<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hello Anton,<br>
<br>
<blockquote type="cite">I was already using attribute assignment
to employeeType from my HR feed to assign roles<br>
and didn't want to introduce values that will not be populated
from the feed.<br>
</blockquote>
<br>
I see. Of course, you can use any other attribute (even in
extension) to do the same.<br>
<br>
<blockquote type="cite">I elected a solution based on Pavol's
first example below; it seems I was on the right direction,<br>
but was missing 2 crucial parts; e.g. getting the target ref and
the relativityMode. What does<br>
"<relativityMode>absolute</relativityMode>" do?</blockquote>
<br>
MidPoint uses scripts as value transformers. So, given a list of
input values (for multivalued items; assignment is among them, as
it can - and typically does - have more values), it takes values
one by one and transforms each of them. This is the default
execution mode, called "relative". But in our case, this would
yield multiple DNs if there would be more than one relevant
assignment. So I chose to use the other execution mode, called
"absolute", where the script gets all the values of multivalued
item at once. <br>
<br>
The whole picture is a bit more complex, but for this situation I
think this is what is relevant.<br>
<br>
Here is a description: <a
href="https://wiki.evolveum.com/display/midPoint/Mapping+Relativity">https://wiki.evolveum.com/display/midPoint/Mapping+Relativity</a>.
Unfortunately, it is missing crucial parts on relative vs.
absolute evaluation. Until it is fixed, you can get some overview
from the source code <a
href="https://github.com/Evolveum/midpoint/blob/master/model/model-common/src/main/java/com/evolveum/midpoint/model/common/expression/evaluator/AbstractValueTransformationExpressionEvaluator.java">here</a>.
See
<meta http-equiv="content-type" content="text/html; charset=utf-8">
evaluateAbsoluteExpression vs. evaluateRelativeExpression.<br>
<br>
<blockquote type="cite">The main addition I made to the example
was to do a check for assignment != null; doesn't<br>
like getting values if there was no assignment.<br>
</blockquote>
<br>
Yes, you're right.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
<br>
On 2. 7. 2015 12:28, <a class="moz-txt-link-abbreviated" href="mailto:midpoint@mybtinternet.com">midpoint@mybtinternet.com</a> wrote:<br>
</div>
<blockquote
cite="mid:13653295.21558.1435832912099.JavaMail.defaultUser@defaultHost"
type="cite">Thx Pavol and Jason for your helpful examples!<br>
<br>
I was already using attribute assignment to employeeType from my
HR feed to assign roles<br>
and didn't want to introduce values that will not be populated
from the feed.<br>
<br>
I elected a solution based on Pavol's first example below; it
seems I was on the right direction,<br>
but was missing 2 crucial parts; e.g. getting the target ref and
the relativityMode. What does<br>
"<relativityMode>absolute</relativityMode>" do?<br>
<br>
The main addition I made to the example was to do a check for
assignment != null; doesn't<br>
like getting values if there was no assignment.<br>
<br>
Regards,<br>
Anton<br>
<br>
<br>
<blockquote style="margin-right: 0px; margin-left:15px;">----Original
message----<br>
From : <a class="moz-txt-link-abbreviated" href="mailto:mederly@evolveum.com">mederly@evolveum.com</a><br>
Date : 26/06/2015 - 18:41 (BST)<br>
To : <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
Subject : Re: [midPoint] Construct DN based on role<br>
<br>
<meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
<div class="moz-cite-prefix">Hello Anton,<br>
<br>
one of options is to get a list of all the user assignments,
and act on it. In a similar way that I wrote Roman today
