<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Martin,<br>
<br>
If you create the role, it can be assigned as a role assignment, so
all the end user knows is the name of the role. The role may just
construct the account, set attribute values (similar/additional to
schema handling mappings) and associate the account with
entitlements. That's all encapsulated in the role.<br>
<br>
But the role with the association must be defined and imported from
an XML file - at least for now.<br>
<br>
Regards,<br>
Ivan<br>
<br>
<div class="moz-cite-prefix">On 06/29/2016 08:23 PM, Martin Marchese
wrote:<br>
</div>
<blockquote
cite="mid:CAG3rmdqfqY=-qSV0w42t-5bSHwec=40GiLtfjL=YZMKQpg6hqg@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks Ivan, I'll try this.
<div><br>
</div>
<div>Is there a way to do this assignment from the MidPoint UI? The end-user
is not tech, so it will be great if they can do this kind of
assignment from the UI.</div>
<div><br>
</div>
<div>Regards,</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr"><b><span></span><span></span>Ing. Martín
Marchese</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
Anchorena 1357 PB<br>
Tel: +54 (11) 3526.5509<br>
<a moz-do-not-send="true"
href="mailto:mmarchese@identicum.com"
target="_blank">mmarchese@identicum.com</a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com" target="_blank">www.identicum.com</a></div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">On Wed, Jun 29, 2016 at 12:06 PM, Ivan
Noris <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hi Martin,<br>
<br>
you can use associationTargetSearch in role:<br>
<br>
<pre>. . .
<inducement>
    <construction>
        <resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/>
        <kind>account</kind>
        <association>
            <ref>ri:group</ref>
            <outbound>
                <strength>strong</strength>
                <expression>
                    <associationTargetSearch>
                        <filter>
                            <q:equal>
                                <q:path>attributes/ri:dn</q:path>
                                <q:value>cn=group1,ou=foo,ou=bar,dc=example,dc=com</q:value>
                            </q:equal>
                        </filter>
                        <searchStrategy>onResourceIfNeeded</searchStrategy>
                    </associationTargetSearch>
                </expression>
            </outbound>
        </association>
    </construction>
</inducement>
...</pre>
<br>
The above example tries to construct an account (intent is
not specified, thus default) and associate with an
entitlement, which has "ri:dn" attribute equal to
"cn=group1,ou=foo,ou=bar,dc=example,dc=com". This will
search the group on the resource.<br>
The shadow will be created after the group is found.
Further associations will use the shadow instead of
looking up (searching) on resource.<br>
<br>
Regards,<br>
Ivan
<div>
<div class="h5"><br>
<br>
<div>On 06/29/2016 04:56 PM, Martin Marchese wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="h5">
<div dir="ltr">Hi All!,
<div><br>
</div>
<div>I have a question on Role-Entitlement
assignment:</div>
<div><br>
</div>
<div>I have an Entitlement representing LDAP
groups (it does not exist in midpoint, just in
the resource, so it does not have a shadow).</div>
<div><br>
</div>
<div>I found the following example:<br>
<pre><assignment>
    <construction>
        <resourceRef oid="10000000-0000-0000-0000-000000000004" type="c:ResourceType"/>
        <kind>account</kind>
        <association>
            <ref>ri:group</ref>
            <outbound>
                <expression>
                    <value>
                        <shadowRef oid="20000000-0000-0000-3333-000000000001"/>
                    </value>
                </expression>
            </outbound>
        </association>
    </construction>
</assignment></pre>
<div><br>
</div>
<div>However, as I don't have the shadow created in MidPoint, I can't
add the shadow OID for reference. Is there a way to achieve this
without creating the object within MidPoint?</div>
<div><br>
</div>
<div>Another question, as this assignment will probably be done by a
non-tech customer, is there a way to do this assignment through the UI?</div>
<div><br>
</div>
<div>Thanks in advance</div>
</div>
<div><br clear="all">
<div>
<div data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr"><b><span></span><span></span>Ing.
Martín Marchese</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
Anchorena 1357 PB<br>
Tel: +54 (11) 3526.5509<br>
<a moz-do-not-send="true"
href="mailto:mmarchese@identicum.com"
target="_blank">mmarchese@identicum.com</a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com"
target="_blank">www.identicum.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span class="HOEnZb"><font color="#888888">
</font></span></pre>
<span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
<span class="HOEnZb"><font color="#888888"> <br>
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
___________________________________________________
"Semper ID(e)M Vix."
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
</pre>
</body>
</html>