[midPoint] Roles, Orgs, relations and, probably, orderConstraint

Yakov Revyakin yrevyakin at gmail.com
Thu Jan 26 14:57:17 CET 2023


Hi Ivan,
This works and suits as a workaround. Thank you.

Using this solution we still have a list of IT roles assigned to the user
indirectly and which don't result in assigning associations because the
metarole prevents this. Those IT roles in the list can confuse any
administrator who can see roles assigned but can't see any income in
resources.
I still would like to understand this <orderConstraint> feature deeper and
how to apply it for my case.
I've prepared some objects.

Org structure contains 2 orgs - top and subordinate:

<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     oid="1a4ec491-58d8-4646-9d9f-a00bc4091257">
    <name>Top Org</name>
    <assignment>
        <targetRef oid="13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e"
                   relation="org:default" type="c:RoleType"/>
    </assignment>
</org>

<org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     oid="e80eb644-6a7b-414d-97dd-7209378708a8"
     version="0">
    <name>Bottom Org</name>
    <assignment>
        <targetRef oid="1a4ec491-58d8-4646-9d9f-a00bc4091257"
                   relation="org:default" type="c:OrgType"/>
    </assignment>
    <assignment>
        <targetRef oid="1db7b2ac-b840-45d0-b4b7-44a1b63e9050"
                   relation="org:default" type="c:RoleType"/>
    </assignment>
</org>

Two business roles - Top Role assigned to Top Org, Bottom Role assigned to
Bottom Org.

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e">
    <name>Top Role</name>
    <inducement>
        <targetRef oid="8bfb56c3-d3f6-4176-91c8-d5b66d866666"
                   relation="org:default" type="c:RoleType"/>
        <orderConstraint>
            <order>2</order>
            <resetOrder>1</resetOrder>
            <relation>org:default</relation>
        </orderConstraint>
        <focusType>c:UserType</focusType>
    </inducement>
</role>

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="1db7b2ac-b840-45d0-b4b7-44a1b63e9050">
    <name>Bottom Role</name>
    <inducement>
        <targetRef oid="ed7bbc79-e048-4e49-bea7-180b48ef41ea"
                   relation="org:default" type="c:RoleType"/>
        <orderConstraint>
            <order>2</order>
            <resetOrder>1</resetOrder>
            <relation>org:default</relation>
        </orderConstraint>
        <focusType>c:UserType</focusType>
    </inducement>
</role>

Also, there are two IT roles which the business roles assign:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="ed7bbc79-e048-4e49-bea7-180b48ef41ea">
    <name>o365-dynamics365-team-members</name>
</role>

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      oid="8bfb56c3-d3f6-4176-91c8-d5b66d866666">
    <name>o365-ms365-e3</name>
</role>

... and two users who live in the appropriate orgs:

<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="1d63fb35-9a99-4494-97ac-3977670fea96">
    <name>Top User</name>
    <assignment>
        <targetRef oid="1a4ec491-58d8-4646-9d9f-a00bc4091257"
                   relation="org:default" type="c:OrgType"/>
    </assignment>
</user>

<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="0d63fb35-9a99-4494-97ac-3977670fea96">
    <name>Bottom User</name>
    <assignment>
        <targetRef oid="e80eb644-6a7b-414d-97dd-7209378708a8"
                   relation="org:default" type="c:OrgType"/>
    </assignment>
</user>

My expectation is that midPoint assigns an IT role from Top Role to a
member of Top Org, and an IT role from Bottom Role to a member of Bottom Org.
For this I've set resetOrder=1 (I think 1 corresponds to organization in
assignmentPath) for the default relation (member of organization).

Actually, I can see that the Top User received the IT role from the Top
Role, but the Bottom User received the IT role from the Bottom Role and,
also, the IT role from the Top Role!!!! The Top Role assigns its IT roles
to members of its own organization and also to members of all
subordinate orgs.

If I try to use well-known order=2 instead of using orderConstraint I have
proper assignments. But for this case I can't manage relations and if an
org includes a manager who is not a member I can't prevent IT role
assignment to this manager.

Could you explain what actually happens and where my mistake is?
Thanks in advance,
Yakov


On Mon, 23 Jan 2023 at 10:10, Ivan Noris via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hi Yakov,
>
> I was using this for something similar (only members, not managers should
> have a group association given by a metarole in organization unit):
>
>                     <condition>
>                         <script>
>                             <code>
> /* fixes MID-5538 as relation may be null in some waves.
> Checking just for ORG_DEFAULT does not work in such cases. This method
> works even if the relation is null.
>
> Credits to P. Mederly
> */
>
> targetRef != null &&
>  midpoint.relationRegistry.isMember(targetRef.relation) &&
>  !midpoint.relationRegistry.isManager(targetRef.relation)
>                         </code>
>                         </script>
>                     </condition>
>
> I was using this condition in my association/outbound element in metarole,
> but you can try it for your case as well.
>
> The original author of this example is noted in the comments :-)
>
> NOTE: I last used/tested this with midPoint 4.4.something.
>
> Best regards,
>
> Ivan
> On 22. 1. 2023 17:08, Yakov Revyakin via midPoint wrote:
>
> Hi friends,
> I have a question about how to assign something a bit unusual.
>
> There is an Org with 2 users. User1 is a member of the Org, User2 is a
> manager of the Org but isn't a member of it.
> There is a BusinessRole which induces an IT Role to order=2 users.
>
> I'm assigning the BusinessRole to the Org. User1 & User2 are order 2 users
> related to the Business Role (correct?).
>
> Is it possible to differentiate User1 (a member) and User2 (a manager)
> during assigning the IT Role which happens as result of assigning the
> BusinessRole to the Org?
>
> So, I'd like to assign the BusinessRole to the Org and have the IT Role
> assigned to members of the Org only (User1).
>
> Thanks in advance,
> J
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
> --
> Ivan Noris
> Expert Identity Engineer, evolveum.com
>
>
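Added example (not from the thread or from the midPoint project): a small Python script that loads the orgs, roles and users Yakov posted above and enumerates every assignment path from each user to an IT role, counting how many assignment segments are crossed before a business role's inducement is reached. It only walks the object graph; it does not reproduce midPoint's evaluation order or its orderConstraint/resetOrder logic, and the "hops" number is this script's own measure, not midPoint's order. The objects are copied from the thread with the unused xmlns:c/xmlns:org declarations dropped; everything else (oids, names, assignments, inducements) is as posted.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"

# The orgs, roles and users from the thread, pasted into one document.
OBJECTS_XML = """
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <org oid="1a4ec491-58d8-4646-9d9f-a00bc4091257"><name>Top Org</name>
    <assignment><targetRef oid="13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e" relation="org:default"/></assignment>
  </org>
  <org oid="e80eb644-6a7b-414d-97dd-7209378708a8"><name>Bottom Org</name>
    <assignment><targetRef oid="1a4ec491-58d8-4646-9d9f-a00bc4091257" relation="org:default"/></assignment>
    <assignment><targetRef oid="1db7b2ac-b840-45d0-b4b7-44a1b63e9050" relation="org:default"/></assignment>
  </org>
  <role oid="13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e"><name>Top Role</name>
    <inducement><targetRef oid="8bfb56c3-d3f6-4176-91c8-d5b66d866666" relation="org:default"/>
      <orderConstraint><order>2</order><resetOrder>1</resetOrder><relation>org:default</relation></orderConstraint>
    </inducement>
  </role>
  <role oid="1db7b2ac-b840-45d0-b4b7-44a1b63e9050"><name>Bottom Role</name>
    <inducement><targetRef oid="ed7bbc79-e048-4e49-bea7-180b48ef41ea" relation="org:default"/>
      <orderConstraint><order>2</order><resetOrder>1</resetOrder><relation>org:default</relation></orderConstraint>
    </inducement>
  </role>
  <role oid="ed7bbc79-e048-4e49-bea7-180b48ef41ea"><name>o365-dynamics365-team-members</name></role>
  <role oid="8bfb56c3-d3f6-4176-91c8-d5b66d866666"><name>o365-ms365-e3</name></role>
  <user oid="1d63fb35-9a99-4494-97ac-3977670fea96"><name>Top User</name>
    <assignment><targetRef oid="1a4ec491-58d8-4646-9d9f-a00bc4091257" relation="org:default"/></assignment>
  </user>
  <user oid="0d63fb35-9a99-4494-97ac-3977670fea96"><name>Bottom User</name>
    <assignment><targetRef oid="e80eb644-6a7b-414d-97dd-7209378708a8" relation="org:default"/></assignment>
  </user>
</objects>
"""

# (target oid, "assignment" or "inducement", relation attribute of the targetRef)
Edge = Tuple[str, str, str]


def load_graph(xml_text: str) -> Tuple[Dict[str, str], Dict[str, List[Edge]]]:
    """Index the dump as oid -> name and oid -> outgoing assignment/inducement edges."""
    root = ET.fromstring(xml_text.strip())
    names: Dict[str, str] = {}
    edges: Dict[str, List[Edge]] = {}
    for obj in root:
        oid = obj.get("oid")
        names[oid] = obj.findtext(NS + "name")
        edges[oid] = []
        for kind in ("assignment", "inducement"):
            for elem in obj.findall(NS + kind):
                ref = elem.find(NS + "targetRef")
                edges[oid].append((ref.get("oid"), kind, ref.get("relation", "")))
    return names, edges


def walk(edges: Dict[str, List[Edge]], oid: str,
         trail: List[Tuple[str, str]]) -> List[List[Tuple[str, str]]]:
    """Enumerate every (oid, edge kind) trail from `oid` to an object with no outgoing edges."""
    if not edges.get(oid):
        return [trail]
    trails = []
    for target, kind, _relation in edges[oid]:
        if any(target == seen for seen, _ in trail):
            continue  # skip cycles so a mis-linked org tree cannot loop forever
        trails.extend(walk(edges, target, trail + [(target, kind)]))
    return trails


def effective_it_roles(xml_text: str, user_name: str) -> List[Tuple[str, List[str], int]]:
    """For one user: (IT role name, path of object names, assignment hops before the inducement)."""
    names, edges = load_graph(xml_text)
    oid_by_name = {name: oid for oid, name in names.items()}
    start = oid_by_name[user_name]
    results = []
    for trail in walk(edges, start, [(start, "")]):
        kinds = [kind for _, kind in trail[1:]]
        if "inducement" not in kinds:
            continue  # never reached a business role's inducement, so no IT role on this path
        hops = kinds.index("inducement")  # assignment segments crossed before the inducement
        results.append((names.get(trail[-1][0], trail[-1][0]),
                        [names.get(oid, oid) for oid, _ in trail], hops))
    return sorted(results)


if __name__ == "__main__":
    for user in ("Top User", "Bottom User"):
        for it_role, path, hops in effective_it_roles(OBJECTS_XML, user):
            print(f"{user}: {it_role} via {' -> '.join(path)} "
                  f"({hops} assignment hops before the inducement)")
```

Run stand-alone, it prints one line per user/IT-role path. Top User reaches o365-ms365-e3 after two assignment hops (Top User to Top Org, Top Org to Top Role). Bottom User reaches o365-dynamics365-team-members after two hops, but also reaches o365-ms365-e3 after three hops, because Bottom Org's own assignment to Top Org adds one more org segment in front of Top Role's inducement. That extra segment is exactly the path the thread's observation describes, and it is the place where the choice of order versus resetOrder matters when the inducement should stop at the org that holds the business role. The same script can be pointed at an export of real objects to audit which indirect entitlements an org hierarchy hands out before changing the constraints.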

