>                                                 <q:path>c:name</q:path>
>                                                 <q:value>test-org</q:value>
>                                             </q:equal>
>                                         </q:filter>
>                                     </q:type>
>                                 </q:filter>
>                             </q:value>
>                         </q:ref>
>                     </q:filter>
>                 </q:exists>
>             </q:filter>
>         </q:type>
>     </q:filter>
> </q:QueryType>
>
> The inner query to find the org works correctly, but when I put it in the context of the assignment query, it returns people assigned to all orgs, not just the one org I have specified.
>
> Any guidance is appreciated.
>
> Jan
> --
> Johannes (Jan) Tax
> ITS Identity Management
> University of North Carolina at Chapel Hill
> +1 919 962 5642
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint


------------------------------

Message: 3
Date: Thu, 23 Sep 2021 16:21:37 +0200
From: Marc Fueller <marc.fueller at daasi.de>
To: Joshua Williams via midPoint <midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Condition for Role and MetaRole
Message-ID: <756fbf7e-6968-69c5-5aa6-77b3eb356f2f at daasi.de>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi Joshua,

it seems to be an error in your XML structure. <condition> should look like this:

<condition>
    <expression>
        <script>
            <code>...</code>
        </script>
    </expression>
</condition>

Hope that helps.

Marc



--
Marc Füller
Consultant

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany

phone: +49 7071 407109-0
fax:   +49 7071 407109-9
email: marc.fueller at daasi.de
web:   www.daasi.de
Sitz der Gesellschaft: Tübingen
Registergericht: Amtsgericht Stuttgart, HRB 382175
Geschäftsleitung: Peter Gietz
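Applying Marc's structure to Josh's goal of a single role gives the object below. This is an added example, not Josh's file and not from the midPoint documentation: the role OID, the role name and the standard metarole OID are placeholders; the AD metarole OID is the one Josh posted. The condition script uses the `focus` variable and `basic.stringify` from midPoint's basic function library; that `focus` is available inside an assignment condition is assumed here and should be checked against the assignment-condition documentation for your midPoint version.

```xml
<!-- Added example (not from the thread). One role that picks the AD or the
     standard LDAP metarole per user. Wrap in <objects> for import, as in
     Josh's file. OIDs marked "placeholder" must be replaced. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="11111111-1111-1111-1111-111111111111"> <!-- placeholder -->
    <name>LDAP access</name>
    <description>Selects the AD or the standard LDAP metarole by organization.</description>

    <!-- AD users: groups plus SASL passthrough (Josh's AD metarole OID) -->
    <assignment>
        <targetRef oid="68e686f4-df63-11eb-a318-00ff83f6b50b" type="RoleType"/>
        <condition>
            <!-- the condition is a mapping, so the script must sit inside <expression> -->
            <expression>
                <script>
                    <code>
                        // focus = the user being evaluated (assumed available here).
                        // organization is multi-valued, so test every value, and
                        // fall back to false when the property is absent.
                        focus?.organization?.any { basic.stringify(it) == 'ad-user' } ?: false
                    </code>
                </script>
            </expression>
        </condition>
    </assignment>

    <!-- Everyone else: the standard metarole that writes a password to LDAP -->
    <assignment>
        <targetRef oid="22222222-2222-2222-2222-222222222222" type="RoleType"/> <!-- placeholder -->
        <condition>
            <expression>
                <script>
                    <code>
                        // exact negation of the condition above, so a user can never
                        // match both branches
                        !(focus?.organization?.any { basic.stringify(it) == 'ad-user' } ?: false)
                    </code>
                </script>
            </expression>
        </condition>
    </assignment>
</role>
```

Because the `organization` value now decides whether the LDAP account relies on SASL passthrough or gets a password written by midPoint, it has become a security-relevant attribute: it should be populated only by an authoritative inbound mapping from the AD resource and must not be editable by the user or by a helpdesk role, otherwise changing that one value switches the account's authentication path.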

------------------------------

Message: 4
Date: Thu, 23 Sep 2021 18:43:49 +0000
From: "Tax, Jan" <tax at unc.edu>
To: Paul Engle <pengle at rice.edu>, midPoint General Discussion
	<midpoint at lists.evolveum.com>
Subject: Re: [midPoint] Org assignment query help
Message-ID: <BL1PR03MB6101864F249F59F29F051180B5A39 at BL1PR03MB6101.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"

Thanks Paul!

That worked, and got me to find the section of the Query API documentation about special symbols in item paths.

Jan

------------------------------
