<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>as I said, this was the customer scenario and you are right that
the number of groups was still high - but that was because the
underlying systems using those groups were not directly
"tenant-oriented". This was the way which was (is) possible using
standard means, standard connectors.</p>
<p>In the described scenario the customer was also creating the
entitlements (groups) for e.g. AD. But there were other
applications, where the roles were created in the application
automatically and they were just returned by the connectors using
the search, so for each found tenant entitlement a shadow was
created in midPoint. Maybe the roles were not actually created -
but the connector was programmed to return a shadow so that it can be
used.</p>
<p>I will think of more possibilities, or some of my colleagues may
fill the gaps in this tenant-oriented scenario; but some of the
colleagues are certainly on their vacations. If I come up with
something, I will share.<br>
</p>
<p>Regarding sponsorship/subscription: feel free to contact Martina,
she will be certainly more capable in answering this aspect.</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<br>
<div class="moz-cite-prefix">On 02.07.2018 15:01, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAxX8cgAzej+HComWj-yheg-PU5PchKBNiJmUSgMcuunzZiTxQ@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Ivan, thank you for the information but I think this is not
the same scenario here. You evaluate the assignment parameters
to find a role / group on the target system and the resource
always receives an entitlement, no matter how it was
requested. In that way you prevent the role explosion in
midPoint but you have the cartesian product on the resource. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Our
customer has a lot of applications that use few roles but with
several parameters and we have to provide that context when
providing the entitlement. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">It
looks like the assignment configuration does not apply to our
requirement and we need parametric roles. The customer has a
deployment subscription not a platform one. We have to explore
the sponsoring model to this feature. Should I contact Martina
for that?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Kind
regards, </div>
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr"><font
face="arial, helvetica,
sans-serif"><br>
<br>
<font color="#444444">Ing
Nicolás Rossi</font><br>
<font color="#999999">Identicum
S.A.</font><br>
<font color="#999999">Jorge
Newbery 3226</font><br>
<font color="#999999">Tel:
+54 (11) 4552-3050</font><br>
<font color="#999999"><a
href="http://www.identicum.com"
target="_blank"
moz-do-not-send="true">www.identicum.com</a></font></font><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Jul 2, 2018 at 4:13 AM Ivan Noris <<a
href="mailto:ivan.noris@evolveum.com" moz-do-not-send="true">ivan.noris@evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>hmm, in my example (in blog and in real customer
deployment) I was constructing the "group membership"
(using associations) and the group was searched in the
target system using associationTargetSearch, where the
group name was parametrized.</p>
<p>I have simplified the association part (this was the .NET
AD connector originally) and emphasized the <b>tenantRef</b>
parameter. As in my case, I was constructing the group
name as icfs:name="cn=Readonly_<tenant_name>,..." I
needed to get the organization (tenant) object and get its
name first.</p>
<p><br>
</p>
<pre>. . .
<association>
    <ref>ri:adGroups</ref>
    <outbound>
        <source>
            <path>$assignment/<b>tenantRef</b></path>
        </source>
        <expression>
            <associationTargetSearch>
                <filter>
                    <q:equal>
                        <q:path>attributes/icfs:name</q:path> <!-- icfs:name because .NET AD connector -->
                        <expression>
                            <script>
                                <code>
if (!basic.isEmpty(<b>tenantRef</b>)) {
    org = midpoint.getOrgByOid(<b>tenantRef</b>?.getOid())
    if (org != null) return <b>'cn=ReadOnly_' + org?.getName() + ',ou=portal-groups,dc=example,dc=com'</b>
}
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
                <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
        </expression>
    </outbound>
</association>
. . .</pre>
<br>
The <searchStrategy> will only look up the group name
if the shadow for it does not exist in the repository, so it
will be quite fast for all except the very first time.<br>
<br>
In the example you refer to, you are setting resource
attribute "dummy" to the assignment description (which is of
course one of the assignment's parameters, too). It's not
setting anything related to roles. You need to combine in
the association outbound mapping.<br>
<br>
The outbound in association should return group DN or other
searchable attribute so that repository or provisioning can
search for the shadow object. And the group is identified by
whatever + assignment parameter of your choice. In my
previous example, the resource configuration for association
is (simplified) - again this is the old .NET AD connector,
so the attribute names might differ:<br>
<br>
<pre>    <association>
        <b><ref>ri:adGroups</ref></b>
        <tolerant>true</tolerant>
        <matchingRule>mr:stringIgnoreCase</matchingRule>
        <kind>entitlement</kind>
        <intent>group-portal-users</intent>
        <direction>objectToSubject</direction>
        <associationAttribute>ri:member</associationAttribute>
        <valueAttribute>icfs:name</valueAttribute>
        <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
        <shortcutAssociationAttribute>icfs:groups</shortcutAssociationAttribute>
        <shortcutValueAttribute>icfs:name</shortcutValueAttribute>
    </association></pre>
<br>
Of course I'm also constructing the groups, in this case,
intent group-portal, in the same resource.<br>
<br>
Best regards,<br>
Ivan<br>
<br>
<div class="m_-528169057880250456moz-cite-prefix">On
29.06.2018 23:20, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, we made some progress on this but we still have
some doubts. We defined a "dummy" property on the user
schema and we mapped an assignment parameter to this
property:</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<pre><role>
...
    <inducement>
        <construction>
            <resourceRef oid="702ecc89-deba-4542-9618-5b9c8ba94abe" type="ResourceType"/>
            <kind>account</kind>
            <attribute>
                <ref><b>ri:dummy</b></ref>
                <outbound>
                    <source>
                        <path><b>$assignment/description</b></path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>
...
</role></pre>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">When
the role is assigned to the user the connector
receives an AddAttributeValue operation on the "roles"
attribute and then an Update operation on the "dummy"
attribute with the value defined on the assignment. It
works fine but it doesn't meet our requirements
because we need the parameter value on the context of
the AddAttributeValue operation. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444">In the past
we had a similar issue with the </font><a
href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/googleapps/googleapps-resource.xml"
style="color:rgb(68,68,68);font-family:arial,helvetica,sans-serif;font-size:small"
target="_blank" moz-do-not-send="true">Google Apps
connector</a><font size="2" face="arial, helvetica,
sans-serif" color="#444444"> because the group
membership also has an additional field to represent
the relationship type (e.g. OWNER, MEMBER). Do you
know where we can find some working examples of this
configuration? I mean a complex association between
AccountObjectClass, GroupObjectClass
and CustomMemberObjectClass.</font></div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444"><br>
</font></div>
<div class="gmail_default">Thanks in advance,</div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444"><br>
</font></div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Jun 29, 2018 at 2:09 PM Nicolas
Rossi <<a href="mailto:nrossi@identicum.com"
target="_blank" moz-do-not-send="true">nrossi@identicum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Ivan, we found the assignment properties and we
also extended the AssignmentType for another project
but we don't know how to specify in a role
definition that a property on the assignment is
mandatory. Is there any way to do that?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">On
the other hand we are working on a Rest Connector
and I couldn't find any example to access the
assignment parameters when provisioning the role
to the resource.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regarding
the issue at Jira, what does Evolveum need to
continue the development? Maybe we can find some
support from our customers to achieve that. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Kind
regards,</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Jun 29, 2018 at 4:03 AM Ivan
Noris <<a href="mailto:ivan.noris@evolveum.com"
target="_blank" moz-do-not-send="true">ivan.noris@evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>when I was working with parametric roles, I
was using an approach which I described here:
<a
class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext"
href="https://evolveum.com/blog/working-multi-tenant-roles/"
target="_blank" moz-do-not-send="true">https://evolveum.com/blog/working-multi-tenant-roles/</a></p>
<p>(The screenshots are from old midpoint :-)
but you should get the message.)</p>
<p>By default you can assign roles with
parameters: orgRef or tenantRef:</p>
<p>- orgRef: you select (probably any) of the
organizations in midPoint to be the parameter</p>
<p>- tenantRef: you select any organization
marked as tenant in midPoint to be the
parameter</p>
<p>This might help you as it is (we were / are
using this in multiple deployments).<br>
</p>
<p>What we definitely want is to make this more
configurable and extensible. But I'm sure
Radovan will provide more on this topic.<br>
</p>
<p>I believe the feature is tracked here: <a
class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext"
href="https://jira.evolveum.com/browse/MID-3515" target="_blank"
moz-do-not-send="true">https://jira.evolveum.com/browse/MID-3515</a><br>
</p>
Best regards,<br>
Ivan<br>
<br>
<div
class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-cite-prefix">On
29.06.2018 00:11, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">We
are working with a customer who needs to
define some roles with parameters to
prevent role explosion scenario. I have
found a lot of references to this issue on
the wiki (<a
href="https://wiki.evolveum.com/display/midPoint/Role+Explosion"
target="_blank" moz-do-not-send="true">here</a>,
<a
href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles"
target="_blank" moz-do-not-send="true">here</a>
and <a
href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments"
target="_blank" moz-do-not-send="true">here</a>).
There were also <a
href="https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html"
target="_blank" moz-do-not-send="true">similar
question</a>s on the mailing list few
years ago where Radovan explains that it
was designed but not implemented.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Regarding
Radovan's explanation I am not sure if
we should extend the AssociationType to
add custom parameters or if we should
define role parameters (couldn't find any
example on the documentation).</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">On
the UI when an end-user requests a new
role, he can define properties on the
assignment (parameters) for each role,
but... is there any way to define that
some properties / parameters are required
so the user can't request the role without
specifying some value for that parameter?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
apologize in advance for the lengthy
e-mail</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Thanks,</div>
</div>
<br>
<fieldset
class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919mimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_-528169057880250456m_-2508070504232116415m_4974245802337387919moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
</blockquote>
<br>
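<p>An added model, written in Python rather than midPoint's Groovy, of the association outbound mapping and the searchStrategy behaviour Ivan describes in the thread; it is not code from the thread or from midPoint, and the Org and Assignment classes, ShadowResolver and the RFC 4514 escaping helper are assumptions of this example. It shows one parametric role producing one group DN per tenant (no per-tenant roles), the repository-first shadow lookup that makes the search fast after the first time, and escaping of the tenant name, which the thread's script concatenates into the DN unescaped.</p>

```python
"""Model (not midPoint code) of the association outbound mapping from the
thread: a role assigned with a tenantRef parameter becomes one AD group DN
per tenant, and the group shadow is looked up repository-first, as
searchStrategy=onResourceIfNeeded does."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 4514: characters that must be backslash-escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value so that a tenant name such as
    'Acme, Inc' cannot add or alter RDNs of the constructed group DN.
    (The Groovy in the thread concatenates org.getName() unescaped.)"""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class Org:
    oid: str
    name: str


@dataclass(frozen=True)
class Assignment:
    role: str                         # the single parametric role
    tenant_ref: Optional[str] = None  # OID of the tenant org ($assignment/tenantRef)


# Suffix taken from the script in the thread.
GROUP_DN_SUFFIX = ",ou=portal-groups,dc=example,dc=com"


def group_dn(assignment: Assignment, orgs: Dict[str, Org]) -> Optional[str]:
    """Same decision logic as the Groovy <code> block: no tenantRef or an
    unknown org yields no group; otherwise cn=ReadOnly_<tenant name>,<suffix>."""
    if not assignment.tenant_ref:
        return None
    org = orgs.get(assignment.tenant_ref)
    if org is None:
        return None
    return "cn=ReadOnly_" + escape_dn_value(org.name) + GROUP_DN_SUFFIX


class ShadowResolver:
    """Models associationTargetSearch with searchStrategy=onResourceIfNeeded:
    the repository (shadow store) is checked first and the resource is only
    searched when no shadow for that DN exists yet."""

    def __init__(self, resource_groups: Iterable[str]) -> None:
        self.resource_groups = set(resource_groups)  # DNs present on the resource
        self.shadows: Dict[str, str] = {}             # DN -> shadow OID (repository)
        self.resource_searches = 0

    def resolve(self, dn: str) -> Optional[str]:
        if dn in self.shadows:
            return self.shadows[dn]                   # fast path: repository hit
        self.resource_searches += 1                   # slow path: search the resource
        if dn not in self.resource_groups:
            return None                               # group not (yet) provisioned
        shadow_oid = "shadow-%d" % (len(self.shadows) + 1)
        self.shadows[dn] = shadow_oid
        return shadow_oid


def provision(assignments: Iterable[Assignment], orgs: Dict[str, Org],
              resolver: ShadowResolver) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (role, group DN, shadow OID) for each assignment."""
    result: List[Tuple[str, Optional[str], Optional[str]]] = []
    for a in assignments:
        dn = group_dn(a, orgs)
        shadow = resolver.resolve(dn) if dn else None
        result.append((a.role, dn, shadow))
    return result


if __name__ == "__main__":
    # Constructed sample data: one role, three tenants, two groups already on the resource.
    orgs = {"t1": Org("t1", "Alpha"), "t2": Org("t2", "Acme, Inc"), "t3": Org("t3", "Beta")}
    resolver = ShadowResolver(["cn=ReadOnly_Alpha" + GROUP_DN_SUFFIX,
                               "cn=ReadOnly_Acme\\, Inc" + GROUP_DN_SUFFIX])
    for row in provision([Assignment("portal-readonly", "t1"),
                          Assignment("portal-readonly", "t2"),
                          Assignment("portal-readonly", "t1"),
                          Assignment("portal-readonly", "t3"),
                          Assignment("portal-readonly")], orgs, resolver):
        print(row)
    print("resource searches:", resolver.resource_searches)
```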
</body>
</html>