<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi Ivan, thank you for the information, but I think this is not the same scenario here. You evaluate the assignment parameters to find a role / group on the target system and the resource always receives an entitlement, no matter how it was requested. In that way you prevent the role explosion in midPoint, but you have the cartesian product on the resource. </div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Our customer has a lot of applications that use few roles but with several parameters, and we have to provide that context when providing the entitlement. </div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">It looks like the assignment configuration does not apply to our requirement and we need parametric roles. The customer has a deployment subscription, not a platform one. We have to explore the sponsoring model for this feature. 
Should I contact Martina for that?</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Kind regards, </div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jul 2, 2018 at 4:13 AM Ivan Noris <<a href="mailto:ivan.noris@evolveum.com">ivan.noris@evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>hmm, in my example (in the blog and in a real customer deployment) I
was constructing the "group membership" (using associations), and
the group was searched in the target system using
associationTargetSearch, where the group name was parametrized.</p>
<p>I have simplified the association part (this was the .NET AD
connector originally) and emphasized the <b>tenantRef</b>
parameter. As, in my case, I was constructing the group name as
icfs:name="cn=Readonly_<tenant_name>,...", I needed to get
the organization (tenant) object and get its name first.</p>
<p><br>
</p>
<pre>. . .
<association>
    <ref>ri:adGroups</ref>
    <outbound>
        <source>
            <path>$assignment/<b>tenantRef</b></path>
        </source>
        <expression>
            <associationTargetSearch>
                <filter>
                    <q:equal>
                        <q:path>attributes/icfs:name</q:path> <!-- icfs:name because .NET AD connector -->
                        <expression>
                            <script>
                                <code>
if (!basic.isEmpty(<b>tenantRef</b>)) {
    org = midpoint.getOrgByOid(<b>tenantRef</b>?.getOid())
    if (org != null) return <b>'cn=ReadOnly_' + org?.getName() + ',ou=portal-groups,dc=example,dc=com'</b>
}
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
                <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
        </expression>
    </outbound>
</association>
. . .
</pre>
<br>
The <searchStrategy> will only look up the group name if the
shadow for it does not exist in the repository, so it will be quite fast
for all except the very first time.<br>
<br>
In the example you refer to, you are setting the resource attribute
"dummy" to the assignment description (which is of course one of the
assignment's parameters, too). It's not setting anything related to
roles. You need to combine it in the association outbound mapping.<br>
<br>
The outbound in the association should return the group DN or another
searchable attribute so that the repository or provisioning can search
for the shadow object. And the group is identified by whatever +
assignment parameter of your choice. In my previous example, the
resource configuration for the association is (simplified) - again this
is the old .NET AD connector, so the attribute names might differ:<br>
<br>
<pre><association>
    <b>&lt;ref>ri:adGroups&lt;/ref></b>
    <tolerant>true</tolerant>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>group-portal-users</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    <shortcutAssociationAttribute>icfs:groups</shortcutAssociationAttribute>
    <shortcutValueAttribute>icfs:name</shortcutValueAttribute>
</association>
</pre>
<br>
Of course I'm also constructing the groups, in this case, intent
group-portal, in the same resource.<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div class="m_-528169057880250456moz-cite-prefix">On 29.06.2018 23:20, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, we made some progress on this but we still have some
doubts. We defined a "dummy" property on the user schema and
we mapped an assignment parameter to this property:</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<pre><role>
...
    <inducement>
        <construction>
            <resourceRef oid="702ecc89-deba-4542-9618-5b9c8ba94abe" type="ResourceType"/>
            <kind>account</kind>
            <attribute>
                <ref><b>ri:dummy</b></ref>
                <outbound>
                    <source>
                        <path><b>$assignment/description</b></path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>
...
</role>
</pre>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">When
the role is assigned to the user, the connector receives an
AddAttributeValue operation on the "roles" attribute and then
an Update operation on the "dummy" attribute with the value
defined on the assignment. It works fine, but it doesn't meet
our requirements because we need the parameter value in the
context of the AddAttributeValue operation. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"><font size="2" face="arial, helvetica, sans-serif" color="#444444">In the past we had a
similar issue with the </font><a href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/googleapps/googleapps-resource.xml" style="color:rgb(68,68,68);font-family:arial,helvetica,sans-serif;font-size:small" target="_blank">Google Apps connector</a><font size="2" face="arial, helvetica, sans-serif" color="#444444">
because the group membership also has an additional field
to represent the relationship type (e.g. OWNER, MEMBER). Do
you know where we can find some working examples of this
configuration? I mean a complex association between
AccountObjectClass, GroupObjectClass
and CustomMemberObjectClass.</font></div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444"><br>
</font></div>
<div class="gmail_default">Thanks in advance,</div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444"><br>
</font></div>
<div>
<div dir="ltr" class="m_-528169057880250456gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Jun 29, 2018 at 2:09 PM Nicolas Rossi
<<a href="mailto:nrossi@identicum.com" target="_blank">nrossi@identicum.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Ivan, we found the assignment properties and we also
extended the AssignmentType for another project, but we don't
know how to specify in a role definition that a property
on the assignment is mandatory. Is there any way to do
that?</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">On
the other hand, we are working on a Rest Connector and I
couldn't find any example of accessing the assignment
parameters when provisioning the role to the resource.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regarding
the issue at Jira, what does Evolveum need to continue the
development? Maybe we can find some support from our
customers to achieve that. </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Kind
regards,</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div>
<div dir="ltr" class="m_-528169057880250456m_-2508070504232116415gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Jun 29, 2018 at 4:03 AM Ivan Noris
<<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>when I was working with parametric roles, I was using
an approach which I described here: <a class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="https://evolveum.com/blog/working-multi-tenant-roles/" target="_blank">https://evolveum.com/blog/working-multi-tenant-roles/</a></p>
<p>(The screenshots are from old midpoint :-) but you
should get the message.)</p>
<p>By default you can assign roles with parameters:
orgRef or tenantRef:</p>
<p>- orgRef: you select (probably any) of the
organizations in midPoint to be the parameter</p>
<p>- tenantRef: you select any organization marked as
tenant in midPoint to be the parameter</p>
<p>This might help you as it is (we were / are using
this in multiple deployments).<br>
</p>
<p>What we definitely want is to make this more
configurable and extensible. But I'm sure Radovan will
prove more on this topic.<br>
</p>
<p>I believe the feature is tracked here: <a class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-3515" target="_blank">https://jira.evolveum.com/browse/MID-3515</a><br>
</p>
Best regards,<br>
Ivan<br>
<br>
<div class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-cite-prefix">On
29.06.2018 00:11, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, </div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">We
are working with a customer who needs to define some
roles with parameters to prevent the role explosion
scenario. I have found a lot of references to this
issue on the wiki (<a href="https://wiki.evolveum.com/display/midPoint/Role+Explosion" target="_blank">here</a>,
<a href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles" target="_blank">here</a>
and <a href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments" target="_blank">here</a>).
There were also <a href="https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html" target="_blank">similar
questions</a> on the mailing list a few years ago
where Radovan explains that it was designed but
not implemented.</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Regarding
Radovan's explanation, I am not sure if we should
extend the AssociationType to add custom
parameters or if we should define role parameters
(couldn't find any example in the documentation).</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">On
the UI, when an end-user requests a new role, he
can define properties on the assignment
(parameters) for each role, but... is there any
way to define that some properties / parameters
are required so the user can't request the role
without specifying some value for that parameter?</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
apologize in advance for the lengthy e-mail</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Thanks,</div>
<div>
<div dir="ltr" class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font face="arial,
helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54
(11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
<pre class="m_-528169057880250456moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
</blockquote></div>
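The group-DN construction from Ivan's quoted associationTargetSearch script, modelled as an added example that is not code from the thread or from midPoint itself. In the deployment the mapping runs as the Groovy <code> block inside midPoint, where tenantRef comes from $assignment/tenantRef and midpoint.getOrgByOid() resolves the tenant org; here both are stubbed with constructed tenant data, and the tenant name is RFC 4514-escaped before it is spliced into the DN, which the original one-liner does not do.

```python
"""Offline model of the per-tenant ReadOnly group lookup discussed in the thread.

Added example. `get_org_by_oid` and `TENANT_ORGS` are constructed stand-ins for
midpoint.getOrgByOid() and the midPoint repository; `ObjectReference` and `Org`
are hypothetical minimal types, not midPoint's own classes.
"""
from dataclasses import dataclass
from typing import Optional

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' would start a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):  # leading/trailing spaces
            out.append('\\ ')
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


@dataclass(frozen=True)
class ObjectReference:
    """Hypothetical stand-in for the tenantRef assignment parameter."""
    oid: str


@dataclass(frozen=True)
class Org:
    """Hypothetical stand-in for a midPoint OrgType marked as a tenant."""
    oid: str
    name: str


# Constructed sample repository content: oid -> tenant org.
TENANT_ORGS = {
    "1111-aaaa": Org("1111-aaaa", "Acme"),
    "2222-bbbb": Org("2222-bbbb", "Evil, Inc"),   # name containing a DN special char
}


def get_org_by_oid(oid: str) -> Optional[Org]:
    """Stand-in for midpoint.getOrgByOid(); None when the oid is unknown."""
    return TENANT_ORGS.get(oid)


GROUP_BASE = "ou=portal-groups,dc=example,dc=com"


def readonly_group_dn(tenant_ref: Optional[ObjectReference]) -> Optional[str]:
    """Mirror of the <script> in the thread's associationTargetSearch filter.

    Returns the DN the icfs:name equality filter should search for, or None when
    the assignment carries no tenantRef or the referenced org does not exist,
    in which case no association value is produced (as in the original script,
    which simply returns nothing on those paths).
    """
    if tenant_ref is None:                      # basic.isEmpty(tenantRef)
        return None
    org = get_org_by_oid(tenant_ref.oid)        # midpoint.getOrgByOid(tenantRef?.getOid())
    if org is None:
        return None
    # Escaping keeps a tenant name containing ',' or '=' from adding an RDN and
    # thereby pointing the search at a different group than intended.
    return f"cn=ReadOnly_{escape_dn_value(org.name)},{GROUP_BASE}"


if __name__ == "__main__":
    for ref in (None, ObjectReference("1111-aaaa"), ObjectReference("2222-bbbb")):
        print(ref, "->", readonly_group_dn(ref))
```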