<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Pertti,</p>
<p>Use (provisioning) dependencies to create objects in order. Then
make sure that you assign the roles and also set the assignment
parameter at the same time.</p>
<p><br>
</p>
<p>I'm using something like this for AD: each organization has a
(meta)role assigned which creates a part of the organization
hierarchy. Something like this:</p>
<pre>- ou=something
  - ou=municipalityname (kind: generic, intent: ou-municipality)
    - ou=computers (kind: generic, intent: ou-municipality-computers)
    - cn=group1municipalityname
    - cn=group2municipalityname
    ...
</pre>
<p><br>
</p>
<p>So in order to create groups or ou=computers, the upstream
organization ou=municipalityname must exist. The objects that must
be created together are configured as inducements in the
(meta)role; the objectType definitions for them are in
schemaHandling in the AD resource. If an object must be created only
after a different object is created, &lt;dependency&gt; can be
used to specify that object (kind, intent, even resourceRef - not
used here).<br>
</p>
<p><br>
</p>
<p>Resource schema handling (fragments):</p>
<pre>...
    &lt;objectType&gt;
        &lt;kind&gt;generic&lt;/kind&gt;
        <b>&lt;intent&gt;ou-municipality&lt;/intent&gt;</b>
        &lt;displayName&gt;Organizational Unit&lt;/displayName&gt;
        &lt;description&gt;Organizational unit for municipality&lt;/description&gt;
        &lt;objectClass&gt;ri:CustomorganizationalUnitObjectClass&lt;/objectClass&gt;
        &lt;attribute&gt;
            &lt;ref&gt;icfs:name&lt;/ref&gt; &lt;!-- required attribute on AD --&gt;
            &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
            &lt;outbound&gt;
                &lt;source&gt;
                    &lt;path&gt;$focus/name&lt;/path&gt;
                &lt;/source&gt;
                &lt;expression&gt;
                    &lt;script&gt;
                        &lt;code&gt;
                            tmpSuffix = basic.getResourceIcfConfigurationPropertyValue(resource, 'Container')
                            'OU=' + name + ',' + tmpSuffix
                        &lt;/code&gt;
                    &lt;/script&gt;
                &lt;/expression&gt;
            &lt;/outbound&gt;
        &lt;/attribute&gt;
        ...
    &lt;/objectType&gt;

    &lt;objectType&gt;
        &lt;kind&gt;generic&lt;/kind&gt;
        <b>&lt;intent&gt;ou-municipality-computers&lt;/intent&gt;</b>
        &lt;displayName&gt;Organizational Unit - Computers&lt;/displayName&gt;
        &lt;description&gt;Organizational unit for municipality - computers&lt;/description&gt;
        &lt;default&gt;false&lt;/default&gt;
        &lt;objectClass&gt;ri:CustomorganizationalUnitObjectClass&lt;/objectClass&gt;
        &lt;attribute&gt;
            &lt;ref&gt;icfs:name&lt;/ref&gt; &lt;!-- required attribute on AD --&gt;
            &lt;matchingRule&gt;mr:stringIgnoreCase&lt;/matchingRule&gt;
            &lt;outbound&gt;
                &lt;source&gt;
                    &lt;path&gt;$focus/name&lt;/path&gt;
                &lt;/source&gt;
                &lt;expression&gt;
                    &lt;script&gt;
                        &lt;code&gt;
                            tmpSuffix = basic.getResourceIcfConfigurationPropertyValue(resource, 'Container')
                            'OU=Computers,OU=' + name + ',' + tmpSuffix
                        &lt;/code&gt;
                    &lt;/script&gt;
                &lt;/expression&gt;
            &lt;/outbound&gt;
        &lt;/attribute&gt;
        ...
        <b>&lt;dependency&gt;
            &lt;kind&gt;generic&lt;/kind&gt;
            &lt;intent&gt;ou-municipality&lt;/intent&gt;
            &lt;strictness&gt;relaxed&lt;/strictness&gt;
        &lt;/dependency&gt;</b>
    &lt;/objectType&gt;
...
</pre>
<p><br>
</p>
<p>Role:</p>
<p><br>
</p>
<pre>&lt;role ...&gt;
    &lt;name&gt;Org metarole&lt;/name&gt;
    &lt;inducement&gt;
        &lt;construction&gt;
            &lt;!-- AD resource --&gt;
            &lt;resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/&gt;
            &lt;kind&gt;generic&lt;/kind&gt;
            &lt;intent&gt;ou-municipality-computers&lt;/intent&gt;
        &lt;/construction&gt;
    &lt;/inducement&gt;
    &lt;inducement&gt;
        &lt;construction&gt;
            &lt;!-- AD resource --&gt;
            &lt;resourceRef oid="00000000-dc00-dc00-0001-100000000002" type="c:ResourceType"/&gt;
            &lt;kind&gt;generic&lt;/kind&gt;
            &lt;intent&gt;ou-municipality&lt;/intent&gt;
        &lt;/construction&gt;
    &lt;/inducement&gt;
    ...
&lt;/role&gt;
</pre>
<p><br>
</p>
<p>The role itself does not specify anything about ordering; it just
says that the objects should be provisioned together. The resource
schemaHandling contains the dependency ordering. "relaxed" means
that if the objects should be created in the same operation (via
my role), they should be provisioned in order. $focus/name
corresponds to the name of the organization which is assigned the
(meta)role and for which provisioning is running.<br>
</p>
<p><br>
</p>
<p>You can chain the objects as you wish, just do not create a
circular dependency. I'm using this setup to create 20-25
projections for an organization using multiple subtrees.<br>
</p>
<p><br>
</p>
<p>In your case I assume that you will have two inducements in the
role - one for creating ou=org,... and one for creating a group in
the org. So you will need at least two objectType definitions in
schemaHandling. If the object name is constructed from the
assignment parameter, icfs:name/ri:dn should probably be
constructed in the mapping in the role itself.<br>
</p>
<p><br>
</p>
<p>Reverse order is used for deleting objects.</p>
<p><br>
</p>
<p>Hope this helps,</p>
<p>Ivan<br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 11/21/2016 07:00 PM, Pertti
Kellomäki wrote:<br>
</div>
<blockquote cite="mid:1479751243151.30222@datactica.fi" type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} --></style>
<p>Hi,</p>
<p><br>
</p>
<p>I am creating ldap groups based on midPoint roles. The name of
the group is based on the name of the role, and the
organizational unit given in the assignment when the role is
assigned to a user. So something like this:<br>
</p>
<p><br>
</p>
<p> cn=role1,ou=org1,ou=Groups</p>
<p> cn=role1,ou=org2,ou=Groups</p>
<p><br>
</p>
<p>At some point I need to create the ou's org1 and org2 in ldap.
Do I run into ordering problems if I put both the creation of
the ou in ldap, and the creation of the ldap group as
inducements in the same role? Or should the creation of the
organizational units in midPoint already trigger creation of the
ou's in ldap so that the ou is guaranteed to exist in ldap when
the role is assigned?</p>
<p><br>
</p>
<p>Pertti<br>
</p>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
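<p>The ordering rules discussed in the thread (dependencies are provisioned first, deletion runs in reverse order, and circular dependencies must be avoided) can be checked mechanically before a resource definition is imported. The script below is an added example, not code from the original post or from the midPoint project: it reads the &lt;dependency&gt; elements of each objectType in a resource's schemaHandling, computes the provisioning order with a topological sort, derives the deletion order as its reverse, and reports cycles. The resource XML it parses is constructed for the example; the entitlement/group objectType is hypothetical, namespace prefixes are ignored, and cross-resource dependencies (resourceRef) are assumed not to be used, as in the post.</p>

```python
"""Dependency-order check for a midPoint resource's schemaHandling.

Added example, not code from the original post or from midPoint. It maps
each objectType (kind, intent) to the objectTypes it depends on, sorts them
so that dependencies come first, and flags circular dependencies. The XML
below is constructed for this example; namespace prefixes are ignored and
dependencies on other resources (resourceRef) are assumed not to be used.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed sample: two OU objectTypes from the thread plus a hypothetical group.
RESOURCE_XML = """<resource>
  <schemaHandling>
    <objectType>
      <kind>generic</kind>
      <intent>ou-municipality</intent>
    </objectType>
    <objectType>
      <kind>generic</kind>
      <intent>ou-municipality-computers</intent>
      <dependency>
        <kind>generic</kind>
        <intent>ou-municipality</intent>
        <strictness>relaxed</strictness>
      </dependency>
    </objectType>
    <objectType>
      <kind>entitlement</kind>
      <intent>group</intent>
      <dependency>
        <kind>generic</kind>
        <intent>ou-municipality</intent>
        <strictness>relaxed</strictness>
      </dependency>
    </objectType>
  </schemaHandling>
</resource>
"""

# Constructed sample with a cycle: each OU depends on the other.
CYCLIC_XML = """<resource>
  <schemaHandling>
    <objectType>
      <kind>generic</kind>
      <intent>ou-a</intent>
      <dependency><kind>generic</kind><intent>ou-b</intent></dependency>
    </objectType>
    <objectType>
      <kind>generic</kind>
      <intent>ou-b</intent>
      <dependency><kind>generic</kind><intent>ou-a</intent></dependency>
    </objectType>
  </schemaHandling>
</resource>
"""


def _local(tag):
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name, default):
    """Text of the first direct child named `name`, or `default`."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip() or default
    return default


def parse_dependencies(xml_text):
    """Map each objectType (kind, intent) to the (kind, intent) pairs it depends on.

    When kind or intent is omitted, midPoint's defaults ('account', 'default') apply.
    """
    graph = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "objectType":
            continue
        key = (_child_text(elem, "kind", "account"), _child_text(elem, "intent", "default"))
        graph[key] = [
            (_child_text(dep, "kind", "account"), _child_text(dep, "intent", "default"))
            for dep in elem
            if _local(dep.tag) == "dependency"
        ]
    return graph


def provisioning_order(graph):
    """Kahn's topological sort: every objectType appears after its dependencies.

    Raises ValueError for a dependency that names no objectType in this resource
    and for a circular dependency. Ties are broken by sorting, so output is stable.
    """
    for node, deps in graph.items():
        for dep in deps:
            if dep not in graph:
                raise ValueError(f"{node} depends on undefined objectType {dep}")
    indegree = {node: len(deps) for node, deps in graph.items()}
    dependents = defaultdict(list)
    for node, deps in graph.items():
        for dep in deps:
            dependents[dep].append(node)
    ready = deque(sorted(n for n, deg in indegree.items() if deg == 0))
    order = []
    while ready:
        node = ready.popleft()
        order.append(node)
        for dependent in sorted(dependents[node]):
            indegree[dependent] -= 1
            if indegree[dependent] == 0:
                ready.append(dependent)
    if len(order) != len(graph):
        stuck = sorted(n for n, deg in indegree.items() if deg > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


def deletion_order(graph):
    """Objects are removed in the reverse of the provisioning order."""
    return list(reversed(provisioning_order(graph)))


def is_orderable(graph):
    """True when the schemaHandling dependencies admit a provisioning order."""
    try:
        provisioning_order(graph)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    graph = parse_dependencies(RESOURCE_XML)
    print("create order:", provisioning_order(graph))
    print("delete order:", deletion_order(graph))
    print("cyclic sample orderable:", is_orderable(parse_dependencies(CYCLIC_XML)))
```

<p>Run against a real resource file, replace RESOURCE_XML with the file contents; the script only looks at objectType and dependency elements, so the rest of the resource definition is ignored. A dependency pointing at an objectType on another resource (resourceRef) would be reported as undefined here, since the example does not follow references across resources.</p>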
</body>
</html>