<div dir="ltr">Thanks Ivan, that worked like a charm! And it's a very nice solution!<div><br></div><div>However, just to let you know, it worked only on MidPoint 3.5 snapshot, we tested that in 3.4.1 with no luck.</div><div><br></div><div>Regards</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span></span><span></span>Ing. Martín Marchese</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>Jorge Newbery 3226<br>Tel: +54 (11) 4552-3050<br><a href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a><br><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Hi,</p>
    <p>there might be a way to do this in an object template, but it
      could be complicated.<br>
    </p>
    <p>I would probably try metarole instead:</p>
    <p>1. all organizations should have a metarole assigned (not
      induced)<br>
    </p>
    <p>2. roles STUDENT and TEACHER will be defined by you to do
      whatever needed for users<br>
    </p>
    <p>3. the metarole would have two order=2 inducements for users
      which have the organization assigned. One of the inducements would
      induce the STUDENT role if the assignment parameter metaRelation
      for "this" organization is STUDENT. The other would assign the
      TEACHER role if the assignment parameter for "this" organization
      is TEACHER. The inducements would be indirect, i.e. you would not
      see the STUDENT/TEACHER role assigned in user's Assignments tab <b>(this
        may or may not be a problem for you)</b>.<br>
    </p>
    <p>Technically it would mean that one person with 20 organizations
      assigned as TEACHER would end up with 20 assignments of the same role
      TEACHER, but I believe that midPoint will "normalize" this and
      only one role TEACHER would be assigned in reality.</p>
    <p>The metarole should look similar to this (untested):</p>
    <pre><role ...>
    <name>Teacher/Student Org Metarole</name>
    <inducement>
        <targetRef oid="00000000-dc00-dc00-0004-000000000078" type="c:RoleType"><!-- STUDENT --></targetRef>
        <condition>
            <source>
                <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace -->
            </source>
            <expression>
                <script>
                    <code>metaRelation == 'STUDENT'</code>
                </script>
            </expression>
        </condition>
        <focusType>c:UserType</focusType><!-- to apply only to users even if organization is assigned to another organization -->
        <order>2</order><!-- to apply to users which have the organization assigned -->
    </inducement>
    <inducement>
        <targetRef oid="00000000-dc00-dc00-0004-000000000111" type="c:RoleType"><!-- TEACHER --></targetRef>
        <condition>
            <source>
                <path>$focusAssignment/xyz:metaRelation</path><!-- xyz your namespace -->
            </source>
            <expression>
                <script>
                    <code>metaRelation == 'TEACHER'</code>
                </script>
            </expression>
        </condition>
        <focusType>c:UserType</focusType>
        <order>2</order>
    </inducement>
</role></pre>
    <p>I hope I'm correct. I have done similar stuff, but not this
      specific one.</p>
    <p>Regards,</p>
    <p>Ivan<br>
    </p><div><div class="h5">
    <div class="m_8006541839308906901moz-cite-prefix">On 11/18/2016 06:44 PM, Martin Marchese
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">Hi Ivan thanks for your answer,
        <div><br>
        </div>
        <div>Yes that's correct, they should be assigned without any
          parameters based on the org assignment types.</div>
        <div><br>
        </div>
        <div>Regards</div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <br>
        <div class="gmail_quote">On Fri, Nov 18, 2016 at 12:34 PM, Ivan
          Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <p>Hi Martin,</p>
              <p>the STUDENT and TEACHER roles are "static" in terms of
                assignment parameters? They are (should be) just
                assigned without any parameters whenever user has any
                org with STUDENT-type assignment or any role with
                TEACHER-type assignment?</p>
              <p><br>
              </p>
              Ivan
              <div>
                <div class="m_8006541839308906901h5"><br>
                  <br>
                  <div class="m_8006541839308906901m_-3711948596778577785moz-cite-prefix">On
                    11/16/2016 08:37 PM, Martin Marchese wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="m_8006541839308906901h5">
                    <div dir="ltr">Hi All,
                      <div><br>
                      </div>
                      <div>We had our AssignmentType extended with a
                        "metaRelation" extension property.</div>
                      <div><br>
                      </div>
                      <div>Users are assigned to an OrgType</div>
                      <div><br>
                      </div>
                      <div>Our OrgType represents schools and within this
                        "metaRelation" property, we store whether the
                        assigned user is a STUDENT or a TEACHER.</div>
                      <div><br>
                      </div>
                      <div>Besides, we have 2 Roles (STUDENT and TEACHER
                        roles).</div>
                      <div><br>
                      </div>
                      <div>We would like to use our user template to
                        assign the corresponding role to the user based
                        on which "metaRelation" it has within the Org.</div>
                      <div><br>
                      </div>
                      <div>Users could be STUDENT and/or TEACHER on more
                        than one Org, so while the user has at least one
                        of these assignments, it needs to have the
                        corresponding role assigned.</div>
                      <div><br>
                      </div>
                      <div>We are thinking if there's a way to query the
                        user Org assignments within the template and use
                        it as source for the target role assignment.</div>
                      <div><br>
                      </div>
                      <div>Is this the best/correct way to do it? Do you
                        recommend any other way?</div>
                      <div><br>
                      </div>
                      <div>Thanks in Advance</div>
                      <div>Regards,</div>
                    </div>
                  </div>
                </div>
                <pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_8006541839308906901m_-3711948596778577785moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_8006541839308906901m_-3711948596778577785moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><span class="m_8006541839308906901HOEnZb"><font color="#888888">
</font></span></pre><span class="m_8006541839308906901HOEnZb"><font color="#888888">
    </font></span></blockquote><span class="m_8006541839308906901HOEnZb"><font color="#888888">
    

    <pre class="m_8006541839308906901m_-3711948596778577785moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </font></span></div>




</blockquote></div>
</div>



</blockquote>
</div></div></div>
<br></blockquote></div><br></div>
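<p>An added example, not part of the thread and not midPoint code: a simplified Python model of how the order=2 inducements, the focusType filter and the metaRelation condition in the metarole quoted above select roles for a focus. The class names, repository keys and sample users are assumptions made up for illustration; the set models the de-duplication Ivan expects.</p>

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Inducement:
    role: str            # role induced on the focus
    order: int           # 2 = applies to holders of an org that holds the metarole
    focus_type: str      # models <focusType>
    meta_relation: str   # models the condition on $focusAssignment metaRelation

@dataclass
class Assignment:
    target: str                          # key of the assigned object in the repo
    meta_relation: Optional[str] = None  # the assignment extension property

@dataclass
class Obj:
    type: str
    assignments: list = field(default_factory=list)
    inducements: list = field(default_factory=list)

def induced_roles(focus: Obj, repo: dict) -> set:
    """Roles the focus receives indirectly via org -> metarole chains."""
    roles = set()  # a set models the expected de-duplication of repeated inducements
    for focus_asg in focus.assignments:                     # hop 1: focus -> org
        for org_asg in repo[focus_asg.target].assignments:  # hop 2: org -> metarole
            for ind in repo[org_asg.target].inducements:
                if (ind.order == 2 and ind.focus_type == focus.type
                        and ind.meta_relation == focus_asg.meta_relation):
                    roles.add(ind.role)
    return roles

# Constructed sample repository (all names are hypothetical).
REPO = {
    "metarole": Obj("RoleType", inducements=[
        Inducement("STUDENT", 2, "UserType", "STUDENT"),
        Inducement("TEACHER", 2, "UserType", "TEACHER")]),
    "school-a": Obj("OrgType", [Assignment("metarole")]),
    "school-b": Obj("OrgType", [Assignment("metarole")]),
    "school-x": Obj("OrgType"),  # metarole not assigned (step 1 skipped)
}
alice = Obj("UserType", [Assignment("school-a", "TEACHER"),
                         Assignment("school-b", "TEACHER"),
                         Assignment("school-b", "STUDENT")])
bob = Obj("UserType", [Assignment("school-x", "TEACHER")])
district = Obj("OrgType", [Assignment("school-a", "TEACHER")])  # org assigned to an org

if __name__ == "__main__":
    for name, obj in (("alice", alice), ("bob", bob), ("district", district)):
        print(name, sorted(induced_roles(obj, REPO)))
```

<p>Because the induced roles do not show in the user's Assignments tab, a model like this gives an access reviewer an expected role set to compare against.</p>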