<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Pavol,<br>
    thanks for your help!<br>
    <br>
    Roman<br>
    <div class="moz-signature">
      <table style="border-collapse:collapse;">
        <tbody>
          <tr>
            <td colspan="2" style="font-family:Arial, sans-serif;
              font-size:11px; color:#000000; vertical-align:bottom;">
              <p><span style="font-size:14px; font-weight:bold;">Roman
                  Pudil</span><br>
                solution architect<br>
                <br>
                gsm: [+420] 775 663 666<br>
                e-mail: <a href="mailto:roman.pudil@ami.cz">roman.pudil@ami.cz</a>
              </p>
            </td>
            <td style="border-right:1px solid #cccccc;">   </td>
            <td>   </td>
            <td style="font-family:Arial, sans-serif; font-size:11px;
              color:#000000; vertical-align:bottom;">
              <p> AMI Praha a.s.<br>
                Pláničkova 11<br>
                162 00 Praha 6<br>
                tel./fax: [+420] 274 783 239<br>
                web: <a href="http://www.ami.cz">www.ami.cz</a> </p>
            </td>
            <td style="border-right:1px solid #cccccc;">   </td>
            <td>   </td>
            <td style="font-family:Arial, sans-serif; font-size:11px;
              color:#000000;">
              <p> <img src="cid:part3.03050602.08070201@ami.cz"
                  alt="AMI Praha a.s." title="AMI Praha a.s."> </p>
            </td>
          </tr>
          <tr>
            <td colspan="8"><br>
              <a
href="http://www.ami.cz/reseni-a-sluzby/bezpecnost-dat/identity-management"><img
                  src="cid:part4.07030300.06050508@ami.cz" alt=""></a></td>
          </tr>
          <tr>
            <td colspan="8" style="font-family:Arial, sans-serif;
              font-size:11px; color:#808080;"> <br>
              By the text of this e-mail the signatory neither promises to conclude
              nor concludes any contract on behalf of AMI Praha a.s.<br>
              Any contract, if concluded, must be exclusively in written form.</td>
          </tr>
        </tbody>
      </table>
    </div>
    <div class="moz-cite-prefix">On 23.6.2015 at 12:24, Pavol Mederly
      wrote:<br>
    </div>
    <blockquote cite="mid:558933F2.4090203@evolveum.com" type="cite">
      <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
      <div class="moz-cite-prefix">Hello Roman,<br>
        <br>
        Something like this works for me - I'm rewriting my
        configuration to "your" terms, hopefully not making any mistake:<br>
        <br>
        1) Define an association in the account definition:<br>
        <br>
        <pre><association>
    <c:ref>ri:rolesAssociation</c:ref>
    <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>role</intent>
    <direction>subjectToObject</direction>
    <associationAttribute>ri:roles</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
</association>
</pre>
        <br>
        In this case, <tt>ri:rolesAssociation</tt> is the name of the
        association. It is an "artificial" name by which midPoint will
        refer to the association. On the other hand, <tt>ri:roles</tt> is
        the name of the actual attribute where information about the
        roles of a given user is stored. Kind/intent (entitlement/role)
        tells midPoint what kind of objects we are referring to.
        ValueAttribute = icfs:uid tells it that in the <tt>roles</tt>
        attribute there are uids (not names) of the given roles. If
        there are names, you would have to provide icfs:name here.<br>
        <br>
        2) Now, define the fact that a midPoint Role would correspond to
        your resource's role object <b>and</b> that any user that has
        an assignment of the midPoint role would have the
        resource's role object assigned to his account.<br>
        <br>
        The easiest way is to define a metarole like this:<br>
        <br>
        <pre><role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">

   <name>Metarole</name>
   <displayName>Metarole</displayName>
   <inducement id="1">  <!-- this tells midPoint to create resource's role object for any midPoint Role that has this metarole assigned -->
      <construction>
         <resourceRef oid="(your resource OID goes here)"/>
         <kind>entitlement</kind>
         <intent>role</intent>
      </construction>
   </inducement>
   <inducement id="2">  <!-- this tells that any user having assigned midPoint Role will get the corresponding resource's role associated to him -->
      <construction>
         <resourceRef oid="(your resource OID goes here)"/>
         <kind>account</kind>
         <intent>default</intent>
         <association>
            <c:ref>ri:rolesAssociation</c:ref>
            <outbound>
               <expression>
                  <associationFromLink>
                     <projectionDiscriminator>
                        <kind>entitlement</kind>
                        <intent>role</intent>
                     </projectionDiscriminator>
                  </associationFromLink>
               </expression>
            </outbound>
         </association>
      </construction>
      <order>2</order>
   </inducement>
   <requestable>false</requestable>
</role>
</pre>
        Hope this helps.<br>
        <br>
        Best regards,<br>
        Pavol<br>
        <br>
      </div>
      <blockquote cite="mid:55882620.1040200@ami.cz" type="cite">
        <meta content="text/html; charset=utf-8"
          http-equiv="Content-Type">
        Hi Pavol,<br>
        thanks for great advice!<br>
        <br>
        Now I have all application roles saved as multi-valued attribute
        in the user in MidPoint.<br>
        How can I associate these values with entitlements (roles) in
        MidPoint? "AssignmentTargetSearch" in mapping gives me
        "Expression returned more than one value" exception (yes,
        attribute is multi-valued).<br>
        <br>
        Thanks!<br>
        <br>
        Regards<br>
        R. Pudil<br>
        <br>
        <div class="moz-cite-prefix">On 20.6.2015 at 18:38, Pavol Mederly
          wrote:<br>
        </div>
        <blockquote cite="mid:55859715.4010001@evolveum.com" type="cite">
          <meta content="text/html; charset=utf-8"
            http-equiv="Content-Type">
          <div class="moz-cite-prefix">Hello Roman,<br>
            <br>
            we've recently implemented this scenario for one of our
            customers.<br>
            <br>
            It was done via ScriptedSQL connector, as one resource,
            having two object classes:<br>
            <br>
            - users<br>
            - roles<br>
            <br>
            The user-role association was implemented as a multi-valued
            attribute called "roles" in the user. (It could also be done
            via an attribute "users"/"members" in the role object, but we
            chose this way because a user in our case has fewer roles
            than there are users for a given role.)<br>
            <br>
            Groovy scripts in the connector were used as a wrapper that
            called stored procedures in the database. These procedures
            were responsible for manipulating the tables, including
            updating the user-role table based on the information that
            came in the "roles" attribute.<br>
            <br>
            It is more complex than using the simple DB connector, but
            works nicely.<br>
            <br>
            Best regards,<br>
            Pavol<br>
            <br>
            On 20. 6. 2015 18:07, Roman Pudil - AMI Praha a.s. wrote:<br>
          </div>
          <blockquote
cite="mid:CAEvfcR9SjJSbD02WP2XEWknhcQza0NG6pjuOP9GHEvc8p=Kauw@mail.gmail.com"
            type="cite">
            <div dir="ltr">Hi all,
              <div>I have 3 tables in the database.<br>
              </div>
              <div><br>
              </div>
              <div>1) table with users</div>
              <div>2) table with roles</div>
              <div>3) table with user ids assigned to role ids (M:N
                relation)</div>
              <div><br>
              </div>
              <div>The first and second tables are connected to
                midPoint as two database resources (DB users as
                identities, DB roles as midPoint roles). But how do I
                bring the third table, with the user-to-group relations,
                into midPoint? As a third resource or not? How? What is
                best practice?</div>
              <div><br>
              </div>
              <div>Thanks for any idea!</div>
              <div><br>
              </div>
              <div>Regards!</div>
              <div>Roman Pudil</div>
              <div>AMI Praha, a.s.</div>
            </div>
            <br>
            <fieldset class="mimeAttachmentHeader"></fieldset>
            <br>
            <pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
          </blockquote>
        </blockquote>
      </blockquote>
    </blockquote>
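    <br>
    The data-model side of this thread, as an added example that is not part of the
    original messages and not midPoint's or the ScriptedSQL connector's own code:
    Pavol's first reply exposes the user-role M:N table as a multi-valued "roles"
    attribute on the user object and has the connector's scripts update that table
    from the attribute; his second reply compares the role uids with the
    stringIgnoreCase matching rule. The Python sketch below (sqlite3, constructed
    sample rows; the table and column names users/roles/user_roles, uid and
    role_uid are assumptions) shows both directions: reading the attribute from the
    M:N rows and reconciling the rows from a new attribute value. It writes only the
    difference inside one transaction rather than deleting and re-inserting, so a
    failed update cannot strip a user of all roles, and it rejects role uids that do
    not exist in the roles table.<br>
    <br>

```python
import sqlite3

# Constructed sample schema mirroring the three tables described in the thread:
# users, roles and a user-role M:N table (names are assumptions, not from the page).
SCHEMA = """
CREATE TABLE users (
    uid  TEXT PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE roles (
    uid  TEXT PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE user_roles (
    user_uid TEXT NOT NULL REFERENCES users(uid),
    role_uid TEXT NOT NULL REFERENCES roles(uid),
    PRIMARY KEY (user_uid, role_uid)
);
"""

# Constructed sample data (not from the original thread).
SAMPLE_USERS = [("u100", "Alice"), ("u200", "Bob")]
SAMPLE_ROLES = [("R_ADMIN", "Administrators"), ("R_HR", "HR staff"), ("R_DEV", "Developers")]
SAMPLE_USER_ROLES = [("u100", "R_ADMIN"), ("u100", "R_HR"), ("u200", "R_DEV")]


def open_sample_db():
    """Create an in-memory database filled with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # the database itself rejects unknown uids
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO roles VALUES (?, ?)", SAMPLE_ROLES)
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", SAMPLE_USER_ROLES)
    conn.commit()
    return conn


def get_roles_attribute(conn, user_uid):
    """Read side: project the M:N rows of one user into the multi-valued
    "roles" attribute, i.e. a sorted list of role uids (the icfs:uid values)."""
    rows = conn.execute(
        "SELECT role_uid FROM user_roles WHERE user_uid = ? ORDER BY role_uid",
        (user_uid,),
    ).fetchall()
    return [r[0] for r in rows]


def set_roles_attribute(conn, user_uid, desired_roles):
    """Write side: reconcile user_roles with a new value of the "roles" attribute.
    Only the difference is written (missing rows inserted, surplus rows deleted)
    inside a single transaction, so a failed write never leaves the user with no
    roles at all. Values are compared case-insensitively, as an illustration of the
    stringIgnoreCase matching rule; rows are stored with the canonical spelling
    from the roles table. Returns (added, removed) as sorted lists of role uids."""
    canonical = {uid.lower(): uid for (uid,) in conn.execute("SELECT uid FROM roles")}
    wanted = set()
    for value in desired_roles:
        key = value.lower()
        if key not in canonical:
            raise ValueError(f"unknown role uid: {value!r}")   # nothing written
        wanted.add(canonical[key])
    current = set(get_roles_attribute(conn, user_uid))
    to_add = sorted(wanted - current)
    to_remove = sorted(current - wanted)
    with conn:   # commits on success, rolls back if any statement fails
        conn.executemany(
            "INSERT INTO user_roles (user_uid, role_uid) VALUES (?, ?)",
            [(user_uid, r) for r in to_add],
        )
        conn.executemany(
            "DELETE FROM user_roles WHERE user_uid = ? AND role_uid = ?",
            [(user_uid, r) for r in to_remove],
        )
    return to_add, to_remove


if __name__ == "__main__":
    db = open_sample_db()
    print(get_roles_attribute(db, "u100"))                      # ['R_ADMIN', 'R_HR']
    print(set_roles_attribute(db, "u100", ["r_hr", "R_DEV"]))   # (['R_DEV'], ['R_ADMIN'])
    print(get_roles_attribute(db, "u100"))                      # ['R_DEV', 'R_HR']
```

    In the real deployment this reconciliation would live in the stored procedures
    the Groovy scripts call; the point carried over is that the procedure receives
    the whole attribute value and must compute the delta itself, which is also where
    an audit record of added and removed entitlements naturally belongs.<br>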
    <br>
  </body>
</html>