<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi,<br>
<br>
<div class="moz-cite-prefix">On 10/06/2016 03:18 PM,
<a class="moz-txt-link-abbreviated" href="mailto:Daniel.Sommer@itconcepts.net">Daniel.Sommer@itconcepts.net</a> wrote:<br>
</div>
<blockquote
cite="mid:OF4F16BAC6.BB69F923-ONC1258044.00491316-C1258044.0049131A@itconcepts.net"
type="cite"><font face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif" size="2">Are we right,
that the creation on the resource (account or group) is always
associated with the act of the assignment in midPoint (and
therefore creating the<br>
projection at the concerned focus object)? </font></blockquote>
<br>
Yes. Accounts or groups are the "real side" of the projection.
Therefore, if you want to create an account or group, you have to create
a projection in midPoint.<br>
<br>
This also goes with midPoint philosophy: we want every object to be
accountable. In an ideal state every object (projection) must have an
owner. Therefore the projection is always created in a "linked"
state to some midPoint (focal) object (user, role, org, service).
This applies to accounts, but it also applies to groups, privileges,
organizational units ... and every resource-side object that
midPoint creates.<br>
<br>
<blockquote
cite="mid:OF4F16BAC6.BB69F923-ONC1258044.00491316-C1258044.0049131A@itconcepts.net"
type="cite"><font face="Default Sans
Serif,Verdana,Arial,Helvetica,sans-serif" size="2">So what could
be the solution? I would think of creating such a role
construction that on assignment to the user two projections are
created for him:<br>
the first one creates (ensures the presence of) the group and
the second creates the account and associates. But how will the
assignment (or inducement)<br>
for the group creation be defined, since the name of the group should (of
course) not be the name of the user... ?<br>
</font></blockquote>
<br>
I'm not sure that I understand that. <br>
<br>
Do you want to create a group that is "personal" for each user? E.g.
user "foo" will have group "foo-group", user "bar" will have group
"bar-group", etc. If that is the case then simply create a new
projection for the user on the same resource. Add a new construction
to the role/metarole that gives the account to the user. A user can
have any number of projections on one resource as long as each
projection has a different kind+intent combination.<br>
<br>
Or are you trying to create a group that is not "personal" to a user?
A group that is shared by several users, but it is created "on
demand" when the first user is assigned to that group? If that is
the case you need to have an object in midPoint that has the same
lifecycle as the group. This can be a role, org or service (let's
assume it is a role). And instead of trying to create the group
directly, create the midPoint role instead. One elegant way to do
this is the use of the assignmentTargetSearch expression with the "create on
demand" feature. See here:<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Expression#Expression-AssignmentTargetSearch">https://wiki.evolveum.com/display/midPoint/Expression#Expression-AssignmentTargetSearch</a><br>
... and it is used in a full example here:<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test">https://wiki.evolveum.com/display/midPoint/OrgSync+Story+Test</a><br>
Once that on-demand role is created you can easily create the group
as a projection of this role. And you can use the associationFromLink
expression to add users to that group.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
</body>
</html>