[midPoint] assignmentTargetSearch in parentOrgRef with ref filter
Pavol Mederly
mederly at evolveum.com
Tue Aug 2 10:22:26 CEST 2022
Hello Sven,
I am not sure if there's a better way to achieve what you need.
(Experts from the field would surely know.)
But what is certain is that your "assignmentTargetSearch" filter is
not OK. You need to change it so that it looks for an object with the OID of
your parentOrgRef.
You may e.g. search through the samples or midPoint tests to look for an
example. I hope there should be one.
Best regards,
--
Pavol Mederly
Software developer
evolveum.com
On 01/08/2022 09:44, Sven Feyerabend via midPoint wrote:
> Hello everyone,
>
> I am running an instance of midPoint 4.4.1 and I am trying to
> implement a form of delegated administration.
> Ideally I would like to be able to appoint a new admin for an Org by
> simply assigning a role to them. So far I have come up with the
> following concept:
>
> I have two roles: One meta-role (Gruppenadmin) which grants the
> authorizations needed for delegated administration and one role
> (fg-test-admins) that will be directly assigned to the admin users
> which induces the first role.
> The second role is a member of the org which the user should have
> admin privileges for. I thought I could use the parentOrgRef property
> of the second role to assign the user to the Org with a relation of
> manager.
>
> The inducement in the meta-role looks as follows:
>
> ----------------------------------------------------------------------------------------------------
>
>
> <inducement>
>     <focusMappings>
>         <mapping>
>             <authoritative>true</authoritative>
>             <name>Testname</name>
>             <strength>strong</strength>
>             <trace>true</trace>
>             <source>
>                 <path>$immediateRole/parentOrgRef</path>
>             </source>
>             <expression>
>                 <trace>true</trace>
>                 <assignmentTargetSearch>
>                     <targetType>c:OrgType</targetType>
>                     <filter>
>                         <q:ref>
>                             <q:path>parentOrgRef</q:path>
>                             <q:value relation="q:any" oid="q:any"/>
>                         </q:ref>
>                     </filter>
>                     <assignmentProperties>
>                         <relation>org:manager</relation>
>                     </assignmentProperties>
>                 </assignmentTargetSearch>
>             </expression>
>             <target>
>                 <path>$focus/assignment</path>
>             </target>
>         </mapping>
>     </focusMappings>
>     <focusType>UserType</focusType>
> </inducement>
>
> ----------------------------------------------------------------------------------------------------
>
>
>
> When evaluating the expression I get the following output:
>
> ----------------------------------------------------------------------------------------------------
>
>
> ---[ EXPRESSION in expression in mapping 'Testname' in assigned
> mapping 'Testname ($immediateRole/parentOrgRef -> $focus/assignment)'
> in role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin) in
> role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins) in
> user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)]---------------------------
> Sources:
> Source parentOrgRef
> old:
> parentOrgRef:
> oid=2e223424-517e-4181-a4bb-5b94b1bcc85c(OrgType)[default]
> delta: null
> new:
> parentOrgRef:
> oid=2e223424-517e-4181-a4bb-5b94b1bcc85c(OrgType)[default]
>
> Variables:
> configuration =>
> TypedValue(systemConfiguration:00000000-0000-0000-0000-000000000001(SystemConfiguration),
> class=SystemConfigurationType)
> assignment =>
> TypedValue(IDI(old=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
> PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
> PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
> PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
> targetType={.../common/common-3}RoleType,
> relation={.../common/org-3}default)],
> PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]],
> PC(extension):[PCV(null):[PP({http://example.com/xml/ns/midpoint/schema}stuvusMail):[PPV(String:etestfgadmin at faveve.uni-stuttgart.de)]]]]],
> delta=null,
> new=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
> PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
> PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
> PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
> targetType={.../common/common-3}RoleType,
> relation={.../common/org-3}default)],
> PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]],
> PC(extension):[PCV(null):[PP({http://example.com/xml/ns/midpoint/schema}stuvusMail):[PPV(String:etestfgadmin at faveve.uni-stuttgart.de)]]]]]),
> definition={.../common/common-3}AssignmentType[0,-1],RAM)
> focusAssignment =>
> TypedValue(IDI(old=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
> PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
> PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
> PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
> targetType={.../common/common-3}RoleType,
> relation={.../common/org-3}default)],
> PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]],
> delta=null,
> new=PC(assignment):[PCV(27):[PC(metadata):[PCV(null):[PP({.../common/common-3}requestTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.235Z)],
> PrismReferenceImpl({.../common/common-3}requestorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createTimestamp):[PPV(XMLGregorianCalendarImpl:2022-07-31T12:24:21.484Z)],
> PrismReferenceImpl({.../common/common-3}creatorRef):[PRV(oid=00000000-0000-0000-0000-000000000002,
> targetType={.../common/common-3}UserType,
> relation={.../common/org-3}default)],
> PP({.../common/common-3}createChannel):[PPV(String:http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user)]]],
> PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=b07f8e72-a18e-4b8f-b52a-e22addcdce09,
> targetType={.../common/common-3}RoleType,
> relation={.../common/org-3}default)],
> PC(activation):[PCV(null):[PP({.../common/common-3}effectiveStatus):[PPV(ActivationStatusType:ENABLED)]]]]]),
> definition={.../common/common-3}AssignmentType[0,-1],RAM)
> focus (user) =>
> TypedValue(ObjectDeltaObject(user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)
> + null = user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)),
> definition={.../common/common-3}UserType[1,1],RAM)
> source =>
> TypedValue(role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin),
> class=ObjectType)
> iterationToken => TypedValue(, class=String)
> actor =>
> TypedValue(user:00000000-0000-0000-0000-000000000002(administrator),
> definition={.../common/common-3}UserType[1,1],RAM)
> immediateRole =>
> TypedValue(role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins),
> definition={.../common/common-3}AbstractRoleType[1,1],RAM)
> null =>
> TypedValue(ObjectDeltaObject(user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)
> + null = user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)),
> definition={.../common/common-3}UserType[1,1],RAM)
> assignmentPath =>
> TypedValue(AssignmentPath([AssignmentPathSegment(default:1=1(match):
> user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin) id:27
> -[default]->
> role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins)),
> AssignmentPathSegment(default:1=1(match):
> role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins) inducement
> id:2 -[default]->
> role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin)),
> AssignmentPathSegment(default:1=1(match):
> role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin) inducement
> id:39 FMappings (1) )]), class=AssignmentPath)
> immediateAssignment =>
> TypedValue(IDI(old=PC(assignment):[PCV(2):[PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=732c2053-e968-4f83-9dd5-a38f6d3d3d36,
> targetType={.../common/common-3}RoleType,
> relation={.../common/org-3}default)]]], delta=null,
> new=PC(assignment):[PCV(2):[PrismReferenceImpl({.../common/common-3}targetRef):[PRV(oid=732c2053-e968-4f83-9dd5-a38f6d3d3d36,
> targetType={.../common/common-3}RoleType,
> relation={.../common/org-3}default)]]]),
> definition={.../common/common-3}AssignmentType[0,-1],RAM)
> iteration => TypedValue(0, class=Integer)
> thisAssignment =>
> TypedValue(IDI(old=PC(assignment):[PCV(39):[PC(focusMappings):[PCV(null):[PC(mapping):[PCV(40):[PP({.../common/common-3}name):[PPV(String:Testname)],
> PP({.../common/common-3}trace):[PPV(Boolean:true)],
> PP({.../common/common-3}authoritative):[PPV(Boolean:true)],
> PP({.../common/common-3}strength):[PPV(MappingStrengthType:STRONG)],
> PP({.../common/common-3}source):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 5d629bca[description=<null>,documentation=<null>,name=<null>,path=$immediateRole/parentOrgRef,set=<null>,type=<null>])],
> PP({.../common/common-3}expression):[PPV(ExpressionType:ExpressionType(trace=true,variable=[],evaluator=assignmentTargetSearch:com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentTargetSearchExpressionEvaluatorType at 9b803b3[assignmentProperties=PCV(null):[PP({.../common/common-3}relation):[PPV(QName:{...common/org-3}manager)]],createOnDemand=<null>,defaultTargetRef=<null>,filter=com.evolveum.prism.xml.ns._public.query_3.SearchFilterType at 21317c8c[description=<null>,text=<null>,filterClauseXNode=XNode(map:1
> entries) {
> ref=XNode(map:2 entries) {
> path=XNode(primitive:parentOrgRef (class
> com.evolveum.prism.xml.ns._public.types_3.ItemPathType));
> value=XNode(map:2 entries) {
> oid=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
> declarations),attr);
> relation=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
> declarations),attr) } }
> },frozen=false],oid=<null>,populate=<null>,populateObject=<null>,searchStrategy=<null>,targetType={http://midpoint.evolveum.com/xml/ns/public/common/common-3}OrgType,condition=<null>,description=<null>,documentation=<null>,includeNullInputs=<null>,relativityMode=<null>,trace=<null>]))],
> PP({.../common/common-3}target):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 6ac153d1[description=<null>,documentation=<null>,name=<null>,path=$focus/assignment,set=<null>,type=<null>])]]]]],
> PP({.../common/common-3}focusType):[PPV(QName:UserType)]]],
> delta=null,
> new=PC(assignment):[PCV(39):[PC(focusMappings):[PCV(null):[PC(mapping):[PCV(40):[PP({.../common/common-3}name):[PPV(String:Testname)],
> PP({.../common/common-3}trace):[PPV(Boolean:true)],
> PP({.../common/common-3}authoritative):[PPV(Boolean:true)],
> PP({.../common/common-3}strength):[PPV(MappingStrengthType:STRONG)],
> PP({.../common/common-3}source):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 23b43988[description=<null>,documentation=<null>,name=<null>,path=$immediateRole/parentOrgRef,set=<null>,type=<null>])],
> PP({.../common/common-3}expression):[PPV(ExpressionType:ExpressionType(trace=true,variable=[],evaluator=assignmentTargetSearch:com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentTargetSearchExpressionEvaluatorType at 6ad803d6[assignmentProperties=PCV(null):[PP({.../common/common-3}relation):[PPV(QName:{...common/org-3}manager)]],createOnDemand=<null>,defaultTargetRef=<null>,filter=com.evolveum.prism.xml.ns._public.query_3.SearchFilterType at 4027d71d[description=<null>,text=<null>,filterClauseXNode=XNode(map:1
> entries) {
> ref=XNode(map:2 entries) {
> path=XNode(primitive:parentOrgRef (class
> com.evolveum.prism.xml.ns._public.types_3.ItemPathType));
> value=XNode(map:2 entries) {
> oid=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
> declarations),attr);
> relation=XNode(primitive:parser ValueParser(DOM-less, q:any, namespace
> declarations),attr) } }
> },frozen=false],oid=<null>,populate=<null>,populateObject=<null>,searchStrategy=<null>,targetType={http://midpoint.evolveum.com/xml/ns/public/common/common-3}OrgType,condition=<null>,description=<null>,documentation=<null>,includeNullInputs=<null>,relativityMode=<null>,trace=<null>]))],
> PP({.../common/common-3}target):[PPV(VariableBindingDefinitionType:com.evolveum.midpoint.xml.ns._public.common.common_3.VariableBindingDefinitionType at 20984b13[description=<null>,documentation=<null>,name=<null>,path=$focus/assignment,set=<null>,type=<null>])]]]]],
> PP({.../common/common-3}focusType):[PPV(QName:UserType)]]]),
> definition={.../common/common-3}AssignmentType[0,-1],RAM)
> operation => TypedValue(modify, class=String)
> Output definition: PCD:{.../common/common-3}assignment
> {.../common/common-3}AssignmentType[0,-1],RAM
> Evaluators: assignmentTargetSearchExpression
> Result:
> ------------------------------------------------------
> 2022-08-01 07:09:01,918 [MODEL] [http-nio-8080-exec-9] INFO
> (com.evolveum.midpoint.model.common.mapping.AbstractMappingImpl):
> Mapping trace:
> ---[ MAPPING 'Testname' in assigned mapping 'Testname
> ($immediateRole/parentOrgRef -> $focus/assignment)' in
> role:732c2053-e968-4f83-9dd5-a38f6d3d3d36(Gruppenadmin) in
> role:b07f8e72-a18e-4b8f-b52a-e22addcdce09(fg-test-admins) in
> user:735a2e75-6285-4285-a8fa-99395d8af41a(etestfgadmin)]---------------------------
> Strength: STRONG
> Source parentOrgRef:
> old:
> PrismReferenceImpl({.../common/common-3}parentOrgRef):[PRV(oid=2e223424-517e-4181-a4bb-5b94b1bcc85c,
> targetType={.../common/common-3}OrgType,
> relation={.../common/org-3}default)]
> delta: null
> new:
> PrismReferenceImpl({.../common/common-3}parentOrgRef):[PRV(oid=2e223424-517e-4181-a4bb-5b94b1bcc85c,
> targetType={.../common/common-3}OrgType,
> relation={.../common/org-3}default)]
> Target: PCD:{.../common/common-3}assignment
> {.../common/common-3}AssignmentType[0,-1],RAM
> Expression: assignmentTargetSearchExpression
> Condition: true -> true
> Result:
> ------------------------------------------------------
> 2022-08-01 07:09:01,920 [MODEL] [http-nio-8080-exec-9] TRACE
> (com.evolveum.midpoint.model.impl.lens.ChangeExecutor): Skipping focus
> change execute, because focus delta is empty and there are no
> projections changes
> 2022-08-01 07:09:01,920 [MODEL] [http-nio-8080-exec-9] TRACE
> (com.evolveum.midpoint.model.impl.lens.ChangeExecutor): Restart
> requested = false
>
> ----------------------------------------------------------------------------------------------------
>
>
>
> Since the Result in both evaluations is empty I'm guessing something
> with my filter doesn't work the way I would like it to. But the OID
> 2e223424-517e-4181-a4bb-5b94b1bcc85c listed in sources parentOrgRef is
> the one I was hoping to assign to the user.
>
> Is what I'm trying to achieve even possible? Or is there another way
> to solve my problem that I am simply not aware of?
>
> Kind regards
>
> Sven
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
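
Added example (not part of the original thread and not taken from the midPoint samples): one way to write the mapping so that the search looks up the org by its own OID, as the reply suggests, instead of filtering orgs on their own parentOrgRef item. It assumes that an `inOid` filter accepts a script expression and that the mapping source is visible inside the filter as the variable `parentOrgRef`; it has not been checked against midPoint 4.4.1. Pinning the search to a single OID also keeps the `org:manager` assignment limited to the org the role actually belongs to.

```xml
<!-- Added example: role and mapping names are from the thread; the inOid + script form is an assumption -->
<inducement xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
            xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
    <focusMappings>
        <mapping>
            <authoritative>true</authoritative>
            <name>Testname</name>
            <strength>strong</strength>
            <source>
                <!-- Shows up in the trace as "Source parentOrgRef"; assumed to be the variable name too -->
                <path>$immediateRole/parentOrgRef</path>
            </source>
            <expression>
                <assignmentTargetSearch>
                    <targetType>OrgType</targetType>
                    <filter>
                        <!-- Match the org whose own OID equals the OID carried by the source reference -->
                        <q:inOid>
                            <expression>
                                <script>
                                    <code>parentOrgRef?.oid</code>
                                </script>
                            </expression>
                        </q:inOid>
                    </filter>
                    <assignmentProperties>
                        <!-- The generated assignment gets the manager relation -->
                        <relation>org:manager</relation>
                    </assignmentProperties>
                </assignmentTargetSearch>
            </expression>
            <target>
                <path>$focus/assignment</path>
            </target>
        </mapping>
    </focusMappings>
    <focusType>UserType</focusType>
</inducement>
```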