morning, i.e.<br>
<br>
<tt> <outbound></tt><tt><br>
</tt><tt> <strength>strong</strength></tt><tt><br>
</tt><tt> <source></tt><tt><br>
</tt><tt> <c:path>assignment</c:path></tt><tt><br>
</tt><tt> </source><br>
<source> ....... any other sources, e.g. name,
... </source><br>
</tt><tt> </tt><tt> <expression></tt><tt><br>
</tt><tt> <script><br>
</tt><tt><tt>
<relativityMode>absolute</relativityMode></tt><tt><br>
</tt> <code><br>
isStaff = false<br>
isAdmin = false<br>
...<br>
</tt><tt><tt> log.info('assignment = {}',
assignment) // assignment is a PrismContainer</tt><tt><br>
</tt><tt> for (assignmentValue in
assignment.getValues()) {</tt><tt><br>
</tt><tt> log.info('checking {}',
assignmentValue)</tt><tt><br>
</tt><tt> targetRef =
assignmentValue.asContainerable().getTargetRef()</tt><tt><br>
</tt><tt> if (targetRef?.getOid()?.equals("<font
color="#cc0000">....staff role OID.....</font>")) {</tt><tt><br>
isStaff = true<br>
</tt><tt> }</tt><tt> </tt></tt><tt><tt><tt><tt>else
if (targetRef?.getOid()?.equals("<font color="#cc0000">....admin
role OID.....</font>")) {</tt><tt><br>
isAdmin = true<br>
</tt><tt> }<br>
...<br>
}<br>
<br>
... and now construct the DN based on
isStaff, isAdmin etc.<br>
</tt><tt> </tt></tt> </tt><tt> </tt><tt><br>
</tt> </code><br>
</script><br>
</tt><tt> </tt><tt> </expression></tt><br>
<tt> </outbound></tt><tt><br>
</tt><br>
I haven't actually tried it; but it could work.<br>
<br>
Another, and perhaps more elegant, way is to induce some user
properties in the roles. E.g. admin role could put value of
"Admin" to "employeeType" property. It would look like this:<br>
<br>
<tt><role></tt><tt><br>
</tt><tt> <name>admin</name></tt><tt><br>
</tt><tt> <displayName>admin</displayName></tt><tt><br>
</tt><tt> <inducement></tt><tt><br>
</tt><tt> <focusMappings></tt><tt><br>
</tt><tt> <mapping></tt><tt><br>
</tt><tt> <expression></tt><tt><br>
</tt><tt> <value>Admin</value></tt><tt><br>
</tt><tt> </expression></tt><tt><br>
</tt><tt> <target></tt><tt><br>
</tt><tt>
<path>employeeType</path></tt><tt><br>
</tt><tt> </target></tt><tt><br>
</tt><tt> </mapping></tt><tt><br>
</tt><tt> </focusMappings></tt><tt><br>
</tt><tt> </inducement></tt><tt><br>
</tt><tt></role></tt><tt><br>
</tt><br>
And then you can use employeeType as just another source when
constructing the user DN. Beware of situations when there
would be more than one employeeType value (e.g. user would be
both admin and let's say manager). Naive implementation of the
mapping would yield to two DN's for the user.<br>
<br>
Maybe someone with more experiences in midPoint deployment
(Ivan?) would improve these options a bit.<br>
<br>
Best regards,<br>
Pavol<br>
<br>
On 26. 6. 2015 19:08, <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:midpoint@mybtinternet.com">midpoint@mybtinternet.com</a>
wrote:<br>
</div>
<blockquote
cite="mid:33446303.48704.1435338488969.JavaMail.defaultUser@defaultHost"
type="cite">Hi,<br>
<br>
I have a role defined with an inducement for an Active
Directory account and am able to successfully<br>
provision a basic account. However, I need the target
container to be variable based on the user's<br>
role; e.g. staff goes to ou=staff,<directory-suffix>
and admin users to ou=admin,<directory-suffix>.<br>
<br>
I was hoping to use ad_container in the role's inducement of
the Active Directory account. The<br>
attempted provisioning fails with "Cannot represent
container value without a parent as containerable".<br>
<br>
Also tried to find, unsuccessfully, references on how to
programatically get the the user's role/s or<br>
assignments and then construct the DN based on values.<br>
<br>
Any suggestions?<br>
<br>
Thx,<br>
Anton<br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>