<div dir="ltr">Pavol,<div><br></div><div>We've chosen to refrain from implementing the org hierarchy until we're in a position to migrate to 3.6.</div><div>I'll tell you how it goes when that happens!</div><div><br></div><div>Thanks for your insights and concern.<br></div><div>Regards,</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><br></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><b>Rodrigo Yanis.</b><br><img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br></font>Jorge Newbery 3226<br>Tel: +54 (11) 4552-3050<font face="arial, helvetica, sans-serif"><br><a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br><a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">2017-04-03 14:37 GMT-03:00 Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Rodrigo,</p>
<p>I have looked at the source code for 3.5. Your observations
correlate well with the sources:</p>
<p><a href="https://github.com/Evolveum/midpoint/blob/support-3.5/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java#L758" target="_blank">https://github.com/Evolveum/midpoint/blob/support-3.5/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentEvaluator.java#L758</a></p>
<p>In order for authorizations to be applied, the summary evaluation order
should be 1. So now I see why an unbounded max order does not work. <br>
</p>
<p>Unfortunately, I don't see an easy fix, other than setting
<authorization> on each org struct element, or inducing a
role carrying this <authorization> from each org struct
element. As far as I know, this could be achieved automatically
using an object template - not a very elegant solution, but it might
work. <br>
</p>
<p>Or, maybe someone else has a nicer workaround for this.</p>
<p>(I briefly thought of fixing this in the 3.5 support branch but -
honestly - I'm afraid of making any significant changes to the
non-refactored AssignmentEvaluator. In 3.6 this will certainly
work.)<br>
</p>
<p>Best regards,<br>
</p><span class="">
<pre class="m_5258961181874473473moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span><div><div class="h5"><div class="m_5258961181874473473moz-cite-prefix">On 03.04.2017 18:40, Rodrigo Yanis
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Pavol,
<div><br>
</div>
<div>That is exactly the case I was describing, yes. Thanks for
your thorough explanation. I tried your recommendation by
configuring the inducement to the role with an unbounded max
order, as well as the minimum order set to 1 - unfortunately
this didn't work. We are currently running under midPoint 3.5.</div>
<div>I've been trying a few other scenarios too, and I was able
to successfully propagate authorizations inheritance under the
following model:</div>
<div><br>
</div>
<pre>OrgA (Root Org)
  |
 [A]
  |
OrgB-----[I]----->OrgA
  |
 [A]
  |
User
</pre>
<br>
Only by inducing OrgA into OrgB did the inheritance work. I also
tried adding a new OrgC as a child of OrgB, and authorizations
would work only after inducing OrgB into OrgC.
<div><br>
</div>
<div>Thanks again<br>
<div><br>
</div>
</div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_5258961181874473473gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><b>Rodrigo Yanis.</b><br>
<img src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font face="arial,
helvetica, sans-serif"><br>
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">2017-03-31 18:01 GMT-03:00 Pavol
Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Hello Rodrigo,</p>
<p>so you have something like this</p>
<pre>OrgA -----[I]-----> RoleA
 ^
 |
 |
OrgB
 ^
 |
 |
user
</pre>
<p>"I" means inducement. Unlabeled edges are assignments.
Although it may seem strange to you, imagine the same
situation, but this time dealing with roles and
metaroles:</p>
<pre>MetaroleA -----[I]-----> MetaroleB    .... "level 2"
 ^
 |
 |
Pirate                                .... "level 1"
 ^
 |
 |
jack                                  .... "level 0"
</pre>
<p>Now it's quite clear that the content (constructions,
focus mappings, ...) attached to MetaroleB via simple
inducements should not be applied to jack, but to the
Pirate role. The reason is: <br>
</p>
<ol>
<li>They reside at the level of "evaluation order 2".</li>
<li>The inducement itself is a standard one (with the
order=1).</li>
<li>So the content of the inducement (constructions,
focus mappings, ...) applies to level 2-1 = 1, i.e.
role Pirate.</li>
</ol>
<p>In the second case you'd need to use
<order>2</order> for inducements to apply
them to level 0, i.e. jack.</p>
<p>But what about your original case with organizations?</p>
<p>Here the situation is more complex, because you don't
know the resulting level of RoleA: it depends on the
number of organizational levels. However, for such cases
midPoint provides the "orderConstraint" element for
inducements. In 3.5, you could specify your RoleA
inducement with:</p>
<pre><orderConstraint>
  <minOrder>1</minOrder>
  <maxOrder>unbounded</maxOrder>
</orderConstraint>
<focusType>UserType</focusType>   <!-- to disallow applying Role1 to organizations -->
</pre>
<p>As far as I know, this should work.</p>
<p>In 3.6 there are some changes, fixes, and
clarifications for this mechanism, so minor changes
would be needed.</p>
<p>If you want a more technical description (relevant to
3.6), here it is: <a href="https://github.com/Evolveum/midpoint/blob/master/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java#L72" target="_blank">https://github.com/Evolveum/midpoint/blob/master/model/model-impl/src/main/java/com/evolveum/midpoint/model/impl/lens/AssignmentPathSegmentImpl.java#L72</a><br>
</p>
<p>Hope this helps,<br>
</p>
<span>
<pre class="m_5258961181874473473m_3654158347829956826moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span>
<div>
<div class="m_5258961181874473473h5">
<div class="m_5258961181874473473m_3654158347829956826moz-cite-prefix">On
31.03.2017 22:41, Rodrigo Yanis wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Pavol,
<div><br>
</div>
<div>Furthering on this issue - while removing <b style="font-size:12.8px"><focusType>UserType</focusType></b><span style="font-size:12.8px"> from the
inducement definition solves authorization
inheritance for when the user is assigned to
the Org in which the inducement is defined,
this doesn't seem to apply to the assignment of
Orgs that are children of this Org.</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">For example,
Org A defines an inducement to role A with authorization
definitions, Org B is then set to be a child of
Org A, and Org B is then assigned to the user. The user is
indirectly assigned to role A, but the
authorization does not work.</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Furthermore,
if we define authorizations directly in Org
A, and then assign Org B (child of A) to the user,
the authorizations are not inherited.</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Can you think
of any workaround for this scenario?</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">Thanks,</span></div>
</div>
<div class="gmail_extra"><br clear="all">
<div>
<div class="m_5258961181874473473m_3654158347829956826gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div dir="ltr"><br>
</div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><b>Rodrigo
Yanis.</b><br>
<img src="http://www.identicum.com/img/favicon.ico">Identicum
S.A.<br>
</font>Jorge Newbery 3226<br>
Tel: +54 (11) 4824-9971<font face="arial, helvetica,
sans-serif"><br>
<a href="mailto:ryanis@identicum.com" target="_blank"><font color="#0b5394">ryanis@identicum.com</font></a><br>
<a href="http://www.identicum.com/" target="_blank"><font color="#0b5394">www.identicum.com</font></a></font></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<div class="gmail_quote">2017-01-10 10:08
GMT-03:00 Martin Marchese <span dir="ltr"><<a href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks Pavol for your answer. I
just created a JIRA for this.</div>
<div class="gmail_extra"><span><br clear="all">
<div>
<div class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><b><span></span><span></span>Ing.
Martín Marchese</b><br>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>
Jorge Newbery 3226<br>
Tel: +54 (11)
4552-3050<br>
<a href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a><br>
<a href="http://www.identicum.com" target="_blank">www.identicum.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</span>
<div>
<div class="m_5258961181874473473m_3654158347829956826h5">
<div class="gmail_quote">On Mon, Jan 9,
2017 at 10:45 AM, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>Well... to be more precise:
focusType check at that line
expects that the focus type is
present in LensContext. But, for
the purpose of evaluation of
user assignments during login,
the focus type in LensContext is
not filled-in.</p>
<p>Please write the JIRA and we'll
fix that.<br>
</p>
<span>
<pre class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span>
<div>
<div class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488h5">
<div class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On
09.01.2017 14:41, Pavol
Mederly wrote:<br>
</div>
<blockquote type="cite">
<p>Martin,</p>
<p>I've played with your
case for a while and it
seems that <b><focusType>UserType</focusType></b>
is the problem. After
removing it, the
authorizations are
propagated correctly.<br>
<p>I'm not sure why it is
so, as it should work, as
far as I know. I suspect a
bug at
AssignmentEvaluator:682,
but I'm not sure.<br>
</p>
<p>Maybe you could file a
JIRA for this.<br>
</p>
<pre class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488m_-5101288925844589496moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488m_-5101288925844589496moz-cite-prefix">On
03.01.2017 19:10, Martin
Marchese wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Hi All,</div>
<div><br>
</div>
<div>Within our MidPoint
3.5 deployment, we
have created an Org
Structure which
induces a role to
users.</div>
<div><br>
</div>
<div>This role contains all kinds of authorizations for users (REST access, GUI access, etc).</div>
<div><br>
</div>
<div>Once the
organization is
assigned to a user, it
gets the role assigned
but not the
authorizations.
However, if we assign
the role directly to
the user, all the
authorizations are
assigned OK.</div>
<div><br>
</div>
<div>I was wondering if there is any kind of order for authorizations (as there is for inducements), or anything that we might be missing in our objects?</div>
<div><br>
</div>
<div>Below are examples of what our Org and Role look like:</div>
<div><br>
</div>
<div><br>
</div>
<div>Org:</div>
<div>-----</div>
<pre><org oid="00000000-0000-1de4-0009-000000000001">
  <name>MEGC</name>
  ...
  <inducement id="6">
    <targetRef oid="00000000-0000-1de4-0003-000000000001" type="RoleType"></targetRef>
    <orderConstraint>
      <orderMax>unbounded</orderMax>
    </orderConstraint>
    <focusType>UserType</focusType>
  </inducement>
  ...
</org>
</pre>
<div><br>
</div>
<div>Role:</div>
<div>-------</div>
<pre><role oid="00000000-0000-1de4-0003-000000000001"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>MidPoint Custom User</name>
  <roleType>APPLICATION</roleType>
  <authorization>
    <description>Permisos GUI</description>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfDashboard</action>
    <action>http://midpoint.evolveum.com/xml/ns/public/security/authorization-ui-3#selfCredentials</action>
  </authorization>
  ...
</role>
</pre>
<div><br>
</div>
<div>Thanks in advance</div>
<div><br>
</div>
<div>
<div class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488m_-5101288925844589496gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><b><span></span><span></span>Ing.
Martín
Marchese</b><br>
<img src="http://www.identicum.com/img/favicon.ico">Identicum S.A.<br>
Jorge Newbery
3226<br>
Tel: +54 (11)
4552-3050<br>
<a href="mailto:mmarchese@identicum.com" target="_blank">mmarchese@identicum.com</a><br>
<a href="http://www.identicum.com" target="_blank">www.identicum.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<br>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488m_-5101288925844589496moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_5258961181874473473m_3654158347829956826m_-5603245889074287488m_-5101288925844589496moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
</blockquote>
</div></div></div>
</blockquote></div>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
</blockquote></div>
</div>
</blockquote>
</div></div></div>
<br></blockquote></div><br></div>
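<p>A constructed Python model of the evaluation-order arithmetic Pavol describes in the 2017-03-31 message, added here and not part of the thread or of midPoint: an assignment moves the target one level up, an inducement of order k applies its content k levels below the inducing object, and (the 3.5 behaviour Pavol later confirms in the source) authorizations take effect only when the summary evaluation order is 1. That reading of the rules is an assumption, and the <code>Edge</code>/<code>Obj</code> types and the <code>metarole_example</code>/<code>org_example</code> graphs are illustrative constructions; the model reproduces both the metarole case (order 1 applies to Pirate, order 2 to jack) and Rodrigo's finding that only inducing OrgA into OrgB makes RoleA's authorizations reach the user.</p>

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed model of the thread's evaluation-order rules; not midPoint code.

@dataclass
class Edge:
    target: str
    inducement_order: Optional[int] = None  # None = assignment, int = inducement <order>

@dataclass
class Obj:
    name: str
    edges: List[Edge] = field(default_factory=list)
    has_authorizations: bool = False

def walk(graph: Dict[str, Obj], focus: str) -> List[Tuple[str, int, str]]:
    """Return (object, level, holder) for everything reachable from `focus`: `level` is
    the summary evaluation order of the segment that reached it (focus = 0, a directly
    assigned role = 1), `holder` the object one level below that its content applies to."""
    found = []
    stack = [[(focus, 0)]]  # each entry is a path of (name, level) pairs
    while stack:
        path = stack.pop()
        name, level = path[-1]
        for edge in graph[name].edges:
            if edge.inducement_order is None:
                new_level = level + 1  # assignment: target is one level up
            else:  # inducement of order k: target lands k-1 levels below the inducer
                new_level = level - edge.inducement_order + 1
            if new_level < 1 or any(n == edge.target for n, _ in path):
                continue  # nothing left to apply it to, or a cycle
            holder = next(n for n, lvl in reversed(path) if lvl == new_level - 1)
            found.append((edge.target, new_level, holder))
            stack.append(path + [(edge.target, new_level)])
    return found

def holder_of(graph: Dict[str, Obj], focus: str, target: str) -> str:
    """Object on the path that the content of `target` is applied to."""
    return next(h for o, _, h in walk(graph, focus) if o == target)

def effective_authorizations(graph: Dict[str, Obj], focus: str) -> List[str]:
    """Roles whose authorizations reach `focus`: in 3.5 the summary order must be 1."""
    return sorted({o for o, level, _ in walk(graph, focus)
                   if graph[o].has_authorizations and level == 1})

def metarole_example(order: int) -> Dict[str, Obj]:
    """jack -> Pirate -> MetaroleA --[I]--> MetaroleB --[I, order]--> Construction."""
    return {
        "jack": Obj("jack", [Edge("Pirate")]),
        "Pirate": Obj("Pirate", [Edge("MetaroleA")]),
        "MetaroleA": Obj("MetaroleA", [Edge("MetaroleB", 1)]),
        "MetaroleB": Obj("MetaroleB", [Edge("Construction", order)]),
        "Construction": Obj("Construction"),
    }

def org_example(induce_parent: bool) -> Dict[str, Obj]:
    """user -> OrgB -> OrgA --[I]--> RoleA; induce_parent adds Rodrigo's OrgB --[I]--> OrgA."""
    orgb = [Edge("OrgA")] + ([Edge("OrgA", 1)] if induce_parent else [])
    return {
        "user": Obj("user", [Edge("OrgB")]),
        "OrgB": Obj("OrgB", orgb),
        "OrgA": Obj("OrgA", [Edge("RoleA", 1)]),
        "RoleA": Obj("RoleA", has_authorizations=True),
    }
```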