<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Jens,<br>
      <br>
      you're right - activation (e.g.
      validFrom/validTo/administrativeStatus) is another source of
      trouble. <br>
      <br>
      As for conditions, they cannot be set up in the GUI (yet), but only
      directly in the objects' XML representation, e.g. via the "Repository
      Objects" section.<br>
      I mean something like this (see <a
href="https://github.com/Evolveum/midpoint/blob/master/model/model-intest/src/test/resources/rbac/role-wannabe.xml">role-wannabe.xml</a>):<br>
      <pre style="background-color:#ffffff;color:#000000;font-family:'Courier New';font-size:9,0pt;"><small><small>&lt;inducement id="1112"&gt;
   &lt;!-- Honorable Wannabe --&gt;
   &lt;targetRef oid="12345678-d34d-b33f-f00d-555555557704" type="RoleType"/&gt;
   &lt;condition&gt;
      &lt;source&gt;
         &lt;path&gt;$user/honorificSuffix&lt;/path&gt;
      &lt;/source&gt;
      &lt;expression&gt;
         &lt;script&gt;
            &lt;code&gt;(Boolean)honorificSuffix?.trim()&lt;/code&gt;
         &lt;/script&gt;
      &lt;/expression&gt;
   &lt;/condition&gt;
&lt;/inducement&gt;</small></small></pre>
      This role induces another role with OID
      12345678-d34d-b33f-f00d-555555557704, but only if a user has
      honorificSuffix set.<br>
      <br>
      As a note, conditions are frequently used also in object
      templates. But templates themselves are only partially interesting
      from your point of view (if at all).<br>
      <br>
      <blockquote type="cite">Do you think it's worth to try out the
        java connector to gather the info I need?</blockquote>
      I don't quite understand ... what Java connector do you mean?<br>
      <br>
      Regards,<br>
      Pavol<br>
      <br>
       <br>
    </div>
    <blockquote cite="mid:559D4008.4090702@j-b-s.de" type="cite">
      Hi Pavol, <br>
      <br>
      thanks for the fast response. I am validating the activation
      section on my own, but I didn't see any conditional settings in
      the Admin-UI (yet :-)<br>
      Would be nice if you can give me a hint what exactly you have in
      mind. Do you think it's worth to try out the java connector to
      gather the info I need?<br>
      <br>
      <br>
      CU<br>
      <br>
      Jens<br>
      <br>
      <br>
      <br>
      <div class="moz-cite-prefix">On 08/07/15 at 15:15, Pavol
        Mederly wrote:<br>
      </div>
      <blockquote cite="mid:559D2289.3020600@evolveum.com" type="cite">
        <div class="moz-cite-prefix">Hello Jens,<br>
          <br>
          I'm afraid that getting the entire set of valid roles defined
          for a particular user (like "Show all assignments" in GUI) is
          a bit trickier than simply traversing all role inducements.<br>
          <br>
          The reason is that some assignments or inducements can be
          conditional; i.e. you would have to evaluate these conditions
          to see whether they apply or not.<br>
          <br>
          Fortunately, there is a method called previewChanges (in
          ModelController) that is used to do that in GUI and that could
          be published via REST/WS interface. However, I don't know
          if/when something like that is planned. (<a
            moz-do-not-send="true"
            href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a>).<br>
          <br>
          Best regards,<br>
          Pavol<br>
          <br>
          PS: As a partial workaround, I originally thought about using
          the "resolve" option in GetOperationOptions structure. However,
          this is not recursive and moreover, seems to be not working
          for multi-segment paths, like assignment/targetRef (<a
            moz-do-not-send="true"
            href="https://jira.evolveum.com/browse/MID-2435">MID-2435</a>).<br>
          <br>
          <br>
          On 8. 7. 2015 14:18, Jens Breitenstein wrote:<br>
        </div>
        <blockquote cite="mid:559D150B.9090501@j-b-s.de" type="cite">Hi
          midpoint experts, <br>
          <br>
          we are fairly new to midpoint but we already have a running
          instance now, we added some organisational data and added
          users and roles using the admin interface. <br>
          While investigating the REST connector we are now able to
          retrieve all information for a particular user, but it's
          somehow cumbersome to "manually" parse / traverse all
          parentOrgs, collecting all single roles and again traversing
          all role inducements to gather the overall role set. <br>
          <br>
          Is there any chance to retrieve the entire set of valid roles
          defined for a particular user in "one go" without executing
          multiple REST calls? <br>
          <br>
          <br>
          Thanks in advance <br>
          <br>
          Jens <br>
          <br>
          <br>
          _______________________________________________ <br>
          midPoint mailing list <br>
          <a moz-do-not-send="true" class="moz-txt-link-abbreviated"
            href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
          <br>
          <a moz-do-not-send="true" class="moz-txt-link-freetext"
            href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
          <br>
        </blockquote>
      </blockquote>
    </blockquote>
    <br>
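    Added example, not part of the original messages and not midPoint code: it shows why a client that only traverses assignments and inducements reports roles the user does not effectively hold once conditions and activation are evaluated. The role names, the dict layout and the activation precedence rule are assumptions of this simplified model; only the honorificSuffix condition comes from the thread.<br>

```python
from datetime import datetime, timezone

def has_suffix(user):
    # Python rendering of the Groovy condition (Boolean)honorificSuffix?.trim()
    suffix = user.get("honorificSuffix")
    return bool(suffix and suffix.strip())

# Constructed role graph: a simplified model, not midPoint's schema or API.
ROLES = {
    "wannabe": [{"target": "honorable", "condition": has_suffix}],
    "honorable": [{"target": "archive-reader"}],
    "archive-reader": [],
    "auditor": [],
}

def is_active(link, now):
    # Assumption: an explicit administrativeStatus decides on its own,
    # otherwise the validFrom/validTo window applies.
    act = link.get("activation", {})
    if "administrativeStatus" in act:
        return act["administrativeStatus"] == "enabled"
    if act.get("validFrom") and act["validFrom"] > now:
        return False
    return not (act.get("validTo") and now > act["validTo"])

def effective_roles(user, now, evaluate=True):
    # evaluate=False is the naive walk that follows every link it finds.
    seen, stack = set(), list(user["assignments"])
    while stack:
        link = stack.pop()
        if evaluate:
            cond = link.get("condition")
            if not is_active(link, now) or (cond and not cond(user)):
                continue
        if link["target"] not in seen:
            seen.add(link["target"])
            stack.extend(ROLES[link["target"]])
    return seen

NOW = datetime(2015, 7, 8, tzinfo=timezone.utc)
EXPIRED = {"validTo": datetime(2015, 6, 30, tzinfo=timezone.utc)}

def sample_user(suffix):
    # Constructed user: one plain assignment and one that expired on 30 June.
    return {"honorificSuffix": suffix, "assignments": [
        {"target": "wannabe"}, {"target": "auditor", "activation": EXPIRED}]}

def over_reported(user, now):
    # Roles the naive walk reports that the evaluated walk does not.
    return effective_roles(user, now, evaluate=False) - effective_roles(user, now)
```

    For an access review, the set returned by over_reported is the part of a traversal-only report that would overstate a user's entitlements.<br>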
  </body>
</html>