<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 12pt; color: #000000"><div>Hi Martin,<br></div><div><br></div><div>that's a surprise for me, because I'm not using master but 3.4-based branch... and the main logic is similar to what I'm using, even in older versions...<br></div><div><br></div><div>It just didn't work or there were some errors displayed/logged? Maybe the developers would know according to that behaviour.<br></div><div><br></div><div>Regards,<br></div><div>Ivan<br></div><div><br></div><hr id="zwchr"><blockquote style="border-left:2px solid #1010FF;margin-left:5px;padding-left:5px;color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="border-left: 2px solid #1010FF; margin-left: 5px; padding-left: 5px; color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Martin Marchese" <mmarchese@identicum.com><br><b>To: </b>"midPoint General Discussion" <midpoint@lists.evolveum.com><br><b>Sent: </b>Friday, November 18, 2016 11:20:18 PM<br><b>Subject: </b>Re: [midPoint] UserTemplate - Role Assignment based on Org Assignment Property<br><div><br></div><div dir="ltr">Thanks Ivan that worked like charm! And it's a very nice solution!<div><br></div><div>However, just to let you know, it worked only on MidPoint 3.5 snapshot, we tested that in 3.4.1 with no luck.</div><div><br></div><div>Regards</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span></span><span></span>Ing. Martín Marchese</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>Jorge Newbery 3226<br>Tel: +54 (11) 4552-3050<br><a href="mailto:mmarchese@identicum.com" target="_blank" data-mce-href="mailto:mmarchese@identicum.com">mmarchese@identicum.com</a><br><a href="http://www.identicum.com" target="_blank" data-mce-href="http://www.identicum.com">www.identicum.com</a><br data-mce-bogus="1"></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote">On Fri, Nov 18, 2016 at 4:19 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank" data-mce-href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div><p>Hi,</p><p>there might be a way how to do this in object template, but it could be complicated.<br></p><p>I would probably try metarole instead:</p><p>1. all organizations should have a metarole assigned (not induced)<br></p><p>2. roles STUDENT and TEACHER will be defined by you to do whatever needed for users<br></p><p>3. the metarole would have two order=2 inducements for users which have the organization assigned. One of the inducement would induce the STUDENT role if the assignment parameter metaRelation for "this" organization is STUDENT. The other would assign the TEACHER role if the assignment parameter for "this" organization is TEACHER. The inducements would be indirect, i.e. you would not see the STUDENT/TEACHER role assigned in user's Assignments tab <b>(this may or may not be a problem for you)</b>.<br></p><p>Technically it would mean that one person with 20 organizations assigned as TEACHER would end with 20 assignments of the same role TEACHER, but I believe that midPoint will "normalize" this and only one role TEACHER would be assigned in real.</p><p>The metarole should look similar to this (untested):</p><p><role ...></p><p> <name>Teacher/Student Org Metarole</name></p><p> <inducement><br> <targetRef oid="00000000-dc00-dc00-0004-000000000078" type="c:RoleType"><!-- STUDENT --></targetRef></p><p> <condition><br> <source><br> <path>$focusAssignment/xyz:metaRelation</path><!-- xyz is your namespace --><br> </source><br> <expression><br> <script><br> <code>metaRelation == 'STUDENT'</code><br> </script><br> </expression><br> </condition></p><p> <focusType>c:UserType</focusType><!-- to apply only to users even if organization is assigned to another organization --><br></p><p> <order>2</order><!-- to apply to users which have the organization assigned --><br></p><p> </inducement><br></p><p> <inducement><br> <targetRef oid="00000000-dc00-dc00-0004-000000000111" type="c:RoleType"><!-- TEACHER --></targetRef></p><p> <condition><br> <source><br> <path>$focusAssignment/xyz:metaRelation</path><!-- xyz your namespace --><br> </source><br> <expression><br> <script><br> <code>metaRelation == 'TEACHER'</code><br> </script><br> </expression><br> </condition></p><p> <focusType>c:UserType</focusType></p><p> <order>2</order><br></p><p> </inducement><br> </role></p><p>I hope I'm correct. I have done similar stuff, but not this specific one.</p><p>Regards,</p><p>Ivan<br></p><div><div class="h5"><div class="m_8006541839308906901moz-cite-prefix">On 11/18/2016 06:44 PM, Martin Marchese wrote:<br></div><blockquote><div dir="ltr">Hi Ivan thanks for your answer,<div><br></div><div>Yes that's correct, they should be assigned without any parameters based on the org assignment types.