[midPoint] order=3

Yakov Revyakin yrevyakin at gmail.com
Wed Mar 30 16:21:36 CEST 2022 

Hi Pavol,

I tried to move the condition to inducement. The inducement doesn't trigger
account assignment.
I think I know why it doesn't work but I don't know how to proceed the case.

In reality User2 has or has to have the following assignments:
- Org "Link1"
- Org "UnitX"
- Role "User It Role"

As Org "Link1" is among these objects I am waiting for the Role "User IT
Role" will be assigned.

In my condition script
ObjectType o = assignmentPath.getProtoRole();
gets three appropriate objects during 3 distinct cycles (with a lot of
repeating):
OrgType "Link1"
OrgType "UnitX"
RoleType "User IT Role"

I check and return
*o instanceof OrgType && ((OrgType) o).costCenter == "link" *
as a condition result.

In result I have three appropriate condition values:
true
false
false

I think this results in resulting *FALSE*.

To calculate the right condition I need a full and the same assignmentPath
for each cycle and always return true if the right org is in place.
Also
<relativityMode>absolute</relativityMode>
doesn't help me.

I think I can try to make a decision with user.parentOrgRef and
<relativityMode>absolute</relativityMode>.

Probably, you know how to reach the goal with assignmentPath?









On Tue, 29 Mar 2022 at 21:49, Pavol Mederly via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello Yakov,
>
> this is quite an interesting situation.
>
> I have no time to try this myself, but my guess is that assignmentPath
> should help. I'd consider putting it into the inducement condition, and I
> would simply check if Link1 is on the path.
>
> Another thing to consider could be so-called order constraints, but they
> are limited to relations, not to specific intermediate roles.
>
> Regards,
>
> --
> Pavol Mederly
> Software developerevolveum.com
>
> On 29/03/2022 19:56, Yakov Revyakin via midPoint wrote:
>
> Hi,
> My organization structure looks like:
>
> Org "Unit1"
> - Org "Unit2"
> - - User "User1"
> - Org "Link1"
> - - User "User2"
>
> There are 2 types of orgs: Unit and Link.
>
> I'd like to assign a role to a user if only the following path exists:
> Org "Unit1" -> *Org "Link1"* -> User "User2"
> I can do this with order=3 inducement defined in a role assigned to Unit1.
>
> Above you can see that User1 also can be recognized as a source for
> order=3 assignment.
> Org "Unit1" -> Org "Unit2" -> User "User1"
> But you can't see any Link org between User1 and parent Unit2. So, the
> role should't be assigned to User1.
>
> How to configure this kind of limitation?
>
> Role to be assigned to Unit1:
> <role oid="172a6f10-12a5-4600-8939-875da1cf14ab">
>     <name>Unit Role</name>
>     <inducement>
>         <targetRef oid="d492b520-2b48-44df-8a94-88e3a2a33c56"
> relation="org:default" type="c:RoleType"/>
>         *<order>3</order>*
>         <focusType>c:UserType</focusType>
>     </inducement>
> </role>
>
> The role I am waiting be assigned to User2:
> <role oid="d492b520-2b48-44df-8a94-88e3a2a33c56">
>     <name>User IT Role</name>
>     <inducement>
>         <construction>
>             <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
> relation="org:default" type="c:ResourceType"/>
>             <kind>account</kind>
>             <intent>default</intent>
>         </construction>
>     </inducement>
>     <condition>
>         <expression>
>             <script>
>                 <code>
>                     import
> com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;
>                     import
> com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;
>
>                     ObjectType o = assignmentPath.getProtoRole();
>                     return o instanceof OrgType && ((OrgType)
> o).costCenter == "link";
>                 </code>
>             </script>
>         </expression>
>     </condition>
> </role>
>
> I used a condition in a role but the role is not assigned. If I change the
> condition simply to true it is always assigned independently of the parent
> path. It is not clear how to use assignmentPath to solve the problem. Could
> someone help?
> J
>
>
>
>
>
>
>
>
> _______________________________________________
> midPoint mailing listmidPoint at lists.evolveum.comhttps://lists.evolveum.com/mailman/listinfo/midpoint
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20220330/adf056b6/attachment.htm>

More information about the midPoint mailing list