[midPoint] How to not create an assignment that already exists but is indirect / induced ?

Alcides Moraes alcides.neto at gmail.com
Mon Jan 15 20:58:22 CET 2024


Never mind, that change was only showing on the “Show changes” page, I guess it makes sense that roleMembershipRef is never written there. Possible bug here?

So that works! I check if the role.oid is in roleMembershipRef but not in the focus assignments, and thus return the null value for it, so it is not created.

Thanks!

> On Jan 15, 2024, at 16:16, Alcides Moraes <alcides.neto at gmail.com> wrote:
> 
> Hello Fabian,
> 
> Thanks for your reply, roleMembershipRef seems to be just what I needed, since it contains all the induced roles.
> 
> However, during the assignment process, roleMembershipRef still does not contain the value of the new assignment, and midpoint is being a little too efficient and checking the inbound mappings even before writing to the resource.
> 
> So, when I assign a role that induces another role that has projection to the resource, the inbound mapping is already being evaluated and creating the direct assignment in one swoop.
> 
> Is there maybe a way to stop midpoint from evaluating inbound mappings so soon?  
> Or another approach to all this that I’m missing?
> 
> Thanks again for your help.
> 
>> On Jan 12, 2024, at 05:44, Fabian Noll-Dukiewicz <fabian.noll-dukiewicz at veryfy.gmbh> wrote:
>> 
>> Hi,
>>  
>> I don’t know how to check for indirect assignments, but as a workaround you can check which assignments the user already has. I use the function “focus.getRoleMembershipRef()” in an objectTemplate to check if the user has a specific assignment. I think it is also possible to use this function in a mapping condition in your resource configuration.
>>  
>> Please let me know if you need some further information.
>>  
>> Kind regards,
>> Fabian
>>  
>> --
>> Fabian Noll-Dukiewicz
>> Identity & Access Management Specialist | Managing Director
>> Tel.: +49 152 244 63 211
>> Email: fabian.noll-dukiewicz at veryfy.gmbh <mailto:fabian.noll-dukiewicz at veryfy.gmbh>
>> Web: https://veryfy.gmbh <https://veryfy.gmbh/>  
>>  
>>  
>> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Alcides Moraes via midPoint <midpoint at lists.evolveum.com>
>> Date: Wednesday, January 10, 2024 at 23:56
>> To: midPoint General Discussion <midpoint at lists.evolveum.com>
>> Cc: Alcides Moraes <alcides.neto at gmail.com>
>> Subject: [midPoint] How to not create an assignment that already exists but is indirect / induced ?
>> 
>> Hello list,
>>  
>> TL;DR - Is there a way to check for indirect assignments in groovy script expressions?
>>  
>> Now for the full use case:
>>  
>> We have a resource with a custom in-house connector that is working well for direct assignments.
>> There are inbound / outbound mappings to create the assignments given in midpoint and in the resource directly, both ways.
>>  
>> However, if I give an indirect assignment to an object from midpoint, midpoint also processes the inbound mapping afterwards and then also creates the direct assignment in midpoint as well. 
>> How should I filter this? I thought about creating a set condition in the mapping, that would check for indirect assignment, but I don’t think there’s a function for this? Midpoint script library has an isDirectlyAssigned function only.
>>  
>> I should note that I’m not using an association mapping, because I need to populate the assignment with additional fields (like orgRef for example), and I don’t think I’m able to do this with the association/assignmentTargetSearch approach, so I’m using standard attribute/inbound mapping and create the assignment there.
> 
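
The check described in the reply at the top of this thread (role OID present in roleMembershipRef but absent from the focus's own assignments, so the mapping returns null), written out as an added Groovy example that is not code from the original posts or from midPoint. `Ref`, `Assignment`, `Focus` and `assignmentForInbound` are hypothetical stand-ins for midPoint's schema beans so the logic runs offline, and the OIDs are constructed.

```groovy
// Stand-ins for the focus object and its reference/assignment beans, reduced
// to the properties this check reads (assumption: simplified, not midPoint classes).
class Ref { String oid }
class Assignment { Ref targetRef; Ref orgRef }
class Focus {
    List<Assignment> assignment = []      // direct assignments only
    List<Ref> roleMembershipRef = []      // direct + induced memberships
}

/**
 * Value an inbound mapping would return for a role reported by the resource.
 * Returns null when the role is held only through inducement, so no direct
 * assignment is created on top of the indirect one.
 */
Assignment assignmentForInbound(Focus focus, String roleOid, String orgOid) {
    if (roleOid == null) {
        return null
    }
    Set<String> direct = focus.assignment.collect { it.targetRef?.oid }.findAll { it != null } as Set
    Set<String> effective = focus.roleMembershipRef.collect { it.oid } as Set

    boolean inducedOnly = effective.contains(roleOid) && !direct.contains(roleOid)
    if (inducedOnly) {
        return null
    }
    // Directly assigned already, or new on the resource: return the assignment,
    // including the extra orgRef field the original post needs to populate.
    return new Assignment(targetRef: new Ref(oid: roleOid),
                          orgRef: orgOid ? new Ref(oid: orgOid) : null)
}

// Constructed sample: "oid-business-role" is assigned directly and induces
// "oid-app-role", so both OIDs appear in roleMembershipRef.
def user = new Focus(
    assignment: [new Assignment(targetRef: new Ref(oid: 'oid-business-role'))],
    roleMembershipRef: [new Ref(oid: 'oid-business-role'), new Ref(oid: 'oid-app-role')])

assert assignmentForInbound(user, 'oid-app-role', 'oid-org-1') == null           // induced only
assert assignmentForInbound(user, 'oid-business-role', null).targetRef.oid == 'oid-business-role'
assert assignmentForInbound(user, 'oid-new-role', 'oid-org-1').orgRef.oid == 'oid-org-1'
```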