</div><div><br></div><div>Regards</div></div><div class="gmail_extra"><br clear="all"><div><div class="m_8006541839308906901gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span></span><span></span>Ing. Martín Marchese</b><br> <img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br> Jorge Newbery 3226<br> Tel: +54 (11) 4552-3050<br> <a href="mailto:mmarchese@identicum.com" target="_blank" data-mce-href="mailto:mmarchese@identicum.com">mmarchese@identicum.com</a><br> <a href="http://www.identicum.com" target="_blank" data-mce-href="http://www.identicum.com">www.identicum.com</a><br data-mce-bogus="1"></div></div></div></div></div></div></div></div></div></div></div><br><div class="gmail_quote">On Fri, Nov 18, 2016 at 12:34 PM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank" data-mce-href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex" data-mce-style="margin: 0 0 0 .8ex; border-left: 1px #ccc solid; padding-left: 1ex;"><div><p>Hi Martin,</p><p>the STUDENT and TEACHER roles are "static" in means of assignment parameters? They are (should be) just assigned without any parameters whenever used has any org with STUDENT-type assignment or any role with TEACHER-type assignment?</p><p><br></p>Ivan<div><div class="m_8006541839308906901h5"><br> <br><div class="m_8006541839308906901m_-3711948596778577785moz-cite-prefix">On 11/16/2016 08:37 PM, Martin Marchese wrote:<br></div></div></div><blockquote><div><div class="m_8006541839308906901h5"><div dir="ltr">Hi All,<div><br></div><div>We had our AssignmentType extended with a "metaRelation" extension property.</div><div><br></div><div>Users are assigned to an OrgType</div><div><br></div><div>Our OrgType represent schools and within this "metaRelation" property, we store wether the assigned user is a STUDENT or a TEACHER.</div><div><br></div><div>Besides, we have 2 Roles (STUDENT and TEACHER roles).</div><div><br></div><div>We would like to use our user template to assign the corresponding role to the user based on shich "metaRelation" it has within the Org.</div><div><br></div><div>Users could be STUDENT and/or TEACHER on more than one Org, so while the user has at least one of this assignments, it needs to have the corresponding role assigned.</div><div><br></div><div>We are thinking if there's a way to query the user Org assignments within the template and use it as source for the target role assignment.</div><div><br></div><div>Is this the best/correct way to do it? Do you recommend any other way?</div><div><br></div><div>Thanks in Advance</div><div>Regards,</div><div><br clear="all"><div><div class="m_8006541839308906901m_-3711948596778577785gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span></span><span></span>Ing. Martín Marchese</b><br> <img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br> Jorge Newbery 3226<br> Tel: +54 (11) 4552-3050<br> <a href="mailto:mmarchese@identicum.com" target="_blank" data-mce-href="mailto:mmarchese@identicum.com">mmarchese@identicum.com</a><br> <a href="http://www.identicum.com" target="_blank" data-mce-href="http://www.identicum.com">www.identicum.com</a><br data-mce-bogus="1"></div></div></div></div></div></div></div></div></div></div></div></div></div><br><fieldset class="m_8006541839308906901m_-3711948596778577785mimeAttachmentHeader"></fieldset><br></div></div><pre>_______________________________________________
midPoint mailing list
<a class="m_8006541839308906901m_-3711948596778577785moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" data-mce-href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="m_8006541839308906901m_-3711948596778577785moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" data-mce-href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><span class="m_8006541839308906901HOEnZb"><span data-mce-style="color: #888888;" style="color: #888888;">
</span></span></pre><span class="m_8006541839308906901HOEnZb"><span data-mce-style="color: #888888;" style="color: #888888;"> </span></span></blockquote><pre class="m_8006541839308906901m_-3711948596778577785moz-signature">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" data-mce-href="http://evolveum.com">evolveum.com</a>
</pre></div>_______________________________________________ midPoint mailing list <a href="mailto:midPoint@lists.evolveum.com" target="_blank" data-mce-href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank" data-mce-href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br data-mce-bogus="1"></blockquote></div></div><fieldset class="m_8006541839308906901mimeAttachmentHeader"></fieldset><pre>_______________________________________________
midPoint mailing list
<a class="m_8006541839308906901moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" data-mce-href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="m_8006541839308906901moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" data-mce-href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre></blockquote><pre class="m_8006541839308906901moz-signature">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" data-mce-href="http://evolveum.com">evolveum.com</a>
</pre></div></div></div><br>_______________________________________________<br> midPoint mailing list<br> <a href="mailto:midPoint@lists.evolveum.com" target="_blank" data-mce-href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank" data-mce-href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br> <br></blockquote></div><br></div><br>_______________________________________________<br>midPoint mailing list<br>midPoint@lists.evolveum.com<br>http://lists.evolveum.com/mailman/listinfo/midpoint<br></blockquote><div><br><br></div><div><br></div><div>-- <br></div><div><span name="x"></span>Ivan Noris<br>Senior Identity Engineer<br>evolveum.com<span name="x"></span><br></div></div></body></html>