<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>To correct my own answer ... maybe there's yet another
possibility:</p>
<p><br>
</p>
<p>Let's imagine you have an org O that should induce assigning role
R on all users that are in O and all of its sub-orgs.</p>
<p><br>
</p>
<p>You could implement this by creating inducements of R on O with
orders of 1, ..., N where N is the estimated maximum depth of the
org tree. Something like this (for N = 4):</p>
<p><br>
</p>
<pre wrap=""><org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     oid="6e0ad2bc-1d74-48bd-b7b3-793a33d70cce">
    <name>O</name>
    <displayName>...</displayName>
    <!-- no <order> element: order 1 is the default; applies to direct members of O -->
    <inducement id="1">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
    </inducement>
    <!-- order 2: applies to members of O's direct sub-orgs -->
    <inducement id="2">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
        <order>2</order>
    </inducement>
    <!-- order 3: applies to members of sub-orgs two levels below O -->
    <inducement id="3">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
        <order>3</order>
    </inducement>
    <!-- order 4: applies to members of sub-orgs three levels below O -->
    <inducement id="4">
        <targetRef oid="190c7097-d18a-4cfe-935f-bf1bcf7ef3eb" type="c:RoleType"><!-- X --></targetRef>
        <order>4</order>
    </inducement>
</org>
</pre>
If a user U has assigned org O3 which is a child of O2 (i.e. has an
assignment of O2), where O2 is a child of O (i.e. has an assignment
of O), it will have the following roles added:<br>
- inducements of O3 defined with order=1 (the default)<br>
- inducements of O2 defined with order=2<br>
- inducements of O defined with order=3<br>
<br>
I've verified that it basically works. Please note that the roles
are not shown when the user is edited, but they are effectively present.
They can be displayed by clicking the "Show all assignments" button
when editing the user:<br>
<br>
[Screenshot attached to the original message: the user editing page after clicking "Show all assignments"]<br>
<br>
Best regards,<br>
Pavol<br>
<br>
<div class="moz-cite-prefix">On 14.06.2016 13:53, Pavol Mederly
wrote:<br>
</div>
<blockquote
cite="mid:647d3883-2b21-dcae-5685-09c6f37b3998@evolveum.com"
type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<p>Hello Aivo,</p>
<p><br>
</p>
<p>it's probably possible. <br>
</p>
<p><br>
</p>
<p>If it were not for point #4 (the hierarchical aspect), your
configuration could be implemented by inducements defined at
various points in the org tree.</p>
<p><br>
</p>
<p>But point #4 requires a more elaborate solution. I would suggest
trying something like this:</p>
<p><br>
</p>
<ul>
<li>create a user template containing the following mapping:
<ul>
<li>source: parentOrgRef</li>
<li>target: assignment</li>
<li>code: something like:
<ul>
<li>take all parentOrgRefs</li>
<li>iteratively compute a transitive closure, adding their
parents, grand-parents, etc., up to the root(s) of the hierarchy</li>
<li>collect all inducements of these orgs, and use them as
the result of this mapping</li>
</ul>
</li>
</ul>
(the mapping should be declared as an 'absolute' one, not a 'relative' one)</li>
</ul>
<p><br>
</p>
<p>Actually I'm not convinced it will work, but ... it's worth a
try, maybe (giving it ~ 60% chance...)<br>
</p>
<p><br>
</p>
<p>An inherent limitation of this solution is that it's not able to
distinguish which assignments are 'manual' and which are
'automatic'. I.e., in case something goes really wrong, we
are not able to run something like a 'total recomputation' which
would delete all automatic assignments that are no longer
appropriate. This would need to be hacked by running a bulk
action that would first eliminate all 'automatic' assignments
from a given user, and then run a recomputation to provide valid
ones.<br>
</p>
<p><br>
</p>
<p>Another caveat is the order of evaluation of these mappings and
existing assignments. This would need to be experimented with as
well.</p>
<p><br>
</p>
<p>And, as for #3, in both scenarios (hierarchical or
non-hierarchical), user recomputation would be needed.</p>
<p><br>
</p>
<p>Maybe someone could propose a better solution...<br>
</p>
<p><br>
</p>
<p>Best regards,<br>
</p>
<p>Pavol<br>
</p>
<br>
<div class="moz-cite-prefix">On 14.06.2016 13:36, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1465904177477.66673@rmit.ee" type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>
<p>Hi,<br>
I would like to create automatic role assignments for users
based on the organization unit each user belongs to. The
mechanism should have the following functionality:<br>
</p>
<ol>
<li>When a user is added to midPoint s/he will get automatic
roles assigned based on the org unit where s/he belongs.<br>
</li>
<li>When a user moves to another organization unit then the
automatic roles should be reassigned (old org unit automatic
roles removed and new org unit automatic roles assigned).</li>
<li>When an existing automatic role is added/changed/deleted the
change should be reflected in all users' automatic roles.</li>
<li>Automatic role assignments should be related to the
organization hierarchy, e.g. top-level org automatic role A
will be assigned to all users who belong to the top-level and
its child organizations. Child org automatic role B should
be assigned only to child org users.<br>
</li>
</ol>
<p>Is it possible to implement this setup, or at least part of it,
in midPoint 3.3.1 (or 3.4)? What is the suggested way to
implement this?</p>
<p><br>
Thanks,<br>
</p>
<p>Aivo Kuhlberg<br>
</p>
<br>
<hr> <font face="Arial" color="Gray" size="2">This e-mail may contain information which is classified for
official use.</font> <br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</blockquote>
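<p>The thread above describes two ways of propagating an org's roles down the hierarchy: the order-based inducements (order 1, ..., N on the org, from the top message) and a user-template mapping that computes the transitive closure of parentOrgRef and collects the inducements of every org in it (from the earlier reply). The following is an added example, not midPoint code and not written by anyone in the thread: a small in-memory simulation of both schemes so that their behaviour can be compared offline. The org names O, O2, O3 and role R come from the thread; the deeper orgs O4 and O5, the child-org role B, and the <tt>PARENT</tt> / <tt>INDUCEMENTS</tt> tables are constructed for the example.</p>

```python
# Added example (not midPoint code): simulate the two role-propagation schemes
# from the thread.  Org names O, O2, O3 and role R follow the thread; O4, O5 and
# role B are constructed to show what happens past the estimated depth N.
from collections import deque

# Constructed org tree: child -> parent (None for the root), i.e. each org's
# parentOrgRef.  O is the root; O5 is five levels deep.
PARENT = {"O": None, "O2": "O", "O3": "O2", "O4": "O3", "O5": "O4"}

MAX_ORDER = 4  # the N from the thread: inducements of R with order 1..4


def order_inducements(role, max_order):
    """Inducement list from the top message: role with order 1, ..., N.
    Order 1 corresponds to the <inducement> that carries no <order> element."""
    return [(role, n) for n in range(1, max_order + 1)]


# Constructed inducements: org -> [(role, order), ...].
INDUCEMENTS = {
    "O": order_inducements("R", MAX_ORDER),  # R for O and all of its sub-orgs
    "O3": [("B", 1)],                        # B for direct members of O3 only
}


def chain_upwards(org):
    """Yield (ancestor, depth) from org up to the root; org itself has depth 1.
    Depth k is the order at which the ancestor's inducements are evaluated for
    a user assigned directly to org (O3 -> O2 -> O gives O depth 3)."""
    depth = 1
    while org is not None:
        yield org, depth
        org = PARENT[org]
        depth += 1


def roles_by_order(user_orgs):
    """Scheme from the top message: an inducement of order k on an ancestor
    applies only when the ancestor is exactly k-1 levels above the user's org."""
    roles = set()
    for org in user_orgs:
        for ancestor, depth in chain_upwards(org):
            for role, order in INDUCEMENTS.get(ancestor, []):
                if order == depth:
                    roles.add(role)
    return roles


def roles_by_closure(user_orgs):
    """Scheme from the earlier reply: transitive closure of parentOrgRef, then
    collect every inducement of every org in the closure.  As described there
    this ignores <order>, so each inducement propagates all the way down."""
    closure, queue = set(), deque(user_orgs)
    while queue:
        org = queue.popleft()
        if org in closure:
            continue
        closure.add(org)
        if PARENT[org] is not None:
            queue.append(PARENT[org])
    return {role for org in closure for role, _ in INDUCEMENTS.get(org, [])}


def orgs_deeper_than(max_order):
    """Sanity check for the order-based scheme: orgs whose depth from the root
    exceeds N.  Their members silently miss the root's inducements."""
    return {org for org in PARENT if sum(1 for _ in chain_upwards(org)) > max_order}


if __name__ == "__main__":
    for org in ("O", "O2", "O3", "O4", "O5"):
        print(f"user in {org}: order-based={sorted(roles_by_order([org]))} "
              f"closure={sorted(roles_by_closure([org]))}")
    print("orgs beyond depth", MAX_ORDER, "->", orgs_deeper_than(MAX_ORDER))
```

<p>Running it reproduces the O3 case from the top message (the user gets R via the order-3 inducement of O, plus B from O3) under both schemes, and shows where they diverge: a user in O5 gets nothing under the order-based scheme because O only carries orders 1..4, whereas the closure scheme propagates without a depth limit but also carries B down to O4 and O5, so "child org role only for child org users" would need the mapping script to honour <tt>order</tt> as well. <tt>orgs_deeper_than(MAX_ORDER)</tt> is the check worth running against the real tree before relying on an estimated N.</p>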
<br>
</body>
</html>