[midPoint] RES: Condition for Role and MetaRole

Joshua Williams jwilliams at globalnaz.org
Mon Sep 27 08:54:48 CEST 2021


Hi Vitor,
Thank you for your help with this.  Unfortunately, I need to manually assign users this Role and not Autoassign them.  When I use this mapping in my assignment, the Role fails to import.

I have decided to go a different direction with my Role.  Thank you for your time!  I appreciate having a community that helps!

Josh

> On Sep 23, 2021, at 9:31 PM, Vitor Alves | Gerencianet via midPoint <midpoint at lists.evolveum.com> wrote:
> 
> Hi Josh,
> I believe what you need is to Autoassign a Role. This is possible; see the link [1]. I needed to do this because we have several employee profiles and need each new user to get the correct roles for their profile as soon as they are created. There are two steps you need to take:
> 
> 1st) Enable Autoassign in SystemConfiguration
>    Configuration Menu -> Repository Objects -> All Objects -> SystemConfiguration.
> <roleManagement>
>      <autoassignEnabled>true</autoassignEnabled>
> </roleManagement>
> 
> 2nd) Configure Autoassign in Role.
>    Access your Role, and enter the following code.
> <autoassign>
>        <enabled>true</enabled>
>        <focus>
>            <mapping>
>                <strength>strong</strength>
>                <source>
>                    <path>organization</path>
>                </source>
>                <condition>
>                    <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="c:ScriptExpressionEvaluatorType">
>                        <code>organization == 'ad-user'</code>
>                    </script>
>                </condition>
>            </mapping>
>            <selector>
>                <type>UserType</type>
>            </selector>
>        </focus>
>    </autoassign>
> 
> Once this is done, it is applied automatically to new users. Hope this helps.
> 
> [1] https://docs.evolveum.com/midpoint/reference/roles-policies/role-autoassignment/configuration/
> 
> 
> 
> 
> -----
> Vitor Alves
> 
> 
> 
> CONFIDENTIALITY NOTICE - This message from Gerencianet is sent exclusively to its addressees and may contain confidential information protected by professional secrecy. If you have received it in error, any further use of this message is not authorized. We ask that it be returned to the sender so the mistake can be clarified.
> 
> -----Original Message-----
> From: midPoint <midpoint-bounces at lists.evolveum.com> On behalf of midpoint-request at lists.evolveum.com
> Sent: Thursday, September 23, 2021 15:44
> To: midpoint at lists.evolveum.com
> Subject: midPoint Digest, Vol 113, Issue 11
> 
> Send midPoint mailing list submissions to
> 	midpoint at lists.evolveum.com
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.evolveum.com/mailman/listinfo/midpoint
> or, via email, send a message with subject or body 'help' to
> 	midpoint-request at lists.evolveum.com
> 
> You can reach the person managing the list at
> 	midpoint-owner at lists.evolveum.com
> 
> When replying, please edit your Subject line so it is more specific than "Re: Contents of midPoint digest..."
> 
> 
> Today's Topics:
> 
>   1. Condition for Role and MetaRole (Joshua Williams)
>   2. Re: Org assignment query help (Paul Engle)
>   3. Re: Condition for Role and MetaRole (Marc Fueller)
>   4. Re: Org assignment query help (Tax, Jan)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 23 Sep 2021 11:35:58 +0200
> From: Joshua Williams <jwilliams at globalnaz.org>
> To: midpoint at lists.evolveum.com
> Subject: [midPoint] Condition for Role and MetaRole
> Message-ID: <77EFEE92-32F2-4516-8B3B-66A8E1B1A478 at globalnaz.org>
> Content-Type: text/plain;	charset=utf-8
> 
> Good morning!
> We have some users who are standard midpoint users and we have some users pulled from Active Directory.  When I want to give a Role to a user, I have to use one MetaRole to write standard users to LDAP and I have to use another MetaRole to write the AD users to LDAP.  The reason is the AD users require SASL Passthrough on the LDAP server, so the password data written is different between the two user groups.
> 
> Right now I have two Roles - Role_Standard.xml and Role_AD.xml.  It would be nice to have one Role with a condition that uses the proper MetaRole to write to LDAP.  
> 
> All AD users have “ad-user” in the organization attribute in midPoint, so it should be fairly straightforward (I would think).  But it isn’t working.
> 
> I am trying to use an assignment to call the proper MetaRole.  Here is what I have:
> 
> <!-- If user is AD, then this role is used to put them in the proper groups and configure SASL Passthrough -->
>      <assignment>
>         <targetRef oid="68e686f4-df63-11eb-a318-00ff83f6b50b" type="RoleType"/>
>           <condition>
>            <script>
>              <code>basic.stringify(organization) == “ad-user"</code>
>            </script>
>           </condition>
>   	</assignment>
> </role>
> </objects>
> 
> I am fairly new to MidPoint.  I have googled and searched, but haven’t been able to find a solution.  The Role will not import.  Trying to import this particular version, I get “script has no definition.” 
> 
> Do you have any suggestions for how to do the condition properly in a Role?
> 
> Thank you for your time.
> 
> Josh
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 23 Sep 2021 09:09:33 -0500
> From: Paul Engle <pengle at rice.edu>
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Org assignment query help
> Message-ID:
> 	<CAKbtzm5P2qGeXmrCixpj7H4XXjXP9YPvm7aBKhiPwy-qvL9=JA at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
> 
> You can use the @ symbol in a path name to dereference something and get to the attributes of the referenced object. So, in your original query, you can replace the inner filter with something like:
> 
> <q:filter>
>  <q:equal>
>    <q:path>c:targetRef/@/name</q:path>
>    <q:value>foo</q:value>
>  </q:equal>
> </q:filter>
> 
> to get the members of an Org named 'foo'.
> 
> --
> Paul Engle
> IAM Architect
> Identity & Access Management
> pengle at rice.edu 713-348-4702
> 
> On Wed, Sep 22, 2021 at 8:25 AM Tax, Jan via midPoint <midpoint at lists.evolveum.com> wrote:
>> 
>> 
>> 
>> Hello,
>> 
>> 
>> 
>> I am trying to put together a scripted task that sends a notification email to each member of an org. The task performs correctly when I use the OID to specify the group, but since OIDs for orgs are generated when the org is created, I would like to reference the org by name. I can’t seem to get that to work.
>> 
>> 
>> 
>> I have been using the Query Playground to test the queries. Here is a query that uses OID:
>> 
>> 
>> 
>> <q:QueryType xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>     xsi:type="q:QueryType">
>>     <q:filter>
>>         <q:type>
>>             <q:type>c:UserType</q:type>
>>             <q:filter>
>>                 <q:exists>
>>                     <q:path>c:assignment</q:path>
>>                     <q:filter>
>>                         <q:ref>
>>                             <q:path>c:targetRef</q:path>
>>                             <q:value oid="473aa64d-3940-46da-b54b-43a0292c592b" relation="q:any"
>>                                 type="c:OrgType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                 xsi:type="c:ObjectReferenceType">
>>                             </q:value>
>>                         </q:ref>
>>                     </q:filter>
>>                 </q:exists>
>>             </q:filter>
>>         </q:type>
>>     </q:filter>
>> </q:QueryType>
>> 
>> 
>> 
>> It returns four people assigned to my test org.
>> 
>> 
>> 
>> My attempt to reference the org by name :
>> 
>> 
>> 
>> <q:QueryType xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>>     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>     xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>>     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>>     xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>>     xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>     xsi:type="q:QueryType">
>>     <q:filter>
>>         <q:type>
>>             <q:type>c:UserType</q:type>
>>             <q:filter>
>>                 <q:exists>
>>                     <q:path>c:assignment</q:path>
>>                     <q:filter>
>>                         <q:ref>
>>                             <q:path>c:targetRef</q:path>
>>                             <q:value relation="q:any" type="c:OrgType"
>>                                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>                                 xsi:type="c:ObjectReferenceType">
>>                                 <q:filter>
>>                                     <q:type>
>>                                         <q:type>c:ObjectReferenceType</q:type>
>>                                         <q:filter>
>>                                             <q:equal>
>>                                                 <q:path>c:name</q:path>
>>                                                 <q:value>test-org</q:value>
>>                                             </q:equal>
>>                                         </q:filter>
>>                                     </q:type>
>>                                 </q:filter>
>>                             </q:value>
>>                         </q:ref>
>>                     </q:filter>
>>                 </q:exists>
>>             </q:filter>
>>         </q:type>
>>     </q:filter>
>> </q:QueryType>
>> 
>> 
>> 
>> The inner query to find the org works correctly, but when I put it in the context of the assignment query, it returns people assigned to all orgs, not just the one org I have specified.
>> 
>> 
>> 
>> Any guidance is appreciated.
>> 
>> 
>> 
>> Jan
>> 
>> --
>> 
>> Johannes (Jan) Tax
>> 
>> ITS Identity Management
>> 
>> University of North Carolina at Chapel Hill
>> 
>> +1 919 962 5642
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 23 Sep 2021 16:21:37 +0200
> From: Marc Fueller <marc.fueller at daasi.de>
> To: Joshua Williams via midPoint <midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Condition for Role and MetaRole
> Message-ID: <756fbf7e-6968-69c5-5aa6-77b3eb356f2f at daasi.de>
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
> 
> Hi Joshua,
> 
> it seems to be an error in your XML structure. <condition> should look like this:
> 
> <condition>
>     <expression>
>         <script>
>             <code>...</code>
>         </script>
>     </expression>
> </condition>
> 
> Hope that helps.
> 
> Marc
> 
> 
> On 23.09.21 at 11:35, Joshua Williams via midPoint wrote:
> 
> --
> Marc Füller
> Consultant
> 
> DAASI International GmbH
> Europaplatz 3
> D-72072 Tübingen
> Germany
> 
> phone: +49 7071 407109-0
> fax:   +49 7071 407109-9
> email: marc.fueller at daasi.de
> web: www.daasi.de
> Registered office: Tübingen
> Commercial register: Amtsgericht Stuttgart, HRB 382175
> Management: Peter Gietz
> 
> ------------------------------
> 
> Message: 4
> Date: Thu, 23 Sep 2021 18:43:49 +0000
> From: "Tax, Jan" <tax at unc.edu>
> To: Paul Engle <pengle at rice.edu>, midPoint General Discussion
> 	<midpoint at lists.evolveum.com>
> Subject: Re: [midPoint] Org assignment query help
> Message-ID:
> 	<BL1PR03MB6101864F249F59F29F051180B5A39 at BL1PR03MB6101.namprd03.prod.outlook.com>
> 	
> Content-Type: text/plain; charset="windows-1252"
> 
> Thanks Paul!
> 
> That worked, and got me to find the section of the Query API documentation about special symbols in item paths.
> 
> Jan
> 
> ------------------------------
> 
> Subject: Digest Footer
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
> 
> 
> ------------------------------
> 
> End of midPoint Digest, Vol 113, Issue 11
> *****************************************
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
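Pulling the "Condition for Role and MetaRole" thread together, here is an added example of the single role Josh asked for: one manually assigned role whose two assignments pick the LDAP metarole by condition. This is not code from the thread or from midPoint's documentation. The reason the two snippets in the thread look different is that an assignment's `condition` is a mapping, so its script must sit under `<expression>` (Marc's fix), whereas the `condition` directly under an autoassign `mapping`, as in Vitor's snippet, is a plain expression and takes `<script>` directly. The AD metarole OID is the one from Josh's message; the role name, the standard metarole name, and the use of the standard `focus` script variable are assumptions. Because `organization` is multi-valued, the script tests every value instead of relying on a single-valued source.

```xml
<!-- Added example: one role that selects the correct LDAP metarole by condition.
     Not code from the thread or from midPoint's own documentation. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
    <name>Role_LDAP</name> <!-- assumed name -->
    <description>Assigned manually. Picks the LDAP metarole from the user's organization values.</description>

    <!-- Branch 1: AD-sourced users (organization contains 'ad-user').
         Target OID is the SASL-passthrough metarole from Josh's message. -->
    <assignment>
        <targetRef oid="68e686f4-df63-11eb-a318-00ff83f6b50b" type="RoleType"/>
        <condition>
            <!-- assignment/condition is a mapping: the script goes under <expression> -->
            <expression>
                <script>
                    <code>
                        // 'focus' is the user being evaluated (standard script variable; assumed here).
                        // organization is multi-valued, so check every value.
                        focus?.organization?.any { basic.stringify(it) == 'ad-user' } ?: false
                    </code>
                </script>
            </expression>
        </condition>
    </assignment>

    <!-- Branch 2: everyone else gets the standard metarole. It is referenced by name and
         resolved at import time so that no placeholder OID is needed (name is an assumption). -->
    <assignment>
        <targetRef type="RoleType">
            <filter>
                <q:equal>
                    <q:path>name</q:path>
                    <q:value>MetaRole_Standard_LDAP</q:value>
                </q:equal>
            </filter>
            <resolutionTime>import</resolutionTime>
        </targetRef>
        <condition>
            <expression>
                <script>
                    <code>
                        // exact negation of branch 1, so exactly one metarole is in effect
                        !(focus?.organization?.any { basic.stringify(it) == 'ad-user' } ?: false)
                    </code>
                </script>
            </expression>
        </condition>
    </assignment>
</role>
```

Two things to keep in mind when using this pattern. The conditions are re-evaluated on recompute and reconciliation, so a later change to `organization` silently switches which metarole (and therefore which LDAP password handling) applies to the user; make sure `organization` is written only by the authoritative AD inbound mapping and is not editable through self-service or by ordinary administrators, otherwise the attribute that gates the SASL passthrough path becomes user-controlled. And import the role by name-resolved reference only after the standard metarole exists, since `resolutionTime` `import` fails the import if the filter matches nothing.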
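For the "Org assignment query help" thread, here is Paul's `@` dereference written out as the complete query Jan was building, as an added example that is not part of the original posts. The org name `test-org` is from Jan's message. Going one step beyond the thread, it also restricts the result to users whose effective activation status is enabled, on the assumption that a notification task should not mail disabled accounts; drop that clause if you want every member.

```xml
<!-- Added example: members of the org named test-org, found by dereferencing targetRef.
     Not code from the thread. -->
<q:QueryType xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:type="q:QueryType">
    <q:filter>
        <q:type>
            <q:type>c:UserType</q:type>
            <q:filter>
                <q:and>
                    <!-- at least one assignment whose target, once dereferenced, is named test-org -->
                    <q:exists>
                        <q:path>c:assignment</q:path>
                        <q:filter>
                            <q:equal>
                                <q:path>c:targetRef/@/name</q:path>
                                <q:value>test-org</q:value>
                            </q:equal>
                        </q:filter>
                    </q:exists>
                    <!-- added refinement (assumption): only users that are currently enabled -->
                    <q:equal>
                        <q:path>c:activation/effectiveStatus</q:path>
                        <q:value>enabled</q:value>
                    </q:equal>
                </q:and>
            </q:filter>
        </q:type>
    </q:filter>
</q:QueryType>
```

One caveat compared with Jan's OID-based query: midPoint enforces name uniqueness per object type, not globally, so the dereferenced form also matches users assigned to a role or service that happens to be named `test-org`. Where that collision is possible, resolve the org to its OID first (for example with a lookup by name in the task's script) and query by reference as in Jan's first query.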


