<div dir="ltr"><div>Oh, Pavol, you explained this to me in a clear way. Thank you.</div><div><br></div><div>I have slightly different requirements and a different approach to solving this.</div><div>I should not care about the bronze role being assigned back, because it is only initial access.</div><div>I used the following approach:</div><div>In the object template I use a mapping with assignment with normal strength (see below).</div><div>I noticed that using normal strength for the target assignment in the mapping doesn't assign the Bronze role back even when emailAddress was changed.</div><div><br></div><div>Am I correct that I can use such an approach, or have I missed something?</div><div><br></div>
<pre>&lt;mapping id&gt;
    &lt;description&gt;Assigment to Mantis Basic role&lt;/description&gt;
    &lt;strength&gt;normal&lt;/strength&gt;
    &lt;source&gt;
        &lt;name&gt;emailAddress&lt;/name&gt;
        &lt;c:path&gt;$user/emailAddress&lt;/c:path&gt;
    &lt;/source&gt;
    &lt;expression&gt;
        &lt;value&gt;
            &lt;targetRef oid="f0cf82d0-fe50-4e89-a628-2e5a936de379" type="c:RoleType"/&gt;&lt;!--Bronze role--&gt;
        &lt;/value&gt;
    &lt;/expression&gt;
    &lt;target&gt;
        &lt;c:path&gt;assignment&lt;/c:path&gt;
    &lt;/target&gt;
    &lt;condition&gt;
        &lt;script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="c:ScriptExpressionEvaluatorType"&gt;
            &lt;code&gt;
emailAddress != null
            &lt;/code&gt;
        &lt;/script&gt;
    &lt;/condition&gt;
&lt;/mapping&gt;</pre>
</div><div class="gmail_extra"><br><div class="gmail_quote">On 2 July 2018 at 11:16, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello Oleksandr,</p>
<p>I assume that during normal operation, if bronze, silver or gold
role is unassigned, midPoint should automatically assign back the
bronze role.</p>
<p>Assuming that, three options come to my mind:</p>
<ol>
<li>Bind the role assignment to some user extension property,
let's call it e.g. "level". It would have three possible values
(bronze, silver, gold) - I assume this can be ensured by
defining it as a custom enum. And there would be two mappings:
(1) a weak mapping that assigns "bronze" value to "level" if it
has no value, (2) a strong mapping that creates a
bronze/silver/gold assignment based on the "level" value. This
means that all changes to these assignments have to go through
the "level" item, not via assignments themselves.<br>
</li>
<li>Write a custom <a href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks" target="_blank">scripting
hook</a> that would evaluate the user after each change, and
if it has no assignment to bronze/silver/gold role it would
assign the bronze role.</li>
<li>Write a custom <a href="https://wiki.evolveum.com/display/midPoint/Policy+Rules" target="_blank">policy
rule</a> that would fire if there's no assignment to
bronze/silver/gold role. Unfortunately, midPoint currently has
no way of specifying a "do something" policy action, except for
an ugly workaround via a custom "notify" action.</li>
</ol>
<p>So I would suggest either (1) or (2).</p>
<p>Hope this helps.<br>
</p><span class="">
<pre class="m_-4731538508633317565moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span><div><div class="h5"><div class="m_-4731538508633317565moz-cite-prefix">On 28.06.2018 15:18, Oleksandr Nekriach
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Pavol,<br>
Yes, and I want one of these radio-button roles to also be a
"basic" (initial) role. This basic-radio-button role should be
automatically assigned to all new users by the HR reconciliation
task.<br>
<br>
For example:<br>
<br>
<ul>
<li> the bronze role is a "basic" role and also a radio-button
role</li>
<li> thanks to the HR reconciliation task, every new user
will be assigned the bronze role as the "basic" role.</li>
<li> during the user life cycle, the user can be assigned
other radio-button roles manually by HelpDesk or by some
automatic processes, and Midpoint should remember such an
assignment</li>
<li> but the HR reconciliation should never fall back to the
"basic" role assignment if the user's current radio-button
assignment is different from the "basic" role (has the silver or gold
role)<br>
</li>
</ul>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 28 June 2018 at 12:38, Pavol Mederly
<span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello Oleksandr,</p>
<p>do you mean something like this? E.g. you have radio
button roles: bronze - silver - gold and you want to
ensure that a user always has exactly one of them
assigned? (e.g. bronze if neither silver nor gold)?</p>
<pre class="m_-4731538508633317565m_688872782710185640moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div class="m_-4731538508633317565h5">
<div class="m_-4731538508633317565m_688872782710185640moz-cite-prefix">On
22.06.2018 11:24, Oleksandr Nekriach wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_-4731538508633317565h5">
<div dir="ltr">
<div>Hi guys,</div>
<div><br>
</div>
<div>Does Midpoint have an elegant solution for
basic role assignment which is also a
radio-button role? <br>
</div>
<div>I have found that the assignment of a
basic-radio-button role by an object template
mapping (with weak strength) does not work if we
have other assignment mappings in the same
object template (for example OrgType
assignments).<br>
</div>
<div><br>
</div>
<div>Thank you in advance.</div>
<div> <br>
</div>
<div>-- <br>
<div class="m_-4731538508633317565m_688872782710185640gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr"><span style="color:#4c4c4c">Best
regards, </span></div>
<div dir="ltr"><br>
<span style="color:#4c4c4c"></span></div>
<div dir="ltr"><span style="color:#4c4c4c"><img src="cid:part5.A6D32997.E95BE3DC@evolveum.com"> <br>
<br>
Oleksandr Nekriach | Identity and access
management engineer <br>
<br>
Dynatech, <a href="https://maps.google.com/?q=Mednieku+str.+4a,+Riga,+LV-1010,+Latvia&entry=gmail&source=g" target="_blank">Mednieku
str. 4a, Riga, LV-1010, Latvia</a> <br>
<br>
<div style="display:inline-block"><a href="tel:+371%2025%20314%20685" value="+37125314685" target="_blank">+37125314685</a></div>
,
<div style="display:inline-block"><a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a></div>
|
<div style="display:inline-block"><a href="http://www.dynatech.lv" target="_blank">www.dynatech.lv</a></div>
<br>
<br>
Stay connected: <br>
<div style="display:inline-block;margin:5px 5px 0 0"><a href="https://www.facebook.com/DynatechLatvia/?ref=br_rs" target="_blank"><img src="cid:part10.B8BE96AC.790094FF@evolveum.com"></a></div>
<div style="display:inline-block;margin:5px 0 0 0"><a href="https://www.linkedin.com/company-beta/17893047/" target="_blank"><img src="cid:part12.9950AE35.C7F80FD0@evolveum.com"></a></div>
<br>
<br>
<span style="font-size:11px;color:#a1a1a1">Confidentiality
Notice: This message contains
confidential information and is intended
only for the named recipient(s). If you
are not the addressee you may not copy,
distribute or perform any other
activities with this information. If you
have received this transmission in
error, please notify us by e-mail
immediately. E-mail transmission cannot
be guaranteed to be secure or error-free
as information could be intercepted,
corrupted, lost, destroyed, arrive late
or incomplete, or contain viruses.</span></span></div>
</div>
</div>
</div>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-4731538508633317565m_688872782710185640moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-4731538508633317565m_688872782710185640moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
<br>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span style="color:#4c4c4c">Best regards, <br><br>Oleksandr Nekriach | Identity and access management engineer <br><br>Dynatech, Mednieku str. 4a, Riga, LV-1010, Latvia</span></div></div>
</div>
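<div>The two-mapping arrangement described as option 1 in Pavol Mederly's reply, written out as an object template fragment. This is an added example, not configuration from the thread or from Evolveum. It assumes a user extension property named "level" already defined in a hypothetical schema namespace, and roles whose names are exactly "bronze", "silver" and "gold".</div>

```xml
<!-- Added example. Assumed names: extension property "level" in the
     hypothetical namespace http://example.com/xml/ns/user-ext, and roles
     named exactly "bronze", "silver" and "gold". -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:ext="http://example.com/xml/ns/user-ext">
    <name>User template: radio-button level (example)</name>

    <!-- (1) Weak: sets level to "bronze" only when level has no value,
         so a silver or gold level chosen later is never overwritten. -->
    <mapping>
        <strength>weak</strength>
        <expression>
            <value>bronze</value>
        </expression>
        <target>
            <path>extension/ext:level</path>
        </target>
    </mapping>

    <!-- (2) Strong: the role assignment always follows level; the role is
         looked up by name, so level is the single place the choice is made. -->
    <mapping>
        <strength>strong</strength>
        <source>
            <path>extension/ext:level</path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>c:name</q:path>
                        <expression>
                            <path>$level</path>
                        </expression>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
    </mapping>
</objectTemplate>
```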