[midPoint] assignmentTargetSearch in parentOrgRef with ref filter
Sven Feyerabend
Sven.Feyerabend at stuvus.uni-stuttgart.de
Mon Aug 1 09:44:49 CEST 2022
Hello everyone,

I am running an instance of midPoint 4.4.1 and I am trying to implement
a form of delegated administration.

Ideally I would like to be able to appoint a new admin for an Org by
simply assigning a role to them. So far I have come up with the
following concept:

I have two roles: One meta-role (Gruppenadmin) which grants the
authorizations needed for delegated administration and one role
(fg-test-admins) that will be directly assigned to the admin users which
induces the first role.

The second role is a member of the org which the user should have admin
privileges for. I thought I could use the parentOrgRef property of the
second role to assign the user to the Org with a relation of manager.

The inducement in the meta-role looks as follows:
----------------------------------------------------------------------------------------------------
<inducement>
    <focusMappings>
        <mapping>
            <authoritative>true</authoritative>
            <name>Testname</name>
            <strength>strong</strength>
            <trace>true</trace>
            <source>
                <path>$immediateRole/parentOrgRef</path>
            </source>
            <expression>
                <trace>true</trace>
                <assignmentTargetSearch>
                    <targetType>c:OrgType</targetType>
                    <filter>
                        <q:ref>
                            <q:path>parentOrgRef</q:path>
                            <q:value relation="q:any" oid="q:any"/>
                        </q:ref>
                    </filter>
                    <assignmentProperties>
                        <relation>org:manager</relation>
                    </assignmentProperties>
                </assignmentTargetSearch>
            </expression>
            <target>
                <path>$focus/assignment</path>
            </target>
        </mapping>
    </focusMappings>
    <focusType>UserType</focusType>
</inducement>
----------------------------------------------------------------------------------------------------
When evaluating the expression I get the following output:
----------------------------------------------------------------------------------------------------
---[ EXPRESSION in expression in mapping 'Testname' in assigned mapping
'Testname ($immediateRole/parentOrgRef -> $focus/assignment)' in
role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin) in
role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins) in
user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)]---------------------------
Sources:
Source parentOrgRef
old:
parentOrgRef:
oid=2e223424-517e-4181-a4bb-5b94b1bcc85c(OrgType)[default]
delta: null
new:
parentOrgRef:
oid=2e223424-517e-4181-a4bb-5b94b1bcc85c(OrgType)[default]
Variables:
configuration =>
TypedValue(systemConfiguration:00000000-0000-0000-0000-000000000001(SystemConfiguration),
class=SystemConfigurationType)
assignment =>
TypedValue(IDI(old=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
targetType={.../common/common-3}RoleType,
relation={.../common/org-3}default)],
PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]],
PC(extension):[PCV(null):[PP({http://example.com/xml/ns/midpoint/schema}stuvusMail):[PPV(String:etestfgadmin at faveve.uni-stuttgart.de)]]]]],
delta=null,
new=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
targetType={.../common/common-3}RoleType,
relation={.../common/org-3}default)],
PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]],
PC(extension):[PCV(null):[PP({http://example.com/xml/ns/midpoint/schema}stuvusMail):[PPV(String:etestfgadmin at faveve.uni-stuttgart.de)]]]]]),
definition={.../common/common-3}AssignmentType[0,-1],RAM)
focusAssignment =>
TypedValue(IDI(old=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
targetType={.../common/common-3}RoleType,
relation={.../common/org-3}default)],
PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]],
delta=null,
new=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
targetType={.../common/common-3}UserType,
