<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello Rodrigo,</p>
<p>So you have something like this:</p>
<pre>OrgA -----[I]-----&gt; RoleA
  ^
  |
  |
OrgB
  ^
  |
  |
user</pre>
<p>"I" means inducement. Unlabeled edges are assignments. Although
it may seem strange to you, imagine the same situation, but this
time dealing with roles and metaroles:</p>
<pre>MetaroleA -----[I]-----&gt; MetaroleB .... "level 2"
  ^
  |
  |
Pirate .... "level 1"
  ^
  |
  |
jack .... "level 0"</pre>
<p>Now it's quite clear that the content (constructions, focus
mappings, ...) attached to MetaroleB via simple inducements should
not be applied to jack, but to the Pirate role. The reason is: <br>
</p>
<ol>
<li>They reside at the level of "evaluation order 2".</li>
<li>The inducement itself is a standard one (with the order=1).</li>
<li>So the content of the inducement (constructions, focus
mappings, ...) applies to level 2-1 = 1, i.e. role Pirate.</li>
</ol>
<p>In the second case you'd need to use <tt>&lt;order&gt;2&lt;/order&gt;</tt>
for inducements to apply them to level 0, i.e. jack.</p>
<p>But what about your original case with organizations?</p>
<p>Here the situation is more complex, because you don't know the
resulting level of RoleA: it depends on the number of
organizational levels. However, for such cases midPoint provides
"orderConstraint" element for inducements. In 3.5, you could
specify your RoleA inducement with:</p>
<pre>&lt;orderConstraint&gt;
    &lt;minOrder&gt;1&lt;/minOrder&gt;
    &lt;maxOrder&gt;unbounded&lt;/maxOrder&gt;
&lt;/orderConstraint&gt;
&lt;focusType&gt;UserType&lt;/focusType&gt;   &lt;!-- to disallow applying Role1 to organizations --&gt;</pre>
<p>As far as I know, this should work.</p>
<p>In 3.6 there are some changes, fixes, and clarifications for this
mechanism, so minor changes would be needed.</p>
<p>If you'd want more technical description (relevant to 3.6), here
it is: <a
href="https://github.com/Evolveum/midpoint/blob/master/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java#L72">https://github.com/Evolveum/midpoint/blob/master/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java#L72</a><br>
</p>
<p>Hope this helps,<br>
</p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
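<p>As an added illustration (not code from this thread or from midPoint), the Python below models the level arithmetic described above: the focus is level 0, each assignment raises the evaluation order by one, and an inducement applies to the focus only when that order falls inside its order range and its focusType, if set, matches the focus; the org scenario shows why a plain order-1 inducement in OrgA lands on OrgB instead of the user, while a range of 1..unbounded with focusType UserType reaches the user at any depth and never an org. The names applied_content, org_scenario and metarole_scenario, and the rule that a matched inducement continues at order 1, are assumptions of this simplified model rather than midPoint's implementation.</p>

```python
# Simplified model of the assignment/inducement evaluation order described in
# this thread (constructed illustration, not midPoint's own code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set
UNBOUNDED = float("inf")               # an unbounded maximum order

@dataclass
class Inducement:
    target: str
    order_min: int = 1                 # plain order N: order_min == order_max == N
    order_max: float = 1
    focus_type: Optional[str] = None   # focusType restriction, e.g. "UserType"

@dataclass
class Obj:
    name: str
    type: str                          # "UserType", "OrgType" or "RoleType"
    assignments: List[str] = field(default_factory=list)
    inducements: List[Inducement] = field(default_factory=list)

def applied_content(objects: Dict[str, Obj], focus_name: str) -> Set[str]:
    """Names of objects whose content (authorizations, constructions, mappings)
    applies to the focus. Focus is level 0; each assignment adds one to the order;
    a matched inducement restarts at order 1 (assumption); unmatched ones are ignored."""
    focus, applied = objects[focus_name], set()
    def walk(holder: Obj, order: int, seen: Set[str]) -> None:
        if order == 1:                             # reached at order 1: content applies
            applied.add(holder.name)
        for name in holder.assignments:            # assignment edge: order + 1
            if name not in seen:
                walk(objects[name], order + 1, seen | {name})
        for ind in holder.inducements:             # inducement: order within min..max
            if (ind.focus_type in (None, focus.type) and ind.target not in seen
                    and ind.order_min <= order <= ind.order_max):
                walk(objects[ind.target], 1, seen | {ind.target})
    walk(focus, 0, {focus_name})
    return applied

def org_scenario(ind: Inducement) -> Dict[str, Obj]:
    """user -> OrgC -> OrgB -> OrgA --[ind]--> RoleA: Rodrigo's case, one org deeper."""
    return {o.name: o for o in [Obj("RoleA", "RoleType"), Obj("OrgA", "OrgType", inducements=[ind]),
            Obj("OrgB", "OrgType", assignments=["OrgA"]), Obj("OrgC", "OrgType", assignments=["OrgB"]),
            Obj("user", "UserType", assignments=["OrgC"])]}

def metarole_scenario(order: int) -> Dict[str, Obj]:
    """jack -> Pirate -> MetaroleA --[I, order N]--> MetaroleB: Pavol's level example."""
    return {o.name: o for o in [Obj("MetaroleB", "RoleType"), Obj("jack", "UserType", assignments=["Pirate"]),
            Obj("MetaroleA", "RoleType", inducements=[Inducement("MetaroleB", order, order)]),
            Obj("Pirate", "RoleType", assignments=["MetaroleA"])]}
```

<p>Evaluating the same graph once per focus (user, OrgB, jack, Pirate) reproduces the "level 2-1 = 1" rule: an order-1 inducement held at level 2 shows up for the level-1 object and not for the level-0 focus.</p>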
<div class="moz-cite-prefix">On 31.03.2017 22:41, Rodrigo Yanis
wrote:<br>
</div>
<blockquote
cite="mid:CADu-59EBZAu7=6bzDgWAimMiUOcxXb39RVRFMaXBd3iPrZD=rw@mail.gmail.com"
type="cite">
<div dir="ltr">Hello Pavol,
<div><br>
</div>
<div>Furthering on this issue - while removing <b style="font-size:12.8px">&lt;focusType&gt;UserType&lt;/focusType&gt;
</b><span style="font-size:12.8px">from the inducement
definition solves authorization inheritance for when the
user is assigned to the Org in which the inducement is
defined, this doesn't seem to apply to assignment of Orgs
that are child of this Org.</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">For example, Org A defines
inducement to role A with </span><span
style="font-size:12.8px">authorization definitions, Org B is
then set to be child of Org A, Org B is then assigned to
user. User is indirectly assigned to role A, but
authorization does not work.</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Furthermore, if we define
authorizations directly into Org A, and then assign Org B
(child of A) to user, authorizations are not inherited.</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Do you think of any
workaround for this scenario?</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Thanks,</span></div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><b>Rodrigo Yanis.</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif"><br>
<a moz-do-not-send="true"
href="mailto:ryanis@identicum.com"
target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com/"
target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">2017-01-10 10:08 GMT-03:00 Martin
Marchese <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks Pavol for your answer. I just created
a JIRA for this.</div>
<div class="gmail_extra"><span class=""><br clear="all">
<div>
<div class="m_-5603245889074287488gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><b><span></span><span></span>Ing.
Martín Marchese</b><br>
<img moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
Jorge Newbery 3226<br>
Tel: +54 (11) 4552-3050<br>
<a moz-do-not-send="true"
href="mailto:mmarchese@identicum.com"
target="_blank">mmarchese@identicum.com</a><br>
<a moz-do-not-send="true"
href="http://www.identicum.com"
target="_blank">www.identicum.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</span>
<div>
<div class="h5">
<div class="gmail_quote">On Mon, Jan 9, 2017 at 10:45
AM, Pavol Mederly <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:mederly@evolveum.com"
target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Well... to be more precise: focusType check
at that line expects that the focus type is
present in LensContext. But, for the purpose
of evaluation of user assignments during
login, the focus type in LensContext is not
filled-in.</p>
<p>Please write the JIRA and we'll fix that.<br>
</p>
<span>
<pre class="m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span>
<div>
<div class="m_-5603245889074287488h5">
<div
class="m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On
09.01.2017 14:41, Pavol Mederly wrote:<br>
</div>
<blockquote type="cite">
<p>Martin,</p>
<p>I've played with your case for a while
and it seems that <b>&lt;focusType&gt;UserType&lt;/focusType&gt;</b>
is the problem. After removing it, the
authorizations are propagated correctly.<br>
</p>
<p>I'm not sure why it is so, as it should
work, as far as I know. I suspect a bug
at AssignmentEvaluator:682, but I'm not
sure.<br>
</p>
<p>Maybe you could file a JIRA for this.<br>
</p>
<pre class="m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div
class="m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On
03.01.2017 19:10, Martin Marchese wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi All,</div>
<div><br>
</div>
<div>Within our MidPoint 3.5
deployment, we have created an Org
Structure which induces a role to
users.</div>
<div><br>
</div>
<div>This role contains all kinds of
authorizations for users (REST
access, GUI access, etc.).</div>
<div><br>
</div>
<div>Once the organization is assigned
to a user, it gets the role assigned
but not the authorizations. However,
if we assign the role directly to
the user, all the authorizations are
assigned OK.</div>
<div><br>
</div>
<div>I was wondering if there is not
any kind of order for authorizations
(as it is for inducements). Or
anything that we might be missing in
our objects?</div>
<div><br>
</div>
<div>Below I send examples of how
our Org and Role look:</div>
<div><br>
</div>
<div><br>
</div>
<div>Org:</div>
<div>-----</div>
<pre>&lt;org oid="00000000-0000-1de4-0009-000000000001"&gt;
    &lt;name&gt;MEGC&lt;/name&gt;
    ...
    &lt;inducement id="6"&gt;
        &lt;targetRef oid="00000000-0000-1de4-0003-000000000001" type="RoleType"&gt;&lt;/targetRef&gt;
        &lt;orderConstraint&gt;
            &lt;orderMax&gt;unbounded&lt;/orderMax&gt;
        &lt;/orderConstraint&gt;
        &lt;focusType&gt;UserType&lt;/focusType&gt;
    &lt;/inducement&gt;
    ...
&lt;/org&gt;</pre>
<div><br>
</div>
<div>Role:</div>
<div>-------</div>
<div><br>
</div>
<pre>&lt;role oid="00000000-0000-1de4-0003-000000000001"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"&gt;
    &lt;name&gt;MidPoint Custom User&lt;/name&gt;
    &lt;roleType&gt;APPLICATION&lt;/roleType&gt;
    &lt;authorization&gt;
        &lt;description&gt;Permisos GUI&lt;/description&gt;
        &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard&lt;/action&gt;
        &lt;action&gt;http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials&lt;/action&gt;
    &lt;/authorization&gt;
    ...
&lt;/role&gt;</pre>
<div><br>
</div>
<div>Thanks in Advance</div>
<div><br>
</div>
<div class="m_-5603245889074287488m_-5101288925844589496gmail_signature"><b>Ing. Martín Marchese</b><br>
Identicum S.A.<br>
Jorge Newbery 3226<br>
Tel: +54 (11) 4552-3050<br>
<a href="mailto:mmarchese@identicum.com">mmarchese@identicum.com</a><br>
<a href="http://www.identicum.com">www.identicum.com</a></div>
</div>
<br>
<fieldset
class="m_-5603245889074287488m_-5101288925844589496mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</body></html>