<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Mappings in roles. Kind of. I'm not
sure if there would be a full mapping in a role or rather just a
simple condition. Probably just a condition. But the important
thing is that it does not make much difference from an implementation
perspective whether there are thousands of mappings in the object
template or there are mappings/conditions distributed in roles.
But I understand that putting that into roles makes a big
improvement in flexibility and usability.<br>
<br>
My preliminary idea is like this: put a mapping or condition into
roles. Then the code that now evaluates the object template can simply
search for all the roles with assignment conditions, compile a
list of all the conditions and evaluate them. We will not need
assignmentTargetSearch in that case, because each role knows about
itself. So in case there is only a condition in the role,
midPoint can automatically construct the assignment with the proper
targetRef. It does not need to be determined by
assignmentTargetSearch.<br>
<br>
The problem is the assignment parameters. But firstly, we can leave
that for later. And secondly, there may be additional mappings for
them. The critical part is to evaluate all the conditions
efficiently (because there may be thousands of them). Once we have
the assignment targets, we can afford to evaluate more
mappings/expressions, because there will be only a handful of roles
left to evaluate.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
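<br>
Added example, not part of the original message and not midPoint code: a minimal Python model of the two-phase evaluation described above. `Role`, `auto_assign` and the `parameters` hook are hypothetical names, the Captain and Auditor OIDs are constructed placeholders, and treating a condition that fails to evaluate as "no match" is an assumption of this sketch.<br>

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Illustrative model only: Role, auto_assign and the "parameters" hook are
# hypothetical names, not midPoint classes or schema elements.


@dataclass
class Role:
    oid: str
    name: str
    # Assignment condition carried by the role itself (None = manual only).
    condition: Optional[Callable[[Dict[str, str]], bool]] = None
    # Additional expression that computes assignment parameters, if any.
    parameters: Optional[Callable[[Dict[str, str]], Dict[str, str]]] = None


def condition_holds(role, user):
    # Assumption of this sketch: a condition that raises grants nothing.
    try:
        return bool(role.condition(user))
    except Exception:
        return False


def auto_assign(user, roles):
    """Return the assignments that the role conditions produce for user."""
    # Phase 1: collect every role that carries a condition and evaluate only
    # those conditions. This is the step that has to scale to thousands.
    matched = [r for r in roles
               if r.condition is not None and condition_holds(r, user)]
    # Phase 2: only a handful of roles are left, so the extra parameter
    # expressions run for the matches alone. Each role knows its own OID,
    # so the targetRef needs no separate target search.
    assignments = []
    for role in matched:
        assignment = {"targetRef": {"oid": role.oid, "type": "RoleType"}}
        if role.parameters is not None:
            assignment["parameters"] = role.parameters(user)
        assignments.append(assignment)
    return assignments


# Constructed sample roles; only the Pirate OID comes from the thread.
ROLES = [
    Role("12345678-d34d-b33f-f00d-987987987988", "Pirate",
         lambda u: u["employeeType"] == "PIRATE"),
    Role("oid-captain-placeholder", "Captain",
         lambda u: u["employeeType"] == "CAPTAIN",
         parameters=lambda u: {"ship": u.get("ship", "unassigned")}),
    Role("oid-auditor-placeholder", "Auditor"),  # no condition
]
```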
<br>
<br>
On 03/17/2016 11:12 AM, Дорофеев Илья wrote:<br>
</div>
<blockquote
cite="mid:F82253638486D44DABA51EC404D48AF3293EAA73@EX-MB1.solar.local"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">Sorry, I didn’t catch what exactly would be
feasible? Hundreds of mappings in object template or
mappings in roles? In the latter case is there going to be a
mapping inside a role or anything else? What about dynamic
assignment target search based on attribute value in object
templates? However, there will be a problem: how do we
determine when an object (user) fulfils a condition and when
he doesn’t. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Segoe
UI",sans-serif;color:#1F497D" lang="EN-US">Ilya
Dorofeev<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:windowtext">
midPoint [<a class="moz-txt-link-freetext" href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Radovan Semancik<br>
<b>Sent:</b> Thursday, March 17, 2016 11:34 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Subject:</b> Re: [midPoint] Dynamic Role Assignment<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">That's right.<br>
<br>
Our conclusion is that this would be feasible. There is
probably a very slight performance hit, but it is more than
justified by the benefits in manageability and flexibility.
I like this idea.<br>
<br>
However, the part of the midPoint roadmap that Evolveum is
sponsoring is currently full. Therefore the only practical
way to get this feature in the near future is to sponsor
it or develop it yourself.<br>
<br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Radovan Semancik<o:p></o:p></pre>
<pre>Software Architect<o:p></o:p></pre>
<pre>evolveum.com<o:p></o:p></pre>
<p class="MsoNormal"><br>
<br>
<br>
On 03/16/2016 05:37 PM, Ivan Noris wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">I have not found the issue in JIRA, but I
remember we were discussing it at the start of December
2015.<br>
Anyway I've created <a moz-do-not-send="true"
href="https://jira.evolveum.com/browse/MID-2840">https://jira.evolveum.com/browse/MID-2840</a>
to track the feature.<br>
<br>
To increase the priority of the implementation, the usual
options are: <a moz-do-not-send="true"
href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">
https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a> <o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
Best regards,<br>
Ivan<br>
<br>
On 03/16/2016 04:19 PM, Дорофеев Илья wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">Hi Ivan,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US">What if I have plenty of employee types
(say, 100) in my trusted identity source? Do I have to
create a hundred mappings in the object template in order
to assign a corresponding role for each employeeType? I
anticipate the performance of clockwork will suffer in
such a case.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"
lang="EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt">__________________________</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:10.0pt"
lang="EN-US">Ilya Dorofeev</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
midPoint [<a moz-do-not-send="true"
href="mailto:midpoint-bounces@lists.evolveum.com">mailto:midpoint-bounces@lists.evolveum.com</a>]
<b>On Behalf Of </b>Ivan Noris<br>
<b>Sent:</b> Saturday, March 12, 2016 8:31 PM<br>
<b>To:</b> midPoint General Discussion <a
moz-do-not-send="true"
href="mailto:midpoint@lists.evolveum.com">
<a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a></a><br>
<b>Subject:</b> Re: [midPoint] Dynamic Role
Assignment</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">Hi Gauri,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">this is easily possible using
Object Templates.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Please refer to one of our samples
for example:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a moz-do-not-send="true"
href="https://github.com/Evolveum/midpoint/blob/master/samples/objects/user-template-complex.xml">https://github.com/Evolveum/midpoint/blob/master/samples/objects/user-template-complex.xml</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<pre>&lt;!-- RB-RBAC functionality. The Pirate role is automatically assigned based on the value of employeeType property --&gt;
&lt;mapping&gt;
    &lt;source&gt;
        &lt;path&gt;employeeType&lt;/path&gt;
    &lt;/source&gt;
    &lt;expression&gt;
        &lt;value&gt;
            &lt;assignment&gt;
                &lt;targetRef oid="12345678-d34d-b33f-f00d-987987987988" type="RoleType"/&gt;
            &lt;/assignment&gt;
        &lt;/value&gt;
    &lt;/expression&gt;
    &lt;target&gt;
        &lt;path&gt;assignment&lt;/path&gt;
    &lt;/target&gt;
    &lt;condition&gt;
        &lt;script&gt;
            &lt;language&gt;http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy&lt;/language&gt;
            &lt;code&gt;employeeType == 'PIRATE'&lt;/code&gt;
        &lt;/script&gt;
    &lt;/condition&gt;
&lt;/mapping&gt;</pre>
</div>
<div>
<p class="MsoNormal">Regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Ivan<o:p></o:p></p>
</div>
<div class="MsoNormal" style="text-align:center"
align="center">
<hr align="center" size="2" width="100%">
</div>
<blockquote style="border:none;border-left:solid #1010FF
1.5pt;padding:0cm 0cm 0cm
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><b><span
style="font-family:"Helvetica",sans-serif"
lang="EN-US">From:
</span></b><span
style="font-family:"Helvetica",sans-serif"
lang="EN-US">"GAURI SHIRSATH" <</span><span
style="font-family:"Helvetica",sans-serif"><a
moz-do-not-send="true"
href="mailto:gauri15.shirsath@gmail.com"><a class="moz-txt-link-abbreviated" href="mailto:gauri15.shirsath@gmail.com">gauri15.shirsath@gmail.com</a></a></span><span
style="font-family:"Helvetica",sans-serif"
lang="EN-US">><br>
<b>To: </b></span><span
style="font-family:"Helvetica",sans-serif"><a
moz-do-not-send="true"
href="mailto:midpoint@lists.evolveum.com"><a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a></a></span><span
style="font-family:"Helvetica",sans-serif"
lang="EN-US"><br>
<b>Sent: </b>Saturday, March 12, 2016 8:14:01 AM<br>
<b>Subject: </b>[midPoint] Dynamic Role Assignment</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-family:"Helvetica",sans-serif"
lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif">Hi,</span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif">Can
you please guide me on how to assign a role to
a user dynamically based on some attribute value?</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif">Like,
if my data is coming into midPoint from a CSV
file and I want to assign a user role based on
some attribute value.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif">Thank
you,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:9.5pt;font-family:"Helvetica",sans-serif">Gauri</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-family:"Helvetica",sans-serif"><br>
</span><span
style="font-family:"Helvetica",sans-serif"
lang="EN-US">_______________________________________________<br>
midPoint mailing list<br>
</span><span
style="font-family:"Helvetica",sans-serif"><a
moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"><a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a></a></span><span
style="font-family:"Helvetica",sans-serif"
lang="EN-US"><br>
</span><span
style="font-family:"Helvetica",sans-serif"><a
moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"><a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a></a></span><o:p></o:p></p>
</blockquote>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">-- <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> Ing. Ivan Noris<br>
Senior Identity Management Engineer & IDM
Architect<br>
evolveum.com evolveum.com/blog/<br>
___________________________________________________<br>
"Semper ID(e)M Vix."<br>
<br>
<br>
<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre> Ing. Ivan Noris<o:p></o:p></pre>
<pre> Senior Identity Management Engineer & IDM Architect<o:p></o:p></pre>
<pre> evolveum.com evolveum.com/blog/<o:p></o:p></pre>
<pre> ___________________________________________________<o:p></o:p></pre>
<pre> "Semper ID(e)M Vix."<o:p></o:p></pre>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
</blockquote>
<br>
<br>
</body>
</html>