[midPoint] Association construction for multi-account resources

Pavol Mederly mederly at evolveum.com
Mon Jun 30 14:04:56 CEST 2025 

Hello Om,

I apologize for my late answer, I was very busy with our development 
project this month. From what I see, you don't need to specify tag in 
the projectionDiscriminator (that looks for group shadows), simply 
because you don't have tags for groups!

So, I think that

<projectionDiscriminator>
   <kind>entitlement</kind>
   <intent>entitlement</intent>
</projectionDiscriminator>

should work just fine - it should select appropriate entitlement for 
given account.

What you perhaps need, though, is to somehow enable the inducement 
"ent-1" only for accounts with tag "abc", and inducement "ent-2" only 
for accounts with tag "gpo".

I would consider adding a condition to particular outbound mappings. (I 
am not sure if it would work, but you can try. The idea is to check the 
tag of the account in question.)

Best regards,

-- 
Pavol Mederly
Software developer
evolveum.com

On 03/06/2025 16:00, Om Bhallamudi via midPoint wrote:
> Hi Pavol,
>
> On Tuesday, 3 June 2025 at 13:58, Pavol Mederly via midPoint 
> <midpoint at lists.evolveum.com> wrote:
>>
>> I am quite surprised you have different tags for groups. Usually, 
>> they are used for accounts. What is your use case?
>>
> Thanks for clearing that up. I am using tags for the accounts, but 
> want to assign different entitlements to the accounts:
>
>  1. Accounts: account-1 (tag: abc), account-2 (tag: gpo)
>  2. Roles:
>      1. abc-account:
>          1. Construct account with tag "abc-account"
>      2. gpo-account
>          1. Construct account with tag "gpo-account"
>      3. ent-1:
>          1. Construct entitlement ent-1 on resource
>          2. Inducement: Associate account with tag: abc with ent-1
>      4. ent-2:
>          1. Construct entitlement ent-2 on resource
>          2. Inducement: Associate account with tag: gpo with ent-2
>  3. Expected output
>      1. Accounts:
>          1. account-1, attributes: entitlements = [ "ent-1"]
>          2. account-2, attributes: entitlements = [ "ent-2"]
>      2. Entitlements:
>          1. ent-1
>          2. ent-2
>
>
> FYI I am using tags for (abc, gpo) and not intents because I'd like 
> the values to be dynamic..
>
> Om Bhallamudi
> Proton AG
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250630/e7a8e237/attachment.htm>

More information about the midPoint mailing list