<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Courier New \;color\:windowtext";
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Tahoma","sans-serif";
color:#1F497D;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
pre
{mso-style-priority:99;
mso-style-link:"Préformaté HTML Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";
color:black;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Texte de bulles Car";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:#1F497D;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Tahoma","sans-serif";
color:#1F497D;}
span.PrformatHTMLCar
{mso-style-name:"Préformaté HTML Car";
mso-style-priority:99;
mso-style-link:"Préformaté HTML";
font-family:"Courier New";}
span.TextedebullesCar
{mso-style-name:"Texte de bulles Car";
mso-style-priority:99;
mso-style-link:"Texte de bulles";
font-family:"Tahoma","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Tahoma","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Tahoma","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:28382959;
mso-list-type:hybrid;
mso-list-template-ids:-269607804 -596084110 67895299 67895301 67895297 67895299 67895301 67895297 67895299 67895301;}
@list l0:level1
{mso-level-start-at:2013;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Tahoma","sans-serif";
mso-fareast-font-family:Calibri;}
@list l0:level2
{mso-level-tab-stop:72.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-tab-stop:108.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level4
{mso-level-tab-stop:144.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-tab-stop:180.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-tab-stop:216.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level7
{mso-level-tab-stop:252.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-tab-stop:288.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-tab-stop:324.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=FR link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Hi Ivan,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>You seem to have all answers to my questions ! So I’ll raise the level a bit </span><span lang=EN-US style='font-family:Wingdings;color:#1F497D'>J</span><span lang=EN-US style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>I’ve read from the <a href="https://wiki.evolveum.com/display/midPoint/Advanced+RBAC">https://wiki.evolveum.com/display/midPoint/Advanced+RBAC</a> page that midpoint implements parametric roles.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>This is pretty convenient from our point of view and it is the first time we see it implemented in an IM product without having to use custom code everywhere.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>From my comprehension, those role parameters are listed somewhere to give role/parameter association, and limit parameter permitted values.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Then, how much parameter lists can I associate to a role ? Lets take an example.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Imagine we have a team of sales men. They have different access right in the sale app depending on their geographic area, on their type of clients and on their line of products.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Then I would have one role : role_salesman<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>And three parametric lists : [area][client][product]<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>So, is it possible to have multiple parameters associated to a role ?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>And is it possible to have multiple values ? Like vendor to both EMEA and ASIA areas, and 3 or 4 different lines of products ?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Regards,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Salim<o:p></o:p></span></p><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p></div><p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='color:windowtext'>De :</span></b><span style='color:windowtext'> midpoint-bounces@lists.evolveum.com [mailto:midpoint-bounces@lists.evolveum.com] <b>De la part de</b> Ivan Noris<br><b>Envoyé :</b> jeudi 18 juillet 2013 14:39<br><b>À :</b> midpoint@lists.evolveum.com<br><b>Objet :</b> Re: [midPoint] Role template "role-sailor"<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>Hi Salim,<br><br>see my answers inline:<o:p></o:p></p><div><p class=MsoNormal>On 07/18/2013 01:38 PM, Salim Boulkour wrote:<o:p></o:p></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span lang=EN-US>Hey everyone,</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>I began playing with roles in midpoint and am trying to understand the contents of <a href="https://svn.evolveum.com/midpoint/tags/midpoint-2.1.2/samples/roles/role-sailor.xml">https://svn.evolveum.com/midpoint/tags/midpoint-2.1.2/samples/roles/role-sailor.xml</a>.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>Role description says :</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-family:"Courier New ;color:windowtext","serif"'>A basic role, that specifies <b><u>account on OpenDJ resource</u></b></span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-family:"Courier New ;color:windowtext","serif"'>and also sets "employeeType" attribute to a fixed value and it sets "destinationIndicator"</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US style='font-family:"Courier New ;color:windowtext","serif"'>as a copy of a user property.</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US>What interests me here, is the ability to do modifications to the account. So my questions are :</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]><span lang=EN-US>Does the account has to be created before assigning that role to a user ? Or account would be created as soon as role is given to the user ?</span><o:p></o:p></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p></blockquote><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";color:black'><br>The account will be created as soon you assign this role to user.<br>The attributes will be set as specified by mappings in the role (employeeNumber, destinationIndicator).<br><br><br><o:p></o:p></span></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]><span lang=EN-US>I understand the OID in ‘resourceRef’ being the way to specify the targeted resource. Is this the only way to specify it ? (As the doc on the data model stated I wouldn’t have to play with OIDs much ;) )</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";color:black'><br>Yes this is the only reference type - by oid. In the next releases, more parts of administrative GUI will be enhanced by wizards so that you can select the resource instead of typing its oid. But so far you have to create the role(s) and refer to resource oid to make a reference. IF you need to prepare a set of configuration (XML) files, e.g. resources and roles, and wish to import them and make some tests, you may use your own oids, just be sure to make them unique.<br><br><br><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US> </span><o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>-<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]><span lang=EN-US>If I specify in the role a resource attribute that is already handled by the resource/connector conf’, what would happen ? Has the value given by the role assignment a higher priority than the default one ?</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif";color:black'><br>Very good question. Please see <a href="https://wiki.evolveum.com/display/midPoint/Mapping">https://wiki.evolveum.com/display/midPoint/Mapping</a> especially "Mapping Order":<br>"When defining multiple mappings for single-valued attribute, every next applied mapping in order rewrites the value of attribute. Be sure to check, if this is what you want. In case of multiple-value attributes, mappings simply add next values to the attribute values list. "<o:p></o:p></span></p><p>So it depends mainly on the single/multi value attribute. For multi-value it would do what you perhaps expect - merge.<o:p></o:p></p><p>Regards,<br>Ivan<o:p></o:p></p><pre>-- <o:p></o:p></pre><pre> Ing. Ivan Noris<o:p></o:p></pre><pre> Consultant<o:p></o:p></pre><pre> Evolveum, s.r.o<o:p></o:p></pre><pre> ___________________________________________________<o:p></o:p></pre><pre> "Semper cautus - semper paratus - semper idem Vix."<o:p></o:p></pre></div></body></html>