[midPoint] Certification with object role - target user
Pavol Mederly
mederly at evolveum.com
Tue Mar 22 18:31:28 CET 2022

Hello Markus,

when we talk about memberships, what you certify is the assignment.

It is not possible to certify a membership that has no corresponding assignment (i.e. an indirect, or induced, membership). The reason is simple: if the reviewer decides that such membership should not exist, there is no way of automatically determining what should be done to remove such membership.

Therefore, only assignments can be certified. At least for now.

And the current implementation is such that midPoint searches for the assignment holder (typically a user), and then goes through the list of his/her assignments, and creates certification cases for them.

Alternatively, you can search for roles, and certify their assignments or inducements.

It can be seen here:
https://github.com/Evolveum/midpoint/blob/1fcd21fa98ae24ee6a42ba2b9f35decb9e77f7a0/model/certification-impl/src/main/java/com/evolveum/midpoint/certification/impl/handlers/DirectAssignmentCertificationHandler.java#L52-L75

Best regards,
-- 
Pavol Mederly
Software developer
evolveum.com

On 22/03/2022 16:11, Markus Steiner via midPoint wrote:
> Hi everyone
>
> I have to certify the members of some specific roles.
> So I configured the scope of a certification with object type = 'roles' followed by a filter criteria.
> As target I configured users.
>
>     <scopeDefinition xsi:type="c:AccessCertificationAssignmentReviewScopeType">
>         <name>test-certification</name>
>         <description>test-certification</description>
>         <objectType>RoleType</objectType>
>         <includeAssignments>true</includeAssignments>
>         <includeInducements>false</includeInducements>
>         <includeResources>false</includeResources>
>         <includeRoles>false</includeRoles>
>         <includeOrgs>false</includeOrgs>
>         <includeServices>false</includeServices>
>         <includeUsers>true</includeUsers>
>         <enabledItemsOnly>false</enabledItemsOnly>
>         <relation>q:any</relation>
>     </scopeDefinition>
>
> Does not work. I get no task with assignments to certify.
>
> The opposite way with object type = users and target = roles it runs perfectly.
> Do I have to use users as object and filter the roles after?
>
> Thanks for any hint!
>
> Markus