<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>I was happy too soon...<br>
      The entitlement assignment from this role works only with the intent
      marked as "default".</p>
    <p>Can I use an expression to calculate the intent?<br>
      In the documentation, in every example the intent is only declared
      statically.</p>
    <p>I tried to create an intent filter expression but I got errors:</p>
    <p><i>Internal object inconsistence, probably a parser bug: Neither
        value, expression nor raw element specified in property value
        PPV(null) (inducement/[2]/construction/intent in role: *******)</i></p>
    Regards!<br>
    WS<br>
    <br>
    <div class="moz-cite-prefix">On 02.12.2017 at 18:48, Wojciech Staszewski wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:18b53786-984b-0f3b-f2b8-3afd8956cfe8@diagnostyka.pl">
      <pre wrap="">Unfortunately the expression with "getExtensionReferenceValue()" doesn't
work; I don't know why.

But this is working:

<resourceRef relation="org:default" type="c:ResourceType">
    <filter>
        <q:inOid>
            <expression>
                <script>
                    <code>
                        val = basic.getPropertyValue(immediateRole, "extension/resourceRef");
                        return val;
                    </code>
                </script>
            </expression>
        </q:inOid>
    </filter>
    <resolutionTime>run</resolutionTime>
</resourceRef>

So I'm happy.
This was, at the moment, the biggest obstacle to finishing the most
important resource.

Best regards,
WS

On 28.11.2017 at 13:01, Pavol Mederly wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">Hello Wojciech,

while it is true that the query API was changed in 3.4, your code, i.e.

<resourceRef type="c:ResourceType">
    <filter>
        <q:inOid>
            <expression>
                <script>
                    <code>
                        val = basic.getExtensionReferenceValue(immediateRole,
                              "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
                        return val?.getOid()
                    </code>
                </script>
            </expression>
        </q:inOid>
    </filter>
    <resolutionTime>run</resolutionTime>
</resourceRef>

should not be affected by it. It should work as before.

Maybe you could try to log the value of the variable "val" to see if it is
filled in correctly.

Pavol Mederly
Software developer
evolveum.com

On 28.11.2017 11:14, Wojciech Staszewski wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">I noticed that since v3.4 the query API was changed. Maybe this is
a problem because the example provided by Katka Valalikova was taken
from an older version?
I assume that "filter:NONE" is the key and I have to construct a
correct ObjectFilter in the new manner using QueryBuilder? Am I right?

On 27.11.2017 at 19:14, Wojciech Staszewski wrote:
</pre>
          <blockquote type="cite">
            <pre wrap="">Hello!

I'm just trying this solution and ran into some trouble.

I have created a role, let's call it "Master"; this role has an extension
attribute "resourceRef", and it induces a basic resource account.
The value of this attribute is my resource OID.

Then I've created a metarole with the provided expression:

<resourceRef type="c:ResourceType">
    <filter>
        <q:inOid>
            <expression>
                <script>
                    <code>
                        val = basic.getExtensionReferenceValue(focus,
                              "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
                        return val?.getOid()
                    </code>
                </script>
            </expression>
        </q:inOid>
    </filter>
    <resolutionTime>run</resolutionTime>
</resourceRef>

This metarole is assigned to "Master". The Master role creates an account
with the required basic attributes, and the metarole gives the entitlements.
But the metarole's resourceRef expression does not resolve the resource
OID from the master role; these errors appear:

Got no target from repository, filter:NONE, class:class
com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType in
resolving resource.

I want to assign this single metarole to any of dozens of "master" roles
which assign resource accounts in dozens of identical systems, and it must
give the entitlement with the same icfs:name in each resource (this is
working already).

Am I missing something? Thanks!
WS


On 16.02.2017 at 09:16, Wojciech Staszewski wrote:
</pre>
            <blockquote type="cite">
              <pre wrap="">Thank you very much!
I'll try it. I can't promise that I'll try it today because I have
to use snapshots due to the translation process.
And because of that I have some stability issues (stack overflow
error when applying changes on a user and in reconciliation as well),
but I'll check it once these issues are fixed.

Best regards!
WS

On 16.02.2017 at 08:53, Katka Valalikova wrote:
</pre>
              <blockquote type="cite">
                <pre wrap="">Hi Wojciech,

in one of my environments I have a similar situation (if I
understood your problem correctly). I have hundreds of Unix
systems where I manage groups, users and their memberships in
groups. I use the following configuration.

1. I have midPoint Role A - this role has assigned metarole M(x),
which creates a group (G) on the target Linux system, and after Role A is
assigned to the user, it adds this user as a member of the Unix group
(G) created by the metarole M(x). In Role A I have an extension
attribute which contains a reference to the resource where all of
this should happen.
2. The configuration for the "dynamically" resolved resource ref
looks like the following:


  <inducement id="1">    <!-- create a Unix group on the target system
                              referenced from val.getOid(), with the name from
                              extension/ext:commonName -->
    <construction>
      <resourceRef type="c:ResourceType">
        <filter>
          <q:inOid>
            <expression>
              <script>
                <code>
                  val = basic.getExtensionReferenceValue(focus,
                        "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
                  return val?.getOid()
                </code>
              </script>
            </expression>
          </q:inOid>
        </filter>
        <resolutionTime>run</resolutionTime>
      </resourceRef>
      <kind>entitlement</kind>
      <intent>unixGroup</intent>
      <attribute>
        <c:ref>icfs:name</c:ref>
        <matchingRule xmlns:mr="http://prism.evolveum.com/xml/ns/public/matching-rule-3">mr:stringIgnoreCase</matchingRule>
        <outbound>
          <source>
            <name>commonName</name>
            <c:path xmlns:ext="http://midpoint.evolveum.com/xml/ns/custom/roleext">extension/ext:commonName</c:path>
          </source>
        </outbound>
      </attribute>
    </construction>
  </inducement>
  <inducement id="2">   <!-- assign the user to the group on the target
                             system referenced from val.getOid() -->
    <construction>
      <resourceRef type="c:ResourceType">
        <filter>
          <q:inOid>
            <expression>
              <script>
                <code>
                  val = basic.getExtensionReferenceValue(immediateRole,
                        "http://midpoint.evolveum.com/xml/ns/custom/roleext", "resourceRef")
                  return val?.getOid()
                </code>
              </script>
            </expression>
          </q:inOid>
        </filter>
        <resolutionTime>run</resolutionTime>
      </resourceRef>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <c:ref>ri:unixGroup</c:ref>
        <outbound>
          <strength>strong</strength>
          <expression>
            <associationFromLink>
              <projectionDiscriminator>
                <kind>entitlement</kind>
                <intent>unixGroup</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
    <focusType>UserType</focusType>
  </inducement>

You can maybe use something like this. In general, there is
support for resolving references to the resource (and even roles,
services, orgs) dynamically using a filter (and expression) instead
of a static reference (resourceRef, ...). Your expression can be
modified according to your needs. However, keep in mind that this
configuration can be used only if the target systems are the same
and have the same schema. In my case, all of the target systems are
Linux distributions with the same configuration.

Best regards,

Katarina Valalikova
Java Developer
evolveum.com

----- Original Message -----
From: "Wojciech Staszewski" <a class="moz-txt-link-rfc2396E" href="mailto:wojciech.staszewski@diagnostyka.pl"><wojciech.staszewski@diagnostyka.pl></a>
To: "midPoint General Discussion" <a class="moz-txt-link-rfc2396E" href="mailto:midpoint@lists.evolveum.com"><midpoint@lists.evolveum.com></a>
Sent: Tuesday, February 14, 2017 10:26:33 AM
Subject: [midPoint]  Metarole and resourceRef inheritance

Hello all!

I have a question, maybe stupid or maybe not:

- Why must a metarole have a "ResourceRef"? Can't it be inherited from
the "master" role?
   (I know the answer: "metarole is also a normal role..." etc.).

This would be useful with a large number of identical systems. I'd
like to have 30 metaroles that I could assign to any of 200
systems, rather than having to maintain 30x200 metaroles.
Access rights (roles, groups, privileges, "entitlements" in
general) are identical in each system; they are replicated from a
central server.
Any change that requires editing 30x200 roles will be a
nightmare to maintain.

Best regards,
Wojciech Staszewski
_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>

</pre>
              </blockquote>
            </blockquote>
          </blockquote>
        </blockquote>
      </blockquote>
    </blockquote>
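    <p>An added example, not part of this thread and not midPoint's own code: a small Python lint that parses a role definition and flags the two misconfigurations the thread runs into, a resourceRef filter expression without resolutionTime set to "run", and an expression nested inside intent (which midPoint rejects with the parser error quoted at the top). The sample role, its placeholder OID and the Groovy bodies are constructed for this example.</p>

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread), modelled on the thread's configuration:
# inducement 1 is the working pattern, inducement 2 omits resolutionTime,
# inducement 3 nests an expression inside <intent>, which the parser rejects.
SAMPLE_ROLE = """<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3">
  <inducement id="1"><construction>
    <resourceRef type="ResourceType"><filter><q:inOid><expression><script><code>
      return basic.getPropertyValue(immediateRole, "extension/resourceRef")?.getOid()
    </code></script></expression></q:inOid></filter><resolutionTime>run</resolutionTime></resourceRef>
    <kind>account</kind><intent>default</intent>
  </construction><order>2</order></inducement>
  <inducement id="2"><construction>
    <resourceRef type="ResourceType"><filter><q:inOid><expression><script><code>
      return basic.getPropertyValue(immediateRole, "extension/resourceRef")?.getOid()
    </code></script></expression></q:inOid></filter></resourceRef>
    <kind>account</kind><intent>default</intent>
  </construction><order>2</order></inducement>
  <inducement id="3"><construction>
    <resourceRef oid="PLACEHOLDER-RESOURCE-OID" type="ResourceType"/>
    <kind>account</kind>
    <intent><expression><script><code>return "default"</code></script></expression></intent>
  </construction></inducement>
</role>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the namespace URI from an ElementTree tag

def child(el, name):
    return next((c for c in el if local(c.tag) == name), None)

def lint_role(xml_text):
    """Return (inducement id, message) pairs for constructions that will not
    resolve the way the thread's working examples do."""
    findings = []
    for ind in ET.fromstring(xml_text).iter():
        cons = child(ind, "construction") if local(ind.tag) == "inducement" else None
        if cons is None:
            continue
        ind_id, ref, intent = ind.get("id", "?"), child(cons, "resourceRef"), child(cons, "intent")
        filt = child(ref, "filter") if ref is not None else None
        # resolutionTime=run defers the filter to run time; without it midPoint
        # resolves the reference at import, not per role as the thread relies on
        if filt is not None and any(local(e.tag) == "expression" for e in filt.iter()):
            rt = child(ref, "resolutionTime")
            if rt is None or (rt.text or "").strip() != "run":
                findings.append((ind_id, "resourceRef filter has an expression but resolutionTime is not 'run'"))
        # intent takes a literal only; a nested element here triggers the parser error
        if intent is not None and len(intent):
            findings.append((ind_id, "intent must be a static literal; a nested <expression> is rejected"))
    return findings
```

    <p>Running lint_role on a role exported from midPoint before import surfaces both problems without having to trigger them in a live evaluation.</p>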
  </body>
</html>