<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi!</p>
<p>Yes, but if the user has 2 or more accounts on this resource,
all accounts will receive the entitlement. I have to avoid this.<br>
The entitlements must be given independently for each account.</p>
<p>I see some workarounds:</p>
<p>1) Manually create the roles for account intents other than
default and update them when needed.<br>
- disadvantages: a lot of roles and a lot of changes. There are
100 resources of this kind, some of them contain more than one
account intent (1.5 on average) and 3 entitlement types, and every
type contains 20 entitlements on average. This makes
100 x 1.5 x 3 x 20 = 9000 roles for manual handling. Terrifying...</p>
<p>That's why I want to use synchronization tasks for importing and
updating the roles automatically.</p>
<p>2) Create another resource pointing to the same database for
another intent, so each account intent is handled by a separate
(fake) resource.<br>
In this case I can set up synchronization tasks for importing and
updating the same entitlements for every account intent.<br>
- disadvantages: the user changes laboratory, so the account
changes intent. It happens. On the resource side this is a simple
task: edit the user, pick the lab from a drop-down list, save. How
will midPoint see this? The user disappears from one resource and
appears on another. With full enforcement policy midPoint will try
to fix this situation and create an account for him in the old
intent. On the second resource the new account will be deleted.<br>
OK, so let's do it on the midPoint side: assign the account and
entitlements on the second resource and unassign the first one.
MidPoint will delete the account on the first and create a new one
on the second, as for midPoint there are 2 independent resources.
This is the wrong way.</p>
<p>3) This is a ScriptedSQL resource, so in the Groovy scripts I
can make multiple ObjectClasses for the entitlements pointing to
the same database objects. In midPoint I will see the same
entitlements multiple times, each with a different ObjectClass. So
I can use it to import and synchronize roles for different account
intents. When the entitlement in the resource database is changed,
synchronization will work for every objectClass.<br>
- disadvantages: I have to think a little bit, as I invented it
just a moment ago.</p>
<p>Best regards!<br>
Wojciech Staszewski</p>
<div class="moz-cite-prefix">On 29.12.2017 at 19:36, Alcides
Carlos de Moraes Neto wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMLLNmnAke3EOLNZZ0CP9e1zrfa+QQcf400OajZT2_KW4RF4Bw@mail.gmail.com">
<div dir="ltr">
<div>If you assign a Role that gives Entitlement X to User Y
with weak strength, only the existing account(s) for User Y
will receive the entitlement.</div>
<div>Having multiple weak inducements will work I think.<br>
</div>
<div><br>
</div>
<div>I have a similar setup, but it's the other way around -
multiple intents for entitlements induced from Org, only one
for account intent associated to User.</div>
<div>I have multiple inducements in a Meta-role that I assign to
Orgs.<br>
</div>
<div><br>
</div>
You can also use a condition expression to further filter them.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-12-29 13:40 GMT-02:00 Wojciech
Staszewski <span dir="ltr"><<a
href="mailto:wojciech.staszewski@diagnostyka.pl"
target="_blank" moz-do-not-send="true">wojciech.staszewski@diagnostyka.pl</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi!</p>
<p>I thought about adding multiple first order inducements
for each account intent with weak strength to the
"associationFromLink" metarole,<br>
but what if the accounts (of one user in multiple
intents) must have different privileges (entitlements)?<br>
When I assign a role that gives entitlement X, it will
be applied to every user account on this resource, I
think.</p>
<p>Another way I tried is to assign the
"associationFromLink" metarole to the role that
provisions account creation,<br>
and the role with linkRef pointing to the entitlement
shadow as a separate user assignment, but it doesn't work.<br>
I think (but I don't know exactly) that
"associationFromLink" is limited to one assignment chain
so the linkRef and associationFromLink<br>
must be in the same chain. But maybe I'm wrong...?<br>
</p>
<p>I'm stuck here and see no good solution for now.</p>
<p>Best regards!<br>
WS<br>
</p>
<br>
<div class="m_-4524291109522537451moz-cite-prefix">On
29.12.2017 at 15:08, Alcides Carlos de Moraes Neto wrote:<br>
</div>
<div>
<div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div>Hi WS,<br>
<br>
</div>
In your role template, have you tried adding
multiple inducements with an association for each
entitlement? I don't see why that wouldn't work.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2017-12-28 13:54
GMT-02:00 Wojciech Staszewski <span dir="ltr"><<a
href="mailto:wojciech.staszewski@diagnostyka.pl" target="_blank"
moz-do-not-send="true">wojciech.staszewski@<wbr>diagnostyka.pl</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">Hello!<br>
<br>
I'm looking for the correct way to import resource
entitlements into midPoint roles.<br>
<br>
For now I'm doing this as follows:<br>
1) create schema handling for entitlement.<br>
2) create synchronization.<br>
3) At the "unmatched->addFocus"
synchronization step I connect a role
template. The template assigns metaroles to
the imported roles for:<br>
a) association from link (as the imported
roles are just linkRef only),<br>
b) approval schema,<br>
c) and assigns correct OrgUnit in the role
catalog, based on resource, role type and
other "things".<br>
<br>
That works just perfectly, but for one account
intent only. The account intent is statically
specified in the "association from link" metarole
in the first order inducement.<br>
If it is not, the metarole works for the "default"
account intent.<br>
But I have 8 account intents in this resource,
and every account must be associated with the
entitlements regardless of the intent.<br>
<br>
I tried to make more than one
"unmatched->addFocus" synchronization
reaction with different role templates,<br>
in the hope of importing 8 roles from one
entitlement for different account intents, but
midPoint warns me: "Duplicated reactions
[...]".<br>
I cannot just add multiple "actions" to one
reaction because I can apply only one template
to one reaction.<br>
<br>
And I don't know how to do it.<br>
Any ideas?<br>
Beer is on me for the help!<br>
<br>
Happy NY!<br>
WS<br>
______________________________<wbr>_________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com"
target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a><br>
<a
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
rel="noreferrer" target="_blank"
moz-do-not-send="true">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
<span class="HOEnZb"><font color="#888888">
<pre class="m_-4524291109522537451moz-signature" cols="72">--
Wojciech Staszewski
Network Systems Administrator
mobile: 663 680 236
<a class="m_-4524291109522537451moz-txt-link-abbreviated" href="http://www.diagnostyka.pl" target="_blank" moz-do-not-send="true">www.diagnostyka.pl</a>
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register)
NIP: 675-12-65-009; REGON: 356366975
Share capital: PLN 33,756,500.
Think about the environment before printing this e-mail.</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
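<p>As an added example (not part of the thread above and not midPoint's own sample configuration), the following metarole implements the suggestion of multiple weak inducements: one inducement per account intent, each a weak construction carrying the <code>associationFromLink</code> expression, so an account that already exists in that intent receives the association and no account is created where none exists. The resource OID, the intent names (<code>default</code>, <code>lab-a</code>, <code>lab-b</code>; the poster has 8), the association name <code>ri:group</code>, the entitlement intent <code>group</code> and the user extension property <code>lab</code> used in the condition are all assumptions. The inducements use order 2, as in the midPoint associationFromLink documentation for a metarole assigned to a role that users hold; adjust the order to match how the template attaches the metarole to the imported roles.</p>

```xml
<!--
  Added example, not from the thread or from midPoint's samples.
  A metarole the role template assigns to every role imported from an
  entitlement shadow. Each inducement is a WEAK construction for one
  account intent: it never creates an account, it only adds the
  association to an account that already exists in that intent.
  Assumed: resource OID, intent names, association ri:group,
  entitlement intent "group", user extension property "lab".
-->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      oid="11111111-2222-3333-4444-555555555555">
    <name>metarole-association-from-link-all-intents</name>

    <!-- account intent "default" -->
    <inducement>
        <construction>
            <resourceRef oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" type="ResourceType"/>
            <kind>account</kind>
            <intent>default</intent>
            <strength>weak</strength>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <!-- the entitlement shadow linked (linkRef) to the imported role -->
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <!-- order 2: the construction lands on the user holding the
             imported role, not on the imported role itself -->
        <order>2</order>
    </inducement>

    <!-- account intent "lab-a", additionally restricted to users whose
         (assumed) extension property "lab" equals "A" -->
    <inducement>
        <construction>
            <resourceRef oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" type="ResourceType"/>
            <kind>account</kind>
            <intent>lab-a</intent>
            <strength>weak</strength>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
        <condition>
            <expression>
                <script>
                    <code>basic.getExtensionPropertyValue(focus, 'lab') == 'A'</code>
                </script>
            </expression>
        </condition>
    </inducement>

    <!-- account intent "lab-b"; repeat this block once per remaining intent -->
    <inducement>
        <construction>
            <resourceRef oid="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" type="ResourceType"/>
            <kind>account</kind>
            <intent>lab-b</intent>
            <strength>weak</strength>
            <association>
                <ref>ri:group</ref>
                <outbound>
                    <expression>
                        <associationFromLink>
                            <projectionDiscriminator>
                                <kind>entitlement</kind>
                                <intent>group</intent>
                            </projectionDiscriminator>
                        </associationFromLink>
                    </expression>
                </outbound>
            </association>
        </construction>
        <order>2</order>
    </inducement>
</role>
```

<p>Because every construction is weak, a user with no account in a given intent is left alone; only accounts that already exist in one of the listed intents receive the association. This does not by itself solve the per-account problem raised at the top of the thread: a user with accounts in several of these intents gets the entitlement on all of them unless a condition, such as the one on the <code>lab-a</code> inducement, narrows the inducement to the users (or intents) that should actually hold it.</p>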
</body>
</html>