<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hello Rodrigo,</p>
    <p>so you have something like this</p>
    <p><tt>OrgA -----[I]-----> RoleA<br>
          ^<br>
          |<br>
          |</tt><tt><br>
      </tt><tt>OrgB</tt><tt><br>
          ^<br>
          |<br>
          |<br>
      </tt><tt>user</tt></p>
    <p>"I" means inducement. Unlabeled edges are assignments. Although
      it may seem strange to you, imagine the same situation, but this
      time dealing with roles and metaroles:</p>
    <p><tt>MetaroleA -----[I]-----> MetaroleB        .... "level 2"<br>
           ^<br>
           |<br>
           |</tt><tt><br>
         Pirate                                   .... "level 1"<br>
           ^<br>
           |<br>
           |<br>
         </tt><tt>jack                                     .... "level 0"<br>
      </tt></p>
    <p>Now it's quite clear that the content (constructions, focus
      mappings, ...) attached to MetaroleB via simple inducements should
      not be applied to jack, but to the Pirate role. The reason is: <br>
    </p>
    <ol>
      <li>They reside at the level of "evaluation order 2".</li>
      <li>The inducement itself is a standard one (with the order=1).</li>
      <li>So the content of the inducement (constructions, focus
        mappings, ...) applies to level 2-1 = 1, i.e. role Pirate.</li>
    </ol>
    <p>In the second case you'd need to use <order>2</order>
      for inducements to apply them to level 0, i.e. jack.</p>
    <p>But what about your original case with organizations?</p>
    <p>Here the situation is more complex, because you don't know the
      resulting level of RoleA: it depends on the number of
      organizational levels. However, for such cases midPoint provides
      "orderConstraint" element for inducements. In 3.5, you could
      specify your RoleA inducement with:</p>
    <p><tt><orderConstraint></tt><tt><br>
      </tt><tt>  <minOrder>1</minOrder></tt><tt><br>
      </tt><tt>  <maxOrder>unbounded</maxOrder></tt><tt><br>
      </tt><tt></orderConstraint></tt><tt><br>
      </tt><tt><focusType>UserType</focusType>           
        <!-- to disallow applying Role1 to organizations --></tt><br>
    </p>
    <p>As far as I know, this should work.</p>
    <p>In 3.6 there are some changes, fixes, and clarifications for this
      mechanism, so minor changes would be needed.</p>
    <p>If you'd want more technical description (relevant to 3.6), here
      it is: <a
href="https://github.com/Evolveum/midpoint/blob/master/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java#L72">https://github.com/Evolveum/midpoint/blob/master/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java#L72</a><br>
    </p>
    <p>Hope this helps,<br>
    </p>
    <pre class="moz-signature" cols="72">Pavol Mederly
Software developer
evolveum.com
</pre>
    <div class="moz-cite-prefix">On 31.03.2017 22:41, Rodrigo Yanis
      wrote:<br>
    </div>
    <blockquote
cite="mid:CADu-59EBZAu7=6bzDgWAimMiUOcxXb39RVRFMaXBd3iPrZD=rw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Hello Pavol,
        <div><br>
        </div>
        <div>Furthering on this issue - while removing <b
            style="font-size:12.8px"><focusType>UserType</<wbr>focusType>
          </b><span style="font-size:12.8px">from the inducement
            definition solves authorization inheritance for when the
            user is assigned to the Org in which the inducement is
            defined, this doesn't seem to apply to assignment of Orgs
            that are child of this Org.</span></div>
        <div><span style="font-size:12.8px"><br>
          </span></div>
        <div><span style="font-size:12.8px">For example, Org A defines
            inducement to role A with </span><span
            style="font-size:12.8px">authorization definitions, Org B is
            then set to be child of Org A, Org B is then assigned to
            user. User is indirectly assigned to role A, but
            authorization does not work.</span></div>
        <div><span style="font-size:12.8px"><br>
          </span></div>
        <div><span style="font-size:12.8px">Furthermore, if we define
            authorizations directly into Org A, and then assign Org B
            (child of A) to user, authorizations are not inherited.</span></div>
        <div><span style="font-size:12.8px"><br>
          </span></div>
        <div><span style="font-size:12.8px">Do you think of any
            workaround for this scenario?</span></div>
        <div><span style="font-size:12.8px"><br>
          </span></div>
        <div><span style="font-size:12.8px">Thanks,</span></div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature" data-smartmail="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div dir="ltr">
                            <div dir="ltr"><br>
                            </div>
                            <div dir="ltr"><font face="arial, helvetica,
                                sans-serif"><b>Rodrigo Yanis.</b><br>
                                <img moz-do-not-send="true"
                                  src="http://www.identicum.com/img/favicon.ico">Identicum
                                S.A.<br>
                              </font>Jorge Newbery 3226<br>
                              Tel: +54 (11) 4824-9971<font face="arial,
                                helvetica, sans-serif"><br>
                                <a moz-do-not-send="true"
                                  href="mailto:ryanis@identicum.com"
                                  target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
                                <a moz-do-not-send="true"
                                  href="http://www.identicum.com/"
                                  target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">2017-01-10 10:08 GMT-03:00 Martin
          Marchese <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a>></span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Thanks Pavol for your answer. I just created
              a JIRA for this.</div>
            <div class="gmail_extra"><span class=""><br clear="all">
                <div>
                  <div class="m_-5603245889074287488gmail_signature"
                    data-smartmail="gmail_signature">
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr"><b><span></span><span></span>Ing.
