[midPoint] How to not create an assignment that already exists but is indirect / induced ?

Mon Jan 15 20:16:25 CET 2024

Hello Fabian,

Thanks for your reply, roleMembershipRef seems to be just what I needed, since it contains all the induced roles.

However, during the assignment process, roleMembershipRef still does not contain the value of the new assignment, and midpoint is being a little too efficient and checking the inbound mappings even before writing to the resource.

So, when I assign a role that induces another role that has projection to the resource, the inbound mapping is already being evaluated and creating the direct assignment in one swoop.

Is there maybe a way to stop midpoint from evaluating inbound mappings so soon?  
Or another approach to all this that I’m missing?

Thanks again for your help.

> Em 12 de jan. de 2024, à(s) 05:44, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at veryfy.gmbh> escreveu:
> 
> Hi,
>  
> I don’t know how to check for indirect assignments, but as workaround you can check which assignments the user already has. I use the function “focus.getRoleMembershipRef()” in objectTemplate to check if the user has a specific assignment. I think it is also possible to use this function in mapping condition in your resource configuration.
>  
> Please let me know if you need some further information.
>  
> Kind regards,
> Fabian
>  
> --
> Fabian Noll-Dukiewicz
> Spezialist Identity & Access Management | Geschäftsführer
> Tel.: +49 152 244 63 211
> Email: fabian.noll-dukiewicz at veryfy.gmbh <mailto:fabian.noll-dukiewicz at veryfy.gmbh>
> Web: https://veryfy.gmbh <https://veryfy.gmbh/>  
>  
>  
> Von: midPoint <midpoint-bounces at lists.evolveum.com> im Auftrag von Alcides Moraes via midPoint <midpoint at lists.evolveum.com>
> Datum: Mittwoch, 10. Januar 2024 um 23:56
> An: midPoint General Discussion <midpoint at lists.evolveum.com>
> Cc: Alcides Moraes <alcides.neto at gmail.com>
> Betreff: [midPoint] How to not create an assignment that already exists but is indirect / induced ?
> 
> Hello list,
>  
> TL;DR - Is there a way to check for indirect assignments in groovy script expressions?
>  
> Now for the full use case:
>  
> We have a resource with a custom in-house connector that is working well for direct assignments.
> There are inbound / outbound mappings to create the assignments given in midpoint and in the resource directly, both ways.
>  
> However, if I give an indirect assignment to an object from midpoint, midpoint also processes the inbound mapping afterwards and then also creates the direct assignment in midpoint as well. 
> How should I filter this? I thought about creating a set condition in the mapping, that would check for indirect assignment, but I don’t think there’s a function for this? Midpoint script library has a isDirectlyAssigned function only.
>  
> I should note that I’m not using an association mapping, because I need to populate the assignment with additional fields (like orgRef for example), and I don’t think I’m able to do this with the association/assignmentTargetSearch approach, so I’m using standard attribute/inbound mapping and create the assignment there.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20240115/3c3e8505/attachment-0001.htm>