[midPoint] order=3

Pavol Mederly mederly at evolveum.com
Tue Mar 29 20:48:59 CEST 2022 

Hello Yakov,

this is quite an interesting situation.

I have no time to try this myself, but my guess is that assignmentPath 
should help. I'd consider putting it into the inducement condition, and 
I would simply check if Link1 is on the path.

Another thing to consider could be so-called order constraints, but they 
are limited to relations, not to specific intermediate roles.

Regards,

-- 
Pavol Mederly
Software developer
evolveum.com

On 29/03/2022 19:56, Yakov Revyakin via midPoint wrote:
> Hi,
> My organization structure looks like:
>
> Org "Unit1"
> - Org "Unit2"
> - - User "User1"
> - Org "Link1"
> - - User "User2"
>
> There are 2 types of orgs: Unit and Link.
>
> I'd like to assign a role to a user if only the following path exists:
> Org "Unit1" -> *Org "Link1"* -> User "User2"
> I can do this with order=3 inducement defined in a role assigned to Unit1.
>
> Above you can see that User1 also can be recognized as a source for 
> order=3 assignment.
> Org "Unit1" -> Org "Unit2" -> User "User1"
> But you can't see any Link org between User1 and parent Unit2. So, the 
> role should't be assigned to User1.
>
> How to configure this kind of limitation?
>
> Role to be assigned to Unit1:
> <role oid="172a6f10-12a5-4600-8939-875da1cf14ab">
>     <name>Unit Role</name>
>     <inducement>
>         <targetRef oid="d492b520-2b48-44df-8a94-88e3a2a33c56" 
> relation="org:default" type="c:RoleType"/>
> *<order>3</order>*
>         <focusType>c:UserType</focusType>
>     </inducement>
> </role>
>
> The role I am waiting be assigned to User2:
> <role oid="d492b520-2b48-44df-8a94-88e3a2a33c56">
>     <name>User IT Role</name>
>     <inducement>
>         <construction>
>             <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" 
> relation="org:default" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>         </construction>
>     </inducement>
>     <condition>
>         <expression>
>             <script>
>                 <code>
>                     import 
> com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
>                     import 
> com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>
>                     ObjectType o = assignmentPath.getProtoRole();
>                     return o instanceof OrgType && ((OrgType) 
> o).costCenter == "link";
>                 </code>
>             </script>
>         </expression>
>     </condition>
> </role>
>
> I used a condition in a role but the role is not assigned. If I change 
> the condition simply to true it is always assigned independently of 
> the parent path. It is not clear how to use assignmentPath to solve 
> the problem. Could someone help?
> J
>
>
>
>
>
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20220329/cb3afa1a/attachment.htm>

More information about the midPoint mailing list