<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Anton,<br>
<br>
one of the options is to get a list of all the user assignments and
act on it, in a similar way to what I wrote to Roman this morning, i.e.<br>
<br>
<pre>&lt;outbound&gt;
    &lt;strength&gt;strong&lt;/strength&gt;
    &lt;source&gt;
        &lt;c:path&gt;assignment&lt;/c:path&gt;
    &lt;/source&gt;
    &lt;source&gt; ....... any other sources, e.g. name, ... &lt;/source&gt;
    &lt;expression&gt;
        &lt;script&gt;
            &lt;relativityMode&gt;absolute&lt;/relativityMode&gt;
            &lt;code&gt;
                isStaff = false
                isAdmin = false
                ...
                log.info('assignment = {}', assignment) // assignment is a PrismContainer
                for (assignmentValue in assignment.getValues()) {
                    log.info('checking {}', assignmentValue)
                    targetRef = assignmentValue.asContainerable().getTargetRef()
                    if (targetRef?.getOid()?.equals("<font color="#cc0000">....staff role OID.....</font>")) {
                        isStaff = true
                    } else if (targetRef?.getOid()?.equals("<font color="#cc0000">....admin role OID.....</font>")) {
                        isAdmin = true
                    }
                    ...
                }

                ... and now construct the DN based on isStaff, isAdmin etc.
            &lt;/code&gt;
        &lt;/script&gt;
    &lt;/expression&gt;
&lt;/outbound&gt;</pre>
<br>
I haven't actually tried it; but it could work.<br>
<br>
Another, and perhaps more elegant, way is to induce some user
properties in the roles. E.g. the admin role could put the value
"Admin" into the "employeeType" property. It would look like this:<br>
<br>
<pre>&lt;role&gt;
    &lt;name&gt;admin&lt;/name&gt;
    &lt;displayName&gt;admin&lt;/displayName&gt;
    &lt;inducement&gt;
        &lt;focusMappings&gt;
            &lt;mapping&gt;
                &lt;expression&gt;
                    &lt;value&gt;Admin&lt;/value&gt;
                &lt;/expression&gt;
                &lt;target&gt;
                    &lt;path&gt;employeeType&lt;/path&gt;
                &lt;/target&gt;
            &lt;/mapping&gt;
        &lt;/focusMappings&gt;
    &lt;/inducement&gt;
&lt;/role&gt;</pre>
<br>
And then you can use employeeType as just another source when
constructing the user DN. Beware of situations where there would be
more than one employeeType value (e.g. the user would be both admin
and, let's say, manager). A naive implementation of the mapping would
yield two DNs for the user.<br>
<br>
Maybe someone with more experience in midPoint deployment (Ivan?)
would improve these options a bit.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
On 26. 6. 2015 19:08, <a class="moz-txt-link-abbreviated" href="mailto:midpoint@mybtinternet.com">midpoint@mybtinternet.com</a> wrote:<br>
</div>
<blockquote
cite="mid:33446303.48704.1435338488969.JavaMail.defaultUser@defaultHost"
type="cite">Hi,<br>
<br>
I have a role defined with an inducement for an Active Directory
account and am able to successfully<br>
provision a basic account. However, I need the target container
to be variable based on the user's<br>
role; e.g. staff goes to ou=staff,&lt;directory-suffix&gt; and
admin users to ou=admin,&lt;directory-suffix&gt;.<br>
<br>
I was hoping to use ad_container in the role's inducement of the
Active Directory account. The<br>
attempted provisioning fails with "Cannot represent container
value without a parent as containerable".<br>
<br>
Also tried to find, unsuccessfully, references on how to
programmatically get the user's role/s or<br>
assignments and then construct the DN based on values.<br>
<br>
Any suggestions?<br>
<br>
Thx,<br>
Anton<br>
<br>
<br>
<br>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
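Added example (not part of the original thread, and not midPoint's own code): stand-alone Groovy for the DN construction both options in the reply lead to. It picks exactly one container by precedence when a user holds several roles (the two-DN case the reply warns about) and escapes the name per RFC 4514 so that it cannot alter the DN structure. The role OIDs, the OU names, the cn= naming attribute and the dc=example,dc=com suffix are placeholder assumptions.<br>

```groovy
import groovy.transform.Field

// All values below are constructed placeholders, not taken from the thread.
@Field final String DIRECTORY_SUFFIX = 'dc=example,dc=com'
// Highest precedence first: the first role found decides the container.
@Field final Map OU_BY_ROLE_OID = [
    'ADMIN-ROLE-OID-PLACEHOLDER': 'admin',
    'STAFF-ROLE-OID-PLACEHOLDER': 'staff',
]
// Characters RFC 4514 requires to be backslash-escaped anywhere in a value.
@Field final String SPECIALS = '"+,;<>\\'

// Escape an attribute value so user-controlled text cannot add RDNs to the DN.
String escapeRdnValue(String value) {
    def sb = new StringBuilder()
    int last = value.length() - 1
    value.length().times { i ->
        String c = value[i]
        // A leading '#' or space and a trailing space must be escaped as well.
        boolean edge = (i == 0 && (c == ' ' || c == '#')) || (i == last && c == ' ')
        if (c == '\u0000') {
            sb.append('\\00')
        } else {
            sb.append((edge || SPECIALS.contains(c)) ? '\\' + c : c)
        }
    }
    sb.toString()
}

// Return the single OU for a set of assigned role OIDs, or null if none matches.
String selectOu(Collection roleOids) {
    OU_BY_ROLE_OID.find { oid, ou -> roleOids.contains(oid) }?.value
}

// Build exactly one DN; null means "no known role", so no container is guessed.
String buildDn(String name, Collection roleOids) {
    def ou = selectOu(roleOids ?: [])
    ou == null ? null : "cn=${escapeRdnValue(name)},ou=${ou},${DIRECTORY_SUFFIX}".toString()
}

// Constructed sample users.
assert buildDn('jsmith', ['STAFF-ROLE-OID-PLACEHOLDER']) == 'cn=jsmith,ou=staff,dc=example,dc=com'
// Both roles assigned: one DN, admin wins by precedence.
assert buildDn('jsmith', ['STAFF-ROLE-OID-PLACEHOLDER', 'ADMIN-ROLE-OID-PLACEHOLDER']) ==
        'cn=jsmith,ou=admin,dc=example,dc=com'
// A comma in the name stays inside the cn value instead of starting a new RDN.
assert buildDn('Smith, John', ['STAFF-ROLE-OID-PLACEHOLDER']) ==
        'cn=Smith\\, John,ou=staff,dc=example,dc=com'
assert buildDn('guest', []) == null
```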
</body>
</html>