[midPoint] Midpoint - Manager at Identity Level

Markus Calmius markus.calmius at proton.ch
Fri Mar 28 14:56:55 CET 2025


Hi Mani,

What we did was to extend the user schema [1] and use that.
We then have a policy/meta-role for all roles that require manager approval, containing the following approver expression (based on [2]):
<approverExpression>
    <description>approving using the user's managerID</description>
    <privileges>
        <runPrivileged>true</runPrivileged>
    </privileges>
    <script>
        <code>
            import com.evolveum.midpoint.xml.ns._public.common.common_3.*
            import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
            import com.evolveum.midpoint.prism.query.*

            extension_key = 'managerID' /* the extended attribute name, corresponds to PERSONAL_NUMBER of the manager */
            manager_id = basic.getExtensionPropertyValue(object, extension_key)
            if (manager_id){
                uQuery = midpoint.getPrismContext().queryFor(UserType.class).item(UserType.F_PERSONAL_NUMBER).eq(manager_id).build()
                mngr = midpoint.searchObjects(UserType.class, uQuery) /* it is only one entry: personalNumber is unique */
                if (mngr){
                    return mngr?.get(0)?.getOid()
                }
                /* falls through with no result: managerID set, but no user with that personalNumber exists */
            }
            else{
                log.error('User {} ({}) has no manager!', basic.getPropertyValue(object, "fullName"), basic.getPropertyValue(object, "emailAddress"))
            }
            /* no OID returned here: the approval stage's outcomeIfNoApprovers setting decides what happens */
        </code>
    </script>
</approverExpression>


[1] https://docs.evolveum.com/midpoint/reference/master/schema/custom-schema-extension/
[2] https://docs.evolveum.com/midpoint/reference/support-4.9/cases/approval/examples/1-multi-stage-metarole-driven-approvals/


Markus Calmius
Proton AG
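
Added example (editor's, not from Markus's post or the midPoint project): the user-schema extension XSD that defines the managerID property the approver expression above reads via basic.getExtensionPropertyValue(object, 'managerID'). The target namespace, the element's display name and the assumption that managerID carries the manager's personalNumber are ours; midPoint picks up such XSD files from the <midpoint.home>/schema/ directory after a restart.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: extends UserType with a single indexed string property "managerID".
     Assumptions: the namespace below is a placeholder for your own,
     and managerID holds the personalNumber of the user's manager. -->
<xsd:schema elementFormDefault="qualified"
            targetNamespace="http://example.com/xml/ns/user-extension"
            xmlns:tns="http://example.com/xml/ns/user-extension"
            xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
            xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">

    <xsd:complexType name="UserTypeExtensionType">
        <xsd:annotation>
            <xsd:appinfo>
                <!-- attach this complex type as the extension container of UserType -->
                <a:extension ref="c:UserType"/>
            </xsd:appinfo>
        </xsd:annotation>
        <xsd:sequence>
            <!-- single-valued; indexed so that it can be used in searches and reports -->
            <xsd:element name="managerID" type="xsd:string" minOccurs="0" maxOccurs="1">
                <xsd:annotation>
                    <xsd:appinfo>
                        <a:indexed>true</a:indexed>
                        <a:displayName>Manager ID (personalNumber of manager)</a:displayName>
                    </xsd:appinfo>
                </xsd:annotation>
            </xsd:element>
        </xsd:sequence>
    </xsd:complexType>

</xsd:schema>
```

One caveat worth stating because the approver expression runs with runPrivileged: whoever can write extension/managerID effectively chooses who approves that user's requests. Populate it only from an authoritative inbound mapping (HR feed) and keep it out of self-service edit forms, and decide explicitly, via the stage's outcomeIfNoApprovers, whether a request with no resolvable manager should be approved, rejected or skipped rather than relying on the default.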


On Thursday, 27 March 2025 at 15:46, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:

> 
> Today's Topics:
> 
> 1. Midpoint - Manager at Identity Level (Mani Pasarla)
> 2. Re: Enforcing group membership not working (h2-wada)
> 3. Filter to find user with exactly two given roles (Marie Ioannou)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Thu, 27 Mar 2025 11:16:37 +0000
> From: Mani Pasarla mani.pasarla at h-kare.com
> 
> To: "midpoint at lists.evolveum.com" midpoint at lists.evolveum.com,
> 
> "midpoint-dev at lists.evolveum.com" midpoint-dev at lists.evolveum.com
> 
> Subject: [midPoint] Midpoint - Manager at Identity Level
> Message-ID:
> PN3P287MB0321C009F3445F8A59C28CD1B4A12 at PN3P287MB0321.INDP287.PROD.OUTLOOK.COM
> 
> 
> Content-Type: text/plain; charset="us-ascii"
> 
> Hi all,
> 
> We are currently setting up MidPoint in our lab environment and working on a few IGA use cases for the demo. Based on the current setup, I see that the manager is configured at the organization level, where all manager approvals are routed to the common manager during access requests and access reviews. However, I wanted to check if it is possible to associate the manager identity object at the individual identity level instead of the organization level. Can you confirm if this is possible and let us know if any specific configurations are required to achieve it?
> 
> Regards,
> Manikanta
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Thu, 27 Mar 2025 13:35:24 +0000
> From: h2-wada h2-wada at nri.co.jp
> 
> To: midPoint General Discussion midpoint at lists.evolveum.com, Odd
> 
> Arne Beck oddbeck at gmail.com
> 
> Subject: Re: [midPoint] Enforcing group membership not working
> Message-ID:
> TYWPR01MB83943EECED72B2494CCB3E94C5A12 at TYWPR01MB8394.jpnprd01.prod.outlook.com
> 
> 
> Content-Type: text/plain; charset="iso-2022-jp"
> 
> Hello,
> 
> > However, if I manually add a user to a group in the database using database tools the Group object in midpoint does not reflect this.
> 
> 
> Have you defined an inbound mapping for the association?
> If you want to update membership on the resource side and reflect it in midPoint (e.g., as a member of a RoleType), an inbound mapping is required.
> 
> https://docs.evolveum.com/midpoint/reference/support-4.8/expressions/mappings/inbound-mapping/#association
> 
> > If I then add the same user through the UI it is not triggering any 'update()' method in my connector - almost as if Midpoint is aware that the user is already in the correct group in the database
> 
> 
> Before updating a resource, midPoint fetches the latest state of the resource and calculates the delta.
> Since the connector returns the membership that was directly added on the resource side, midPoint sees no membership changes to apply, and the update is not triggered.
> 
> > I also expected the group synchronization to actually trigger an "update" or "remove" in the code in my connector to remove the user from the group since he's not "officially" added in the group, however no such functionality is triggered either.
> 
> 
> By default, midPoint does not remove memberships added on the resource side.
> However, you can change this behavior by setting <tolerant>false</tolerant>, which allows midPoint to remove such memberships.
> 
> 
> https://docs.evolveum.com/midpoint/reference/support-4.8/resources/entitlements/#entitlement-membership-removal
> 
> 
> Note: The configuration of associations has changed significantly in v4.9. Please refer to the documentation corresponding to your midPoint version.
> 
> 
> Best regards,
> 
> --
> Hiroyuki Wada
> h2-wada at nri.co.jp
> 
> ________________________________________
> From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Odd Arne Beck via midPoint <midpoint at lists.evolveum.com>
> Sent: 27 March 2025 6:09
> To: midPoint General Discussion
> Cc: Odd Arne Beck
> Subject: [midPoint] Enforcing group membership not working
> 
> Hi!
> 
> I have created a test-connector where users and groups are created in a database, and I can also add groups/membership (entitlements) and that is also reflected in the database.
> 
> If I create a new group it is automatically created in the resource, and when I assign a user to a group the user is created in the resource and the membership is added in the database. When unassigning the user from the group the user is deleted from the resource and also removed from the mapping table for user-> group.
> 
> 
> However, if I manually add a user to a group in the database using database tools the Group object in midpoint does not reflect this. If I then add the same user through the UI it is not triggering any 'update()' method in my connector - almost as if Midpoint is aware that the user is already in the correct group in the database. If I then remove the same user and re-add the user to the group he is removed and then properly added and the group reflects this and the correct update code is run in my connector.
> 
> When adding the user 'manually' It's almost as if midpoint is halfway aware that the user is in the group but not in the group in the UI.
> 
> I also expected the group synchronization to actually trigger an "update" or "remove" in the code in my connector to remove the user from the group since he's not "officially" added in the group, however no such functionality is triggered either.
> 
> Does anyone have an input as to what mechanism I seem to be missing?
> 
> Best regards,
> 
> Odd Beck
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Thu, 27 Mar 2025 14:45:47 +0000
> From: Marie Ioannou marie.ioannou at itconcepts.ch
> 
> To: Marie Ioannou via midPoint midpoint at lists.evolveum.com
> 
> Subject: [midPoint] Filter to find user with exactly two given roles
> Message-ID:
> ZR0P278MB0362D6C6F477F0300F6932AEF0A12 at ZR0P278MB0362.CHEP278.PROD.OUTLOOK.COM
> 
> 
> Content-Type: text/plain; charset="iso-8859-1"
> 
> Dear all,
> 
> Is there a way to filter users who are assigned both Role A and Role B, but no additional roles beyond those two?
> 
> Best regards,
> 
> 
> 
> Dr. Marie Ioannou
> 
> IAM Consultant
> 
> https://www.itconcepts.ch/
> 
> 
> ------------------------------
> 
> 
> ------------------------------
> 
> End of midPoint Digest, Vol 155, Issue 22
> *****************************************

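
Added example for Hiroyuki Wada's reply above (Message 2), written by the editor and not taken from the thread or from the midPoint project: a midPoint 4.8-style association definition that combines the two things he points to, an inbound mapping for the association and tolerant set to false. Assumptions: the connector exposes group membership as a multi-valued account attribute ri:groups (subjectToObject direction), group objects are kind entitlement / intent group, every group is mirrored by a RoleType whose identifier equals the group's icfs:name, and the q: and ri: namespaces are declared on the enclosing resource element. The basic.getAttributeValue lookup by the icfs namespace is our choice for this connector layout; adapt it to the attribute that names groups in yours. As he notes, the association syntax changed in 4.9, so this fragment applies to 4.8.

```xml
<!-- Added example: fragment of schemaHandling in a 4.8-style resource definition.
     Assumes ri:groups on the account holds group names, and roles carry the
     group name in their identifier property. -->
<objectType>
    <kind>account</kind>
    <intent>default</intent>
    <default>true</default>
    <objectClass>ri:AccountObjectClass</objectClass>

    <association>
        <ref>ri:group</ref>
        <displayName>Group membership</displayName>
        <kind>entitlement</kind>
        <intent>group</intent>
        <direction>subjectToObject</direction>
        <associationAttribute>ri:groups</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>

        <!-- The default (tolerant=true) keeps memberships that were added directly on the
             resource. With false, a membership that has no assignment behind it is treated
             as a deviation, and reconciliation asks the connector to remove it. -->
        <tolerant>false</tolerant>

        <!-- Inbound: a membership observed on the resource becomes an assignment of the
             matching role, so the Role object in midPoint reflects it. 'entitlement' is the
             shadow of the group; the icfs:name lookup is an assumption about this connector. -->
        <inbound>
            <expression>
                <assignmentTargetSearch>
                    <targetType>RoleType</targetType>
                    <filter>
                        <q:equal>
                            <q:path>identifier</q:path>
                            <expression>
                                <script>
                                    <code>
                                        // assumed: group name is the icfs:name attribute of the entitlement shadow
                                        return basic.getAttributeValue(entitlement,
                                            'http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3',
                                            'name')
                                    </code>
                                </script>
                            </expression>
                        </q:equal>
                    </filter>
                </assignmentTargetSearch>
            </expression>
            <target>
                <path>assignment</path>
            </target>
        </inbound>
    </association>
</objectType>
```

Pick one of the two, not both, depending on which side is authoritative: with the inbound mapping, a membership created behind midPoint's back is imported as an assignment (and will also need an approval-free path if the role otherwise requires one); with tolerant=false and no inbound mapping, the same membership is an unauthorized change that reconciliation removes. Leaving the default (tolerant=true, no inbound) gives the behaviour Odd observed: the membership exists on the resource, midPoint computes an empty delta when the user is assigned via the UI, and nothing in the connector is called.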