                                        Martín Marchese</b><br>
                                      <img moz-do-not-send="true"
                                        src="http://www.identicum.com/img/favicon.ico">Identicum
                                      S.A.<br>
                                      Jorge Newbery 3226<br>
                                      Tel: +54 (11) 4552-3050<br>
                                      <a moz-do-not-send="true"
                                        href="mailto:mmarchese@identicum.com"
                                        target="_blank">mmarchese@identicum.com</a><br>
                                      <a moz-do-not-send="true"
                                        href="http://www.identicum.com"
                                        target="_blank">www.identicum.com</a></div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
                <br>
              </span>
              <div>
                <div class="h5">
                  <div class="gmail_quote">On Mon, Jan 9, 2017 at 10:45
                    AM, Pavol Mederly <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:mederly@evolveum.com"
                        target="_blank">mederly@evolveum.com</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000">
                        <p>Well... to be more precise: focusType check
                          at that line expects that the focus type is
                          present in LensContext. But, for the purpose
                          of evaluation of user assignments during
                          login, the focus type in LensContext is not
                          filled-in.</p>
                        <p>Please write the JIRA and we'll fix that.<br>
                        </p>
                        <span>
                          <pre class="m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                        </span>
                        <div>
                          <div class="m_-5603245889074287488h5">
                            <div
                              class="m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On
                              09.01.2017 14:41, Pavol Mederly wrote:<br>
                            </div>
                            <blockquote type="cite">
                              <p>Martin,</p>
                              <p>I've played with your case for a while
                                and it seems that <b><focusType>UserType</focusType<wbr>></b>
                                is the problem. After removing it, the
                                authorizations are propagated correctly.<br>
                              </p>
                              <p>I'm not sure why it is so; as it should
                                work, as far as I know. I suspect a bug
                                at AssignmentEvaluator:682, but I'm not
                                sure.<br>
                              </p>
                              <p>Maybe you could file a JIRA for this.<br>
                              </p>
                              <pre class="m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                              <div
                                class="m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On
                                03.01.2017 19:10, Martin Marchese wrote:<br>
                              </div>
                              <blockquote type="cite">
                                <div dir="ltr">
                                  <div>Hi All,</div>
                                  <div><br>
                                  </div>
                                  <div>Within our MidPoint 3.5
                                    deployment, we have created an Org
                                    Structure which induces a role to
                                    users.</div>
                                  <div><br>
                                  </div>
                                  <div>This role, contains all kind of
                                    authorizations for users (REST
                                    acccess, GUI access, etc).</div>
                                  <div><br>
                                  </div>
                                  <div>Once the organization is assigned
                                    to a user, it gets the role assigned
                                    but not the authorizations. However,
                                    if we assign the role directly to
                                    the user, all the authorizations are
                                    assigned OK.</div>
                                  <div><br>
                                  </div>
                                  <div>I was wondering if there is not
                                    any kind of order for authorizations
                                    (as it is for inducements). Or
                                    anything that we might be missing in
                                    our objects?</div>
                                  <div><br>
                                  </div>
                                  <div>Below, I send the examples of how
                                    our Org and Role look like:</div>
                                  <div><br>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>Org:</div>
                                  <div>-----</div>
                                  <div>
                                    <div><org
                                      oid="00000000-0000-1de4-0009-0<wbr>00000000001"></div>
                                    <div> 
                                       <name>MEGC</name></div>
                                    <div>...</div>
                                    <div>    <inducement id="6"></div>
                                    <div>      <targetRef
                                      oid="00000000-0000-1de4-0003-0<wbr>00000000001"
type="RoleType"></targetRef></div>
                                    <div>      <orderConstraint></div>
                                    <div>       
                                      <orderMax>unbounded</orderMax></div>
