<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi guys, we made some progress on this but we still have some doubts. We defined a "dummy" property on the user schema and we mapped an assignment parameter to this property:</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div>
<div class="gmail_default" style="font-size:small;color:rgb(68,68,68)"><font face="monospace, monospace">&lt;role&gt;</font></div>
<div class="gmail_default" style="font-size:small;color:rgb(68,68,68)"><font face="monospace, monospace">...</font></div>
<div class="gmail_default" style="font-size:small"><div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;inducement&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;construction&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;resourceRef oid="702ecc89-deba-4542-9618-5b9c8ba94abe" type="ResourceType"/&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;kind&gt;account&lt;/kind&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;attribute&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace"><font color="#444444"> &lt;ref&gt;</font><b><font color="#0000ff">ri:dummy</font></b><font color="#444444">&lt;/ref&gt;</font></font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;outbound&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;source&gt;</font></div>
<div class="gmail_default"><font face="monospace, monospace"><font color="#444444"> &lt;path&gt;</font><b><font color="#0000ff">$assignment/description</font></b><font color="#444444">&lt;/path&gt;</font></font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;/source&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;/outbound&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;/attribute&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;/construction&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace"> &lt;/inducement&gt;</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace">...</font></div>
<div class="gmail_default" style="color:rgb(68,68,68)"><font face="monospace, monospace">&lt;/role&gt;</font></div></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">When the role is assigned to the user, the connector receives an AddAttributeValue operation on the "roles" attribute and then an Update operation on the "dummy" attribute with the value defined on the assignment. It works fine, but it doesn't meet our requirements because we need the parameter value in the context of the AddAttributeValue operation.
</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br></div><div class="gmail_default"><font color="#444444" face="arial, helvetica, sans-serif" size="2">In the past we had a similar issue with the </font><a href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/googleapps/googleapps-resource.xml" style="color:rgb(68,68,68);font-family:arial,helvetica,sans-serif;font-size:small">Google Apps connector</a><font color="#444444" face="arial, helvetica, sans-serif" size="2"> because the groups membership also has an additional field to represent the relationship type (e.g. OWNER, MEMBER). Do you know where we can find some working examples of this configuration ? I mean a complex association between AccountObjectClass, GroupObjectClass and CustomMemberObjectClass.</font></div><div class="gmail_default"><font color="#444444" face="arial, helvetica, sans-serif" size="2"><br></font></div><div class="gmail_default">Thanks in advance,</div><div class="gmail_default"><font color="#444444" face="arial, helvetica, sans-serif" size="2"><br></font></div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jun 29, 2018 at 2:09 PM Nicolas Rossi <<a href="mailto:nrossi@identicum.com">nrossi@identicum.com</a>> wrote:<br></div><blockquote 
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Ivan, we found the assignment properties and we also extended the AssignmentType for another project, but we don't know how to specify in a role definition that a property on the assignment is mandatory. Is there any way to do that?</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">On the other hand we are working on a Rest Connector and I couldn't find any example to access the assignment parameters when provisioning the role to the resource.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regarding the issue at Jira, what does Evolveum need to continue the development? Maybe we can find some support from our customers to achieve that. 
</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Kind regards,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div><div dir="ltr" class="m_-2508070504232116415gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jun 29, 2018 at 4:03 AM Ivan Noris <<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>when I was working with parametric roles, I was using an approach
which I described here:
<a class="m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="https://evolveum.com/blog/working-multi-tenant-roles/" target="_blank">https://evolveum.com/blog/working-multi-tenant-roles/</a></p>
<p>(The screenshots are from old midpoint :-) but you should get the
message.)</p>
<p>By default you can assign roles with parameters: orgRef or
tenantRef:</p>
<p>- orgRef: you select (probably any) of the organizations in
midPoint to be the parameter</p>
<p>- tenantRef: you select any organization marked as tenant in
midPoint to be the parameter</p>
<p>This might help you as it is (we were / are using this in
multiple deployments).<br>
</p>
<p>What we definitely want is to make this more configurable and
extensible. But I'm sure Radovan will provide more on this topic.<br>
</p>
<p>I believe the feature is tracked here:
<a class="m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-3515" target="_blank">https://jira.evolveum.com/browse/MID-3515</a><br>
</p>
Best regards,<br>
Ivan<br>
<br>
<div class="m_-2508070504232116415m_4974245802337387919moz-cite-prefix">On 29.06.2018 00:11, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">We
are working on a customer who needs to define some roles with
parameters to prevent a role explosion scenario. I have found
a lot of references to this issue on the wiki (<a href="https://wiki.evolveum.com/display/midPoint/Role+Explosion" target="_blank">here</a>, <a href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles" target="_blank">here</a> and <a href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments" target="_blank">here</a>). There were also <a href="https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html" target="_blank">similar questions</a> on the mailing
list a few years ago where Radovan explains that it was designed
but not implemented.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Regarding
Radovan's explanation, I am not sure if we should extend the
AssociationType to add custom parameters or if we should
define role parameters (couldn't find any example in the
documentation).</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">On
the UI, when an end-user requests a new role, he can define
properties on the assignment (parameters) for each role,
but... is there any way to define that some properties /
parameters are required so the user can't request the role
without specifying some value for that parameter?</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
apologize in advance for the lengthy e-mail</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Thanks,</div>
</div>
<pre>_______________________________________________
midPoint mailing list
<a class="m_-2508070504232116415m_4974245802337387919moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_-2508070504232116415m_4974245802337387919moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
</blockquote></div>
</blockquote></div>