<div dir="ltr"><span id="gmail-result_box" class="gmail-short_text" lang="en"><span class="gmail-">Many thanks, Pavol !!!</span></span><br></div><div class="gmail_extra"><br><div class="gmail_quote">On 2 July 2018 at 20:11, Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello Oleksandr,</p>
<p><span class="">
</span></p><blockquote type="cite">I should not care about the bronze role
being assigned back because it is only initial access.</blockquote>
I see.<p></p>
<p><span class="">
</span></p><blockquote type="cite">I <span id="m_-9182414062649970919gmail-m_8865242058015927985gmail-result_box" class="m_-9182414062649970919gmail-m_8865242058015927985gmail-short_text" lang="en"><span class="m_-9182414062649970919gmail-m_8865242058015927985gmail-">noticed that using
normal strength for target assignment in mapping doesn't </span></span>assign
back the Bronze role even when emailAddress was changed.</blockquote>
Yes. It is because under the <i>relative changes</i> model that
midPoint is based on, the mapping takes <i>input change</i> and
converts it into <i>output change</i>.<p></p>
<p>Basically, when you create a user (or set a previously empty
email address for a user), the input change is "not applicable
-> applicable" (because the condition says <i>emailAddress !=
null</i>). The output change is then <i>null -> (bronze role
assignment)</i>, so the assignment is created. But after you
simply change emailAddress from value A to B, the input change is
<i>A -> B</i>, corresponding to an output change of <i>(bronze
role assignment) -> </i><i>(bronze role assignment)</i>,
i.e. in fact, nothing should be changed on the output side, even
if the bronze role assignment no longer exists because it was e.g.
deleted by an administrator.</p>
<p>If you erased emailAddress and then set it again (in two
separate operations), the bronze role assignment would appear
again.</p>
<p>If this is the way you expect it to work, then OK, you can use
it.</p>
Best regards,<span class=""><br>
<pre class="m_-9182414062649970919moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span><div><div class="h5"><div class="m_-9182414062649970919moz-cite-prefix">On 02.07.2018 18:04, Oleksandr Nekriach
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>Oh, Pavol, you explained this to me in a clear way. Thank
you.</div>
<div><br>
</div>
<div>I have somewhat different requirements and a different approach to
solving this.</div>
<div>I should not care about the bronze role being assigned back
because it is only initial access.</div>
<div>I used the following approach:</div>
<div>In the object template I use a mapping with an assignment with
normal strength (see below).</div>
<div>I <span id="m_-9182414062649970919gmail-m_8865242058015927985gmail-result_box" class="m_-9182414062649970919gmail-m_8865242058015927985gmail-short_text" lang="en"><span class="m_-9182414062649970919gmail-m_8865242058015927985gmail-">noticed
that using normal strength for target assignment in
mapping doesn't </span></span>assign back the Bronze role
even when emailAddress was changed.</div>
<div><br>
</div>
Am I correct that I can use such an approach, or did I miss
something?
<div><br>
</div>
<div><br>
</div>
<div><mapping id><br>
<description>Assigment to Mantis Basic
role</description><br>
<strength>normal</strength><br>
<source><br>
<name>emailAddress</name><br>
<c:path>$user/emailAddress</c:path><br>
</source><br>
<expression><br>
<value><br>
<targetRef oid="f0cf82d0-fe50-4e89-a628-2e5a936de379"
type="c:RoleType"/><!--Bronze role--><br>
</value><br>
</expression><br>
<target><br>
<c:path>assignment</c:path><br>
</target><br>
<condition><br>
<script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br>
xsi:type="c:ScriptExpressionEvaluatorType"><br>
<code><br>
emailAddress != null<br>
</code><br>
</script><br>
</condition><br>
</mapping><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 2 July 2018 at 11:16, Pavol Mederly
<span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello Oleksandr,</p>
<p>I assume that during normal operation, if bronze,
silver or gold role is unassigned, midPoint should
automatically assign back the bronze role.</p>
<p>Assuming that, three options come to my mind:</p>
<ol>
<li>Bind the role assignment to some user extension
property, let's call it e.g. "level". It would have
three possible values (bronze, silver, gold) - I
assume this can be ensured by defining it as a custom
enum. And there would be two mappings: (1) a weak
mapping that assigns "bronze" value to "level" if it
has no value, (2) a strong mapping that creates a
bronze/silver/gold assignment based on the "level"
value. This means that all changes to these assignments
have to go through the "level" item, not via
assignments themselves.<br>
</li>
<li>Write a custom <a href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks" target="_blank">scripting
hook</a> that would evaluate the user after each
change, and if it has no assignment to
bronze/silver/gold role it would assign the bronze
role.</li>
<li>Write a custom <a href="https://wiki.evolveum.com/display/midPoint/Policy+Rules" target="_blank">policy rule</a>
that would fire if there's no assignment to
bronze/silver/gold role. Unfortunately, midPoint
currently has no way of specifying a "do something"
policy action, except for an ugly workaround via a custom
"notify" action.</li>
</ol>
<p>So I would suggest either (1) or (2).</p>
<p>Hope this helps.<br>
</p>
<span>
<pre class="m_-9182414062649970919m_-4731538508633317565moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</span>
<div>
<div class="m_-9182414062649970919h5">
<div class="m_-9182414062649970919m_-4731538508633317565moz-cite-prefix">On
28.06.2018 15:18, Oleksandr Nekriach wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hello Pavol,<br>
Yes, and I want one of these radio-button roles
to also be a "basic" (initial) role. This
basic-radio-button role should be automatically
assigned to all new users by the HR reconciliation
task.<br>
<br>
For example:<br>
<br>
<ul>
<li> the bronze role is a "basic" role and also
a radio-button role</li>
<li> thanks to the HR reconciliation task,
every new user will be assigned the bronze
role as the "basic" role.</li>
<li> during the user life cycle the user can be
assigned other radio-button roles
manually by HelpDesk or by some automatic
processes, and midPoint should remember such
assignments</li>
<li> but the HR reconciliation should never
fall back to the "basic" role assignment if the user
has a current radio-button assignment different
from the "basic" role (has the silver or gold role)<br>
</li>
</ul>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 28 June 2018 at 12:38,
Pavol Mederly <span dir="ltr"><<a href="mailto:mederly@evolveum.com" target="_blank">mederly@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello Oleksandr,</p