<div dir="ltr">Hello Pavol,<div><br></div><div>Furthering on this issue - while removing <b style="font-size:12.8px"><focusType>UserType</focusType> </b><span style="font-size:12.8px">from the inducement definition solves authorization inheritance for when the user is assigned to the Org in which the inducement is defined, this doesn't seem to apply to assignment of Orgs that are children of this Org.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">For example, Org A defines an inducement to role A with </span><span style="font-size:12.8px">authorization definitions, Org B is then set to be a child of Org A, Org B is then assigned to the user. The user is indirectly assigned to role A, but authorization does not work.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Furthermore, if we define authorizations directly in Org A, and then assign Org B (child of A) to the user, authorizations are not inherited.</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Can you think of any workaround for this scenario?</span></div><div><span style="font-size:12.8px"><br></span></div><div><span style="font-size:12.8px">Thanks,</span></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><b>Rodrigo Yanis.</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br></font>Jorge Newbery 3226<br>Tel: +54 (11) 4824-9971<font face="arial, helvetica, sans-serif"><br><a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br><a href="http://www.identicum.com/" target="_blank"><font 
color="#0b5394">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">2017-01-10 10:08 GMT-03:00 Martin Marchese <span dir="ltr"><<a href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Pavol for your answer. I just created a JIRA for this.</div><div class="gmail_extra"><span class=""><br clear="all"><div><div class="m_-5603245889074287488gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b><span></span><span></span>Ing. Martín Marchese</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>Jorge Newbery 3226<br>Tel: +54 (11) 4552-3050<br><a href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a><br><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></div></div></div></div></div></div></div></div></div></div></div>
<br></span><div><div class="h5"><div class="gmail_quote">On Mon, Jan 9, 2017 at 10:45 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    <p>Well... to be more precise: focusType check at that line expects
      that the focus type is present in LensContext. But, for the
      purpose of evaluation of user assignments during login, the focus
      type in LensContext is not filled-in.</p>
    <p>Please write the JIRA and we'll fix that.<br>
    </p><span>
    <pre class="m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
    </span><div><div class="m_-5603245889074287488h5"><div class="m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On 09.01.2017 14:41, Pavol Mederly
      wrote:<br>
    </div>
    <blockquote type="cite">
      
      <p>Martin,</p>
      <p>I've played with your case for a while and it seems that <b><focusType>UserType</focusType></b>
        is the problem. After removing it, the authorizations are
        propagated correctly.<br>
      </p>
      <p>I'm not sure why it is so; as it should work, as far as I know.
        I suspect a bug at AssignmentEvaluator:682, but I'm not sure.<br>
      </p>
      <p>Maybe you could file a JIRA for this.<br>
      </p>
      <pre class="m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
      <div class="m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On 03.01.2017 19:10, Martin Marchese
        wrote:<br>
      </div>
      <blockquote type="cite">
        <div dir="ltr">
          <div>Hi All,</div>
          <div><br>
          </div>
          <div>Within our MidPoint 3.5 deployment, we have created an
            Org Structure which induces a role to users.</div>
          <div><br>
          </div>
          <div>This role contains all kinds of authorizations for users
            (REST access, GUI access, etc).</div>
          <div><br>
          </div>
          <div>Once the organization is assigned to a user, it gets the
            role assigned but not the authorizations. However, if we
            assign the role directly to the user, all the authorizations
            are assigned OK.</div>
          <div><br>
          </div>
          <div>I was wondering if there is not any kind of order for
            authorizations (as it is for inducements). Or anything that
            we might be missing in our objects?</div>
          <div><br>
          </div>
          <div>Below, I send the examples of how our Org and Role look
            like:</div>
          <div><br>
          </div>
          <div><br>
          </div>
          <div>Org:</div>
          <div>-----</div>
          <div>
            <div><org oid="00000000-0000-1de4-0009-000000000001"></div>
            <div>   <name>MEGC</name></div>
            <div>...</div>
            <div>    <inducement id="6"></div>
            <div>      <targetRef
              oid="00000000-0000-1de4-0003-000000000001"
              type="RoleType"></targetRef></div>
            <div>      <orderConstraint></div>
            <div>        <orderMax>unbounded</orderMax></div>
            <div>      </orderConstraint></div>
            <div>      <focusType>UserType</focusType></div>
            <div>     </inducement></div>
            <div>...</div>
            <div></org></div>
          </div>
          <div><br>
          </div>
          <div>Role:</div>
          <div>-------</div>
          <div><br>
          </div>
          <div>
            <div><role oid="00000000-0000-1de4-0003-000000000001"<br>
            </div>
            <div>      xmlns:c="<a href="http://midpoint.evolveum.com/xml/ns/public/common/common-3" target="_blank">http://midpoint.evolveum.com/xml/ns/public/common/common-3</a>">
                <name>MidPoint Custom User</name></div>
            <div>  <roleType>APPLICATION</roleType></div>
            <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">   </span><authorization></div>
            <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">           </span><description>Permisos
              GUI</description></div>
            <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">           </span><action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard</a></action></div>
            <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">           </span><action><a href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials" target="_blank">http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</a></action></div>
            <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">   </span></authorization></div>
            <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>...</div>
            <div></role></div>
          </div>
          <div><br>
          </div>
          <div>Thanks in Advance</div>
          <div><br>
          </div>
          <div>
            <div class="m_-5603245889074287488m_-5101288925844589496gmail_signature">
              <div dir="ltr">
                <div>
                  <div dir="ltr">
                    <div>
                      <div dir="ltr">
                        <div>
                          <div dir="ltr">
                            <div>
                              <div dir="ltr"><b><span></span><span></span>Ing.
                                  Martín Marchese</b><br>
                                <img src="http://www.identicum.com/img/favicon.ico">Identicum
                                S.A.<br>
                                Jorge Newbery 3226<br>
                                Tel: +54 (11) 4552-3050<br>
                                <a href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a><br>
                                <a href="http://www.identicum.com" target="_blank">www.identicum.com</a></div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <fieldset class="m_-5603245889074287488m_-5101288925844589496mimeAttachmentHeader"></fieldset>
        <br>
        <pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
      </blockquote>
      <br>
      <br>
      <fieldset class="m_-5603245889074287488m_-5101288925844589496mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div></div></div>
<br></blockquote></div><br></div>
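<p>An added example, not part of the thread or of midPoint's own code: a small audit script that lists every inducement on an org or role that carries a <code>focusType</code> restriction, the setting the thread identifies as blocking authorization propagation in this deployment. The <code>objects</code> wrapper, the sample export and its placeholder OIDs are constructed for illustration; elements are matched by local name so that exports with or without a namespace prefix are both handled.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample export; OIDs are placeholders, not values from the thread.
SAMPLE_EXPORT = """\
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <org oid="org-a-placeholder">
    <name>Org A</name>
    <inducement id="6">
      <targetRef oid="role-a-placeholder" type="RoleType"/>
      <orderConstraint><orderMax>unbounded</orderMax></orderConstraint>
      <focusType>UserType</focusType>
    </inducement>
  </org>
  <org oid="org-b-placeholder"><name>Org B</name>
    <inducement id="1"><targetRef oid="role-b-placeholder" type="RoleType"/></inducement>
  </org>
</objects>"""

def local(tag):
    """Drop the '{namespace}' part so prefixed and unprefixed exports both match."""
    return tag.rsplit("}", 1)[-1]

def child_value(elem, name, attr=None):
    """First direct child called `name`: its text, or one attribute if `attr` is given."""
    for child in elem:
        if local(child.tag) == name:
            return child.get(attr) if attr else (child.text or "").strip()
    return None

def find_focus_typed_inducements(xml_text):
    """List inducements on orgs and roles that carry a <focusType> restriction."""
    findings = []
    for obj in ET.fromstring(xml_text).iter():
        if local(obj.tag) not in ("org", "role"):
            continue
        for ind in (c for c in obj if local(c.tag) == "inducement"):
            focus = child_value(ind, "focusType")
            if focus:
                findings.append({
                    "holder": child_value(obj, "name"),
                    "inducement_id": ind.get("id"),
                    "target_oid": child_value(ind, "targetRef", "oid"),
                    "focus_type": focus.split(":")[-1],  # QName prefix removed
                })
    return findings

if __name__ == "__main__":
    for finding in find_focus_typed_inducements(SAMPLE_EXPORT):
        print(finding)
```

<p>Each finding names the holding object, the inducement id and the target OID, which is enough to locate the inducement for review.</p>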