                                    <div>      </orderConstraint></div>
                                    <div>     
                                      <focusType>UserType</focusType<wbr>></div>
                                    <div>     </inducement></div>
                                    <div>...</div>
                                    <div></org></div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>Role:</div>
                                  <div>-------</div>
                                  <div><br>
                                  </div>
                                  <div>
                                    <div><role
                                      oid="00000000-0000-1de4-0003-0<wbr>00000000001"<br>
                                    </div>
                                    <div>      xmlns:c="<a
                                        moz-do-not-send="true"
                                        href="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                                        target="_blank">http://midpoint.evolv<wbr>eum.com/xml/ns/public/common/<wbr>common-3</a>">
                                        <name>MidPoint Custom
                                      User</name></div>
                                    <div> 
                                      <roleType>APPLICATION</roleTyp<wbr>e></div>
                                    <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">   </span><authorization></div>
                                    <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">           </span><description>Permisos
                                      GUI</description></div>
                                    <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">           </span><action><a
                                        moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard"
                                        target="_blank">http://midpoint.evolve<wbr>um.com/xml/ns/public/security/<wbr>authorization-ui-3#selfDashboa<wbr>rd</a></action></div>
                                    <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">           </span><action><a
                                        moz-do-not-send="true"
href="http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials"
                                        target="_blank">http://midpoint.evolve<wbr>um.com/xml/ns/public/security/<wbr>authorization-ui-3#selfCredent<wbr>ials</a></action></div>
                                    <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">   </span></authorization></div>
                                    <div><span class="m_-5603245889074287488m_-5101288925844589496gmail-Apple-tab-span" style="white-space:pre-wrap">   </span>...</div>
                                    <div></role></div>
                                  </div>
                                  <div><br>
                                  </div>
                                  <div>Thanks in Advance</div>
                                  <div><br>
                                  </div>
                                  <div>
                                    <div
                                      class="m_-5603245889074287488m_-5101288925844589496gmail_signature">
                                      <div dir="ltr">
                                        <div>
                                          <div dir="ltr">
                                            <div>
                                              <div dir="ltr">
                                                <div>
                                                  <div dir="ltr">
                                                    <div>
                                                      <div dir="ltr"><b><span></span><span></span>Ing.
                                                          Martín
                                                          Marchese</b><br>
                                                        <img
                                                          moz-do-not-send="true"
src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>
                                                        Jorge Newbery
                                                        3226<br>
                                                        Tel: +54 (11)
                                                        4552-3050<br>
                                                        <a
                                                          moz-do-not-send="true"
href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a><br>
                                                        <a
                                                          moz-do-not-send="true"
href="http://www.identicum.com" target="_blank">www.identicum.com</a></div>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                                <br>
                                <fieldset
                                  class="m_-5603245889074287488m_-5101288925844589496mimeAttachmentHeader"></fieldset>
                                <br>
                                <pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
      </blockquote>
      

      

      <fieldset class="m_-5603245889074287488m_-5101288925844589496mimeAttachmentHeader"></fieldset>
      

      <pre>______________________________<wbr>_________________
midPoint mailing list
<a moz-do-not-send="true" class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="m_-5603245889074287488m_-5101288925844589496moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
    </blockquote>
    

  </div></div></div>


______________________________<wbr>_________________

midPoint mailing list

<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>

<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>


</blockquote></div>
</div></div></div>

______________________________<wbr>_________________

midPoint mailing list

<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>

<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a>


</blockquote></div>
</div>


<fieldset class="mimeAttachmentHeader"></fieldset>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>

</blockquote>
</body></html>