relation={.../common/org-3}default)],
PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
targetType={.../common/common-3}RoleType,
relation={.../common/org-3}default)],
PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]]),
definition={.../common/common-3}AssignmentType[0,-1],RAM)
focus (user) =>
TypedValue(ObjectDeltaObject(user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)
+ null = user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)),
definition={.../common/common-3}UserType[1,1],RAM)
source =>
TypedValue(role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin),
class=ObjectType)
iterationToken => TypedValue(, class=String)
actor =>
TypedValue(user:00000000-0000-0000-0000-000000000002(administrator),
definition={.../common/common-3}UserType[1,1],RAM)
immediateRole =>
TypedValue(role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins),
definition={.../common/common-3}AbstractRoleType[1,1],RAM)
null =>
TypedValue(ObjectDeltaObject(user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)
+ null = user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)),
definition={.../common/common-3}UserType[1,1],RAM)
assignmentPath =>
TypedValue(AssignmentPath([AssignmentPathSegment(default:1=1(match):
user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin) id:27
-[default]-> role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins)),
AssignmentPathSegment(default:1=1(match):
role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins) inducement
id:2 -[default]->
role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin)),
AssignmentPathSegment(default:1=1(match):
role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin) inducement id:39
FMappings (1) )]), class=AssignmentPath)
immediateAssignment =>
TypedValue(IDI(old=PC(assignment):[PCV(2):[PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=732c2053-e968-4f83-9dd5-a38f6d3d3d36,
targetType={.../common/common-3}RoleType,
relation={.../common/org-3}default)]]], delta=null,
new=PC(assignment):[PCV(2):[PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=732c2053-e968-4f83-9dd5-a38f6d3d3d36,
targetType={.../common/common-3}RoleType,
relation={.../common/org-3}default)]]]),
definition={.../common/common-3}AssignmentType[0,-1],RAM)
iteration => TypedValue(0, class=Integer)
thisAssignment =>
TypedValue(IDI(old=PC(assignment):[PCV(39):[PC(focusMappings):[PCV(null):[PC(mapping):[PCV(40):[PP({.../common/common-3}name):[PPV(String:Testname)],
PP({.../common/common-3}trace):[PPV(Boolean:true)],
PP({.../common/common-3}authoritative):[PPV(Boolean:true)],
PP({.../common/common-3}strength):[PPV(MappingStrengthType:STRONG)],
PP({.../common/common-3}source):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 5d629bca[description=<null>,documentation=<null>,name=<null>,path=$immediateRole/parentOrgRef,set=<null>,type=<null>])],
PP({.../common/common-3}expression):[PPV(ExpressionType:ExpressionType(trace=true,variable=[],evaluator=assignmentTargetSearch:com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentTargetSearchExpressionEvaluatorType at 9b803b3[assignmentProperties=PCV(null):[PP({.../common/common-3}relation):[PPV(QName:{...common/org-3}manager)]],createOnDemand=<null>,defaultTargetRef=<null>,filter=com.evolveum.prism.xml.ns._public.query_3.SearchFilterType at 21317c8c[description=<null>,text=<null>,filterClauseXNode=XNode(map:1
entries) {
ref=XNode(map:2 entries) {
path=XNode(primitive:parentOrgRef (class
com.evolveum.prism.xml.ns._public.types_3.ItemPathType));
value=XNode(map:2 entries) {
oid=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
declarations),attr);
relation=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
declarations),attr) } }
},frozen=false],oid=<null>,populate=<null>,populateObject=<null>,searchStrategy=<null>,targetType={http://midpoint.evolveum.com/xml/ns/public/common/common-3}OrgType,condition=<null>,description=<null>,documentation=<null>,includeNullInputs=<null>,relativityMode=<null>,trace=<null>]))],
PP({.../common/common-3}target):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 6ac153d1[description=<null>,documentation=<null>,name=<null>,path=$focus/assignment,set=<null>,type=<null>])]]]]],
PP({.../common/common-3}focusType):[PPV(QName:UserType)]]], delta=null,
new=PC(assignment):[PCV(39):[PC(focusMappings):[PCV(null):[PC(mapping):[PCV(40):[PP({.../common/common-3}name):[PPV(String:Testname)],
PP({.../common/common-3}trace):[PPV(Boolean:true)],
PP({.../common/common-3}authoritative):[PPV(Boolean:true)],
PP({.../common/common-3}strength):[PPV(MappingStrengthType:STRONG)],
PP({.../common/common-3}source):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 23b43988[description=<null>,documentation=<null>,name=<null>,path=$immediateRole/parentOrgRef,set=<null>,type=<null>])],
PP({.../common/common-3}expression):[PPV(ExpressionType:ExpressionType(trace=true,variable=[],evaluator=assignmentTargetSearch:com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentTargetSearchExpressionEvaluatorType at 6ad803d6[assignmentProperties=PCV(null):[PP({.../common/common-3}relation):[PPV(QName:{...common/org-3}manager)]],createOnDemand=<null>,defaultTargetRef=<null>,filter=com.evolveum.prism.xml.ns._public.query_3.SearchFilterType at 4027d71d[description=<null>,text=<null>,filterClauseXNode=XNode(map:1
entries) {
ref=XNode(map:2 entries) {
path=XNode(primitive:parentOrgRef (class
com.evolveum.prism.xml.ns._public.types_3.ItemPathType));
value=XNode(map:2 entries) {
oid=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
declarations),attr);
relation=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
declarations),attr) } }
},frozen=false],oid=<null>,populate=<null>,populateObject=<null>,searchStrategy=<null>,targetType={http://midpoint.evolveum.com/xml/ns/public/common/common-3}OrgType,condition=<null>,description=<null>,documentation=<null>,includeNullInputs=<null>,relativityMode=<null>,trace=<null>]))],
PP({.../common/common-3}target):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 20984b13[description=<null>,documentation=<null>,name=<null>,path=$focus/assignment,set=<null>,type=<null>])]]]]],
PP({.../common/common-3}focusType):[PPV(QName:UserType)]]]),
definition={.../common/common-3}AssignmentType[0,-1],RAM)
operation => TypedValue(modify, class=String)
Output definition: PCD:{.../common/common-3}assignment
{.../common/common-3}AssignmentType[0,-1],RAM
Evaluators: assignmentTargetSearchExpression
Result:
------------------------------------------------------
2022-08-01 07:09:01,918 [MODEL] [http-nio-8080-exec-9] INFO
(com.evolveum.midpoint.model.common.mapping.AbstractMappingImpl):
Mapping trace:
---[ MAPPING 'Testname' in assigned mapping 'Testname
($immediateRole/parentOrgRef -> $focus/assignment)' in
role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin) in
role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins) in
user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)]---------------------------
Strength: STRONG
Source parentOrgRef:
old:
PrismReferenceImpl({.../common/common-3}parentOrgRef):[PRV(oid=2e223424-517e-4181-a4bb-5b94b1bcc85c,
targetType={.../common/common-3}OrgType,
relation={.../common/org-3}default)]
delta: null
new:
PrismReferenceImpl({.../common/common-3}parentOrgRef):[PRV(oid=2e223424-517e-4181-a4bb-5b94b1bcc85c,
targetType={.../common/common-3}OrgType,
relation={.../common/org-3}default)]
Target: PCD:{.../common/common-3}assignment
{.../common/common-3}AssignmentType[0,-1],RAM
Expression: assignmentTargetSearchExpression
Condition: true -> true
Result:
------------------------------------------------------
2022-08-01 07:09:01,920 [MODEL] [http-nio-8080-exec-9] TRACE
(com.evolveum.midpoint.model.impl.lens.ChangeExecutor): Skipping focus
change execute, because focus delta is empty and there are no
projections changes
2022-08-01 07:09:01,920 [MODEL] [http-nio-8080-exec-9] TRACE
(com.evolveum.midpoint.model.impl.lens.ChangeExecutor): Restart
requested = false
----------------------------------------------------------------------------------------------------
Since the Result in both evaluations is empty, I'm guessing something
with my filter doesn't work the way I would like it to. But the OID
2e223424-517e-4181-a4bb-5b94b1bcc85c listed in sources parentOrgRef is
the one I was hoping to assign to the user.

Is what I'm trying to achieve even possible? Or is there another way to
solve my problem that I am simply not aware of?

Kind regards
Sven