<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>hmm, in my example (in blog and in real customer deployment) I
was constructing the "group membership" (using associations) and
the group was searched in the target system using
associationTargetSearch, where the group name was parametrized.</p>
<p>I have simplified the association part (this was the .NET AD
connector originally) and emphasized the <b>tenantRef</b>
parameter. As in my case, I was constructing the group name as
icfs:name="cn=Readonly_<tenant_name>,..." I needed to get
the organization (tenant) object and get its name first.</p>
<p><br>
</p>
<pre>
. . .
<association>
    <b><ref>ri:adGroups</ref></b>
    <outbound>
        <source>
            <path>$assignment/<b>tenantRef</b></path>
        </source>
        <expression>
            <associationTargetSearch>
                <filter>
                    <q:equal>
                        <q:path>attributes/icfs:name</q:path> <!-- icfs:name because .NET AD connector -->
                        <expression>
                            <script>
                                <code>
if (!basic.isEmpty(<b>tenantRef</b>)) {
    org = midpoint.getOrgByOid(<b>tenantRef</b>?.getOid())
    if (org != null) return <b>'cn=ReadOnly_' + org?.getName() + ',ou=portal-groups,dc=example,dc=com'</b>
}
                                </code>
                            </script>
                        </expression>
                    </q:equal>
                </filter>
                <searchStrategy>onResourceIfNeeded</searchStrategy>
            </associationTargetSearch>
        </expression>
    </outbound>
</association>
. . .
</pre>
<br>
The <searchStrategy> will only look up the group name if the
shadow for it does not exist in repository, so it will be quite fast
for all except the very first time.<br>
<br>
In the example you refer to, you are setting resource attribute
"dummy" to the assignment description (which is of course one of the
assignment's parameters, too). It's not setting anything related to
roles. You need to combine in the association outbound mapping.<br>
<br>
The outbound in association should return group DN or other
searchable attribute so that repository or provisioning can search
for the shadow object. And the group is identified by whatever +
assignment parameter of your choice. In my previous example, the
resource configuration for association is (simplified) - again this
is the old .NET AD connector, so the attribute names might differ:<br>
<br>
<pre>
<association>
    <b><ref>ri:adGroups</ref></b>
    <tolerant>true</tolerant>
    <matchingRule>mr:stringIgnoreCase</matchingRule>
    <kind>entitlement</kind>
    <intent>group-portal-users</intent>
    <direction>objectToSubject</direction>
    <associationAttribute>ri:member</associationAttribute>
    <valueAttribute>icfs:name</valueAttribute>
    <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
    <shortcutAssociationAttribute>icfs:groups</shortcutAssociationAttribute>
    <shortcutValueAttribute>icfs:name</shortcutValueAttribute>
</association>
</pre>
<br>
Of course I'm also constructing the groups, in this case, intent
group-portal, in the same resource.<br>
<br>
Best regards,<br>
Ivan<br>
<br>
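<p>An added example, not Ivan's script from the thread: the same association outbound expression body, but with the tenant name escaped before it is concatenated into the group DN, so an organization name that contains DN special characters (comma, plus, quotes, backslash, angle brackets, semicolon, leading or trailing space) cannot produce a malformed or differently parsed DN. It assumes the setup shown above: the source path $assignment/tenantRef bound to the variable tenantRef, the midPoint expression libraries "midpoint" and "basic", and the constructed base suffix ou=portal-groups,dc=example,dc=com.</p>

```groovy
// Added example (not the original script from the thread): association outbound
// expression body that builds the group DN from the tenantRef assignment parameter.
// Assumes the setup above: variable tenantRef from source path $assignment/tenantRef,
// and the midPoint expression libraries "midpoint" and "basic".

// Escape one RDN attribute value according to RFC 4514 section 2.4, so a tenant
// name such as 'Acme, Inc.' becomes 'Acme\, Inc.' instead of splitting the DN.
def escapeRdnValue(String value) {
    def out = value.replace('\\', '\\\\')             // backslash first
    for (ch in [',', '+', '"', '<', '>', ';']) {      // other special characters
        out = out.replace(ch, '\\' + ch)
    }
    if (out.startsWith('#') || out.startsWith(' ')) { // leading '#' or space
        out = '\\' + out
    }
    if (out.endsWith(' ')) {                          // trailing space
        out = out.substring(0, out.length() - 1) + '\\ '
    }
    return out
}

// No tenant parameter on this assignment: return null so the association gets
// no value rather than a partially built DN.
if (basic.isEmpty(tenantRef)) {
    return null
}

def org = midpoint.getOrgByOid(tenantRef.getOid())
if (org == null) {
    return null   // tenant object no longer exists; do not build a group name for it
}

// Same naming convention as the thread; the base suffix is a constructed value.
return 'cn=ReadOnly_' + escapeRdnValue(org.getName().getOrig()) + ',ou=portal-groups,dc=example,dc=com'
```

<p>The escaped value is what the q:equal filter compares against attributes/icfs:name, so the group shadow lookup with searchStrategy onResourceIfNeeded works unchanged.</p>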
<div class="moz-cite-prefix">On 29.06.2018 23:20, Nicolas Rossi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAAxX8cgAN8A2kXdazFqjqsXGyvUA64Z3P0WbtqswHUoxVBG7vg@mail.gmail.com">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, we made some progress on this but we still have some
doubts. We defined a "dummy" property on the user schema and
we mapped an assignment parameter to this property:</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<pre>
<role>
...
    <inducement>
        <construction>
            <resourceRef oid="702ecc89-deba-4542-9618-5b9c8ba94abe" type="ResourceType"/>
            <kind>account</kind>
            <attribute>
                <ref><b>ri:dummy</b></ref>
                <outbound>
                    <source>
                        <path><b>$assignment/description</b></path>
                    </source>
                </outbound>
            </attribute>
        </construction>
    </inducement>
...
</role>
</pre>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">When
the role is assigned to the user, the connector receives an
AddAttributeValue operation on the "roles" attribute and then
an Update operation on the "dummy" attribute with the value
defined on the assignment. It works fine, but it doesn't meet
our requirements because we need the parameter value in the
context of the AddAttributeValue operation.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444">In the past we had a
similar issue with the </font><a
href="https://github.com/Evolveum/midpoint/blob/master/samples/resources/googleapps/googleapps-resource.xml"
style="color:rgb(68,68,68);font-family:arial,helvetica,sans-serif;font-size:small"
moz-do-not-send="true">Google Apps connector</a><font
size="2" face="arial, helvetica, sans-serif" color="#444444">
because the group membership also has an additional field
to represent the relationship type (e.g. OWNER, MEMBER). Do
you know where we can find some working examples of this
configuration? I mean a complex association between
AccountObjectClass, GroupObjectClass
and CustomMemberObjectClass.</font></div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444"><br>
</font></div>
<div class="gmail_default">Thanks in advance,</div>
<div class="gmail_default"><font size="2" face="arial,
helvetica, sans-serif" color="#444444"><br>
</font></div>
<div class="gmail_signature"><font face="arial, helvetica, sans-serif"><br>
<br>
<font color="#444444">Ing Nicolás Rossi</font><br>
<font color="#999999">Identicum S.A.</font><br>
<font color="#999999">Jorge Newbery 3226</font><br>
<font color="#999999">Tel: +54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Jun 29, 2018 at 2:09 PM Nicolas Rossi
<<a href="mailto:nrossi@identicum.com"
moz-do-not-send="true">nrossi@identicum.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Hi
Ivan, we found the assignment properties and we also
extended the AssignmentType for another project, but we don't
know how to specify in a role definition that a property
on the assignment is mandatory. Is there any way to do
that?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">On
the other hand we are working on a Rest Connector and I
couldn't find any example to access the assignment
parameters when provisioning the role to the resource.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regarding
the issue at Jira, what does Evolveum need to continue the
development? Maybe we can find some support from our
customers to achieve that. </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Kind
regards,</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br>
</div>
<div class="gmail_signature"><font face="arial, helvetica, sans-serif"><br>
<br>
<font color="#444444">Ing Nicolás Rossi</font><br>
<font color="#999999">Identicum S.A.</font><br>
<font color="#999999">Jorge Newbery 3226</font><br>
<font color="#999999">Tel: +54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Fri, Jun 29, 2018 at 4:03 AM Ivan Noris
<<a href="mailto:ivan.noris@evolveum.com"
target="_blank" moz-do-not-send="true">ivan.noris@evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Nicolas,</p>
<p>when I was working with parametric roles, I was using
an approach which I described here: <a
class="m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext"
href="https://evolveum.com/blog/working-multi-tenant-roles/"
target="_blank" moz-do-not-send="true">https://evolveum.com/blog/working-multi-tenant-roles/</a></p>
<p>(The screenshots are from old midpoint :-) but you
should get the message.)</p>
<p>By default you can assign roles with parameters:
orgRef or tenantRef:</p>
<p>- orgRef: you select (probably any) of the
organizations in midPoint to be the parameter</p>
<p>- tenantRef: you select any organization marked as
tenant in midPoint to be the parameter</p>
<p>This might help you as it is (we were / are using
this in multiple deployments).<br>
</p>
<p>What we definitely want is to make this more
configurable and extensible. But I'm sure Radovan will
provide more on this topic.<br>
</p>
<p>I believe the feature is tracked here: <a
class="m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext"
href="https://jira.evolveum.com/browse/MID-3515"
target="_blank" moz-do-not-send="true">https://jira.evolveum.com/browse/MID-3515</a><br>
</p>
Best regards,<br>
Ivan<br>
<br>
<div
class="m_-2508070504232116415m_4974245802337387919moz-cite-prefix">On
29.06.2018 00:11, Nicolas Rossi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Hi
guys, </div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">We
are working on a customer who needs to define some
roles with parameters to prevent a role explosion
scenario. I have found a lot of references to this
issue on the wiki (<a
href="https://wiki.evolveum.com/display/midPoint/Role+Explosion"
target="_blank" moz-do-not-send="true">here</a>,
<a
href="https://wiki.evolveum.com/display/midPoint/Advanced+Hybrid+RBAC#AdvancedHybridRBAC-ParametricRoles"
target="_blank" moz-do-not-send="true">here</a>
and <a
href="https://wiki.evolveum.com/display/midPoint/Assignment+Configuration#AssignmentConfiguration-ParametricAssignments"
target="_blank" moz-do-not-send="true">here</a>).
There were also <a
href="https://lists.evolveum.com/pipermail/midpoint/2013-July/000096.html"
target="_blank" moz-do-not-send="true">similar
question</a>s on the mailing list a few years ago
where Radovan explains that it was designed but
not implemented.</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Regarding
the Radovan explanation I am not sure if we should
extend the AssociationType to add custom
parameters or if we should define role parameters
(couldn't find any example on the documentation).</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">On
the UI, when an end-user requests a new role, he
can define properties on the assignment
(parameters) for each role, but... is there any
way to define that some properties / parameters
are required so the user can't request the role
without specifying some value for that parameter?</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">I
apologize in advance for the lengthy e-mail</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)"><br>
</div>
<div class="gmail_default"
style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(68,68,68)">Thanks,</div>
<div class="gmail_signature"><font face="arial, helvetica, sans-serif"><br>
<br>
<font color="#444444">Ing Nicolás Rossi</font><br>
<font color="#999999">Identicum S.A.</font><br>
<font color="#999999">Jorge Newbery 3226</font><br>
<font color="#999999">Tel: +54 (11) 4552-3050</font><br>
<font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br>
</div>
</div>
<br>
<br>
<pre>_______________________________________________
midPoint mailing list
<a class="m_-2508070504232116415m_4974245802337387919moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank" moz-do-not-send="true">midPoint@lists.evolveum.com</a>
<a class="m_-2508070504232116415m_4974245802337387919moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank" moz-do-not-send="true">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<pre class="m_-2508070504232116415m_4974245802337387919moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a href="http://evolveum.com" target="_blank" moz-do-not-send="true">evolveum.com</a>
</pre>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
evolveum.com
</pre>
</body>
</html>