[midPoint] order=3

Yakov Revyakin yrevyakin at gmail.com
Tue Mar 29 19:56:36 CEST 2022


Hi,
My organization structure looks like:

Org "Unit1"
- Org "Unit2"
- - User "User1"
- Org "Link1"
- - User "User2"

There are 2 types of orgs: Unit and Link.

I'd like to assign a role to a user only if the following path exists:
Org "Unit1" -> *Org "Link1"* -> User "User2"
I can do this with an order=3 inducement defined in a role assigned to Unit1.

Above you can see that User1 can also be recognized as a source for an order=3
assignment:
Org "Unit1" -> Org "Unit2" -> User "User1"
But there is no Link org between User1 and its parent Unit2, so the role
shouldn't be assigned to User1.

How to configure this kind of limitation?

Role to be assigned to Unit1:
<role oid="172a6f10-12a5-4600-8939-875da1cf14ab">
    <name>Unit Role</name>
    <inducement>
        <targetRef oid="d492b520-2b48-44df-8a94-88e3a2a33c56" relation="org:default" type="c:RoleType"/>
        <order>3</order>
        <focusType>c:UserType</focusType>
    </inducement>
</role>

The role I am expecting to be assigned to User2:
<role oid="d492b520-2b48-44df-8a94-88e3a2a33c56">
    <name>User IT Role</name>
    <inducement>
        <construction>
            <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
        </construction>
    </inducement>
    <condition>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;

                    // Intended check: the "proto role" of the assignment path
                    // must be an org whose costCenter marks it as a Link org.
                    ObjectType o = assignmentPath.getProtoRole();
                    return o instanceof OrgType &amp;&amp; ((OrgType) o).costCenter == "link";
                </code>
            </script>
        </expression>
    </condition>
</role>

I used a condition in the role, but the role is not assigned. If I simply
change the condition to true, it is always assigned regardless of the parent
path. It is not clear how to use assignmentPath to solve the problem. Could
someone help?
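As an added example (not code from the original post or from midPoint itself), here is a condition script that checks the org the user is directly assigned to, rather than only the proto role. It assumes the condition runs with midPoint's assignmentPath variable in scope, that getSegments() on the path lists the segments starting from the user's own assignment, and that getTarget() on a segment returns that segment's target object; all three are assumptions, not confirmed by the post.

```groovy
// Added example, not from the original post. Condition script for the
// "User IT Role" that walks the assignment path instead of only asking
// for the proto role.
// Assumed API (not confirmed by the post): assignmentPath.getSegments()
// returns the path segments in order, segment 0 being the user's own
// assignment, and segment.getTarget() returns the segment's target object.
import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType

def segments = assignmentPath?.segments
if (segments == null || segments.isEmpty()) {
    // No path at all (e.g. direct assignment of this role): refuse.
    return false
}

// The org the user is directly assigned to is the target of the first
// segment. Anything else on the way (Unit1, the Unit Role) does not matter
// for this rule; only the immediate parent has to be a Link org.
def directParent = segments[0].target
if (!(directParent instanceof OrgType)) {
    return false
}

// costCenter is the discriminator the post already uses; "link" marks a
// Link org. equals() avoids relying on Groovy's == semantics for strings.
return "link".equals(directParent.costCenter)
```

With this check User2 (Unit1 -> Link1 -> User2) passes because its first segment targets Link1, while User1 (Unit1 -> Unit2 -> User1) is refused because Unit2 is not a Link org.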