[midPoint] Question about parametric inducements
Ivan Noris
ivan.noris at evolveum.com
Thu Apr 30 09:26:34 CEST 2026
Hi,

How do you need to use the orgRef information in the induced application
roles?

In one of my previous projects, I was using the following principle:

1. users have business roles assigned with orgRef. Example: business
role: "Municipality-related services" and orgRef referred to the
municipality modelled as OrgType in midPoint
2. the business roles had inducements to application roles. Example:
business role "Municipality-related services" induced "E-mail service" role
3. the "E-mail service" role can access the orgRef from the first
assignment in the row, i.e. from User to business role, by using the
following path expression: $assignment/orgRef and I was using
midpoint.getOrgByOid(orgRef.oid) to access the OrgType if needed

In my specific case, I needed to take the organization's name.
In my case, orgRef was set only in the first (direct) assignment.

If you are interested in a _prehistoric_ midPoint era (2014) example in
more detail, such application roles were described in the following blog
entry: https://evolveum.com/working-multi-tenant-roles/ (I used
"tenantRef" instead of "orgRef", but it would work with orgRef in the
same way).

I hope this can help.

Best regards,
Ivan

On 4/28/26 13:40, Pilar von Pilchau Wenzel - AKDB via midPoint wrote:
> Hi,
>
> I have a question about parametric inducements.
>
> What I have understood so far from reading the docs:
>
> 1. Application roles are the lowest level of roles and define access
>    to an application
> 2. If possible, application roles should not be assigned directly to
>    a user
> 3. The hierarchy should be business role -> application role (via
>    inducement)
>
> I want to define an application role with an orgRef. I have a business
> role that I assign to a user with an orgRef which I can set when I do
> the assignment. Now I want to add an inducement of the application
> role that takes the orgRef from the business role assignment.
> Unfortunately, I could not find a way to set the orgRef from the
> inducement dynamically. It worked when I set it manually. The only
> solution that I found so far was using a focus mapping and create an
> assignment of the application role to the user with the orgRef taken
> from the business role assignment. But then I have an assignment of
> the application role on the user, which is what I should avoid.
>
> So my question is, am I even on the right track? And if so, is there a
> way to parametrize the inducement dynamically?
>
> I am still at my first steps with midpoint and happy for any suggestions.
>
> Best regards
>
> *Dr. Wenzel Pilar von Pilchau*
> Prozessanalyst
> Process Management & Digitalisation
> Mobile +49 162 2530060
> Email Pilar-von-Pilchau.Wenzel at akdb.de
> *AKDB* · Anstalt des öffentlichen Rechts
> Hansastraße 12-16 · 80686 München
> www.akdb.de <https://www.akdb.de/>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
--
Ivan Noris
Expert Identity Engineer
evolveum.com
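
The three-step pattern from the reply above, written out as midPoint objects. This is an added example, not part of the original message or of Evolveum's samples; all OIDs, the user name, the target resource and the ri:description attribute are constructed placeholders. It relies on $assignment/orgRef resolving to the direct user assignment, as the reply describes.

```xml
<!-- Added example; OIDs, user, resource and ri:description are constructed placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
         xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <!-- Application role: reads orgRef from the assignment (step 3 of the reply). -->
    <role oid="00000000-0000-0000-0000-00000000a001">
        <name>E-mail service</name>
        <inducement>
            <construction>
                <resourceRef oid="00000000-0000-0000-0000-00000000e001" type="ResourceType"/>
                <kind>account</kind>
                <attribute>
                    <ref>ri:description</ref>
                    <outbound>
                        <source>
                            <path>$assignment/orgRef</path>
                        </source>
                        <expression>
                            <script>
                                <code>
                                    // No orgRef on the assignment: provision no value.
                                    if (orgRef == null) { return null }
                                    def org = midpoint.getOrgByOid(orgRef.oid)
                                    return org?.name?.orig
                                </code>
                            </script>
                        </expression>
                    </outbound>
                </attribute>
            </construction>
        </inducement>
    </role>
    <!-- Business role: plain inducement, no orgRef set on it (step 2). -->
    <role oid="00000000-0000-0000-0000-00000000b001">
        <name>Municipality-related services</name>
        <inducement>
            <targetRef oid="00000000-0000-0000-0000-00000000a001" type="RoleType"/>
        </inducement>
    </role>
    <!-- User: orgRef is set only on the direct assignment (step 1). -->
    <user oid="00000000-0000-0000-0000-00000000c001">
        <name>jdoe</name>
        <assignment>
            <targetRef oid="00000000-0000-0000-0000-00000000b001" type="RoleType"/>
            <orgRef oid="00000000-0000-0000-0000-00000000d001" type="OrgType"/>
        </assignment>
    </user>
</objects>
```

The null check covers the case where the application role is reached through an assignment that carries no orgRef, so the mapping yields no value rather than failing on orgRef.oid.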