<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Ivan, we found the assignment properties and we also extended the AssignmentType for another project, but we don't know how to specify in a role definition that a property on the assignment is mandatory. Is there any way to do that?</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">On the other hand, we are working on a REST connector and I couldn't find any example of how to access the assignment parameters when provisioning the role to the resource.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regarding the issue at Jira, what does Evolveum need to continue the development? Maybe we can find some support from our customers to achieve that. 
</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Kind regards,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Fri, Jun 29, 2018 at 4:03 AM Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    <p>Hi Nicolas,</p>
    <p>when I was working with parametric roles, I was using an approach
      which I described here:
      <a class="m_4974245802337387919moz-txt-link-freetext" href="https://evolveum.com/blog/working-multi-tenant-roles/" target="_blank">https://evolveum.com/blog/working-multi-tenant-roles/</a></p>
    <p>(The screenshots are from old midpoint :-) but you should get the
      message.)</p>
    <p>By default you can assign roles with parameters: orgRef or
      tenantRef:</p>
    <p>- orgRef: you select (probably any) of the organizations in
      midPoint to be the parameter</p>
    <p>- tenantRef: you select any organization marked as tenant in
      midPoint to be the parameter</p>
    <p>This might help you as it is (we were / are using this in
      multiple deployments).<br>
    </p>
    <p>What we definitely want is to make this more configurable and
      extensible. But I'm sure Radovan will provide more on this topic.<br>
    </p>
    <p>I believe the feature is tracked here:
      <a class="m_4974245802337387919moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-3515" target="_blank">https://jira.evolveum.com/browse/MID-3515</a><br>
    </p>
    Best regards,<br>
    Ivan<br>
    <br>
    <div class="m_4974245802337387919moz-cite-prefix">On 29.06.2018 00:11, Nicolas Rossi
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
          guys, </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">We
          are working with a customer who needs to define some roles with
          parameters to prevent a role explosion scenario. I have found
          a lot of references to this issue on the wiki (<a href="https://wiki.evolveum.com/display/midPoint/Role+Explosion" target="_blank">here</a>, <a href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles" target="_blank">here</a> and <a href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments" target="_blank">here</a>). There were also <a href="https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html" target="_blank">similar question</a>s on the mailing
          list a few years ago where Radovan explains that it was designed
          but not implemented.</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Regarding
          Radovan's explanation, I am not sure if we should extend the
          AssociationType to add custom parameters or if we should
          define role parameters (couldn't find any example in the
          documentation).</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">On
          the UI, when an end user requests a new role, he can define
          properties on the assignment (parameters) for each role,
          but... is there any way to define that some properties /
          parameters are required so the user can't request the role
          without specifying some value for that parameter?</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
          apologize in advance for the lengthy e-mail</div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
        </div>
        <div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Thanks,</div>
        <div>
          <div dir="ltr" class="m_4974245802337387919gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div>
                            <div dir="ltr">
                              <div>
                                <div dir="ltr">
                                  <div>
                                    <div dir="ltr">
                                      <div>
                                        <div dir="ltr"><font face="arial, helvetica,
                                            sans-serif"><br>
                                            <br>
                                            <font color="#444444">Ing
                                              Nicolás Rossi</font><br>
                                            <font color="#999999">Identicum
                                              S.A.</font><br>
                                            <font color="#999999">Jorge
                                              Newbery 3226</font><br>
                                            <font color="#999999">Tel:
                                              +54 (11) 4552-3050</font><br>
                                            <font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </div>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <br>
      <pre>_______________________________________________
midPoint mailing list
<a class="m_4974245802337387919moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_4974245802337387919moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
    <br>
    <pre class="m_4974245802337387919moz-signature" cols="72">-- 
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
  </div>

</blockquote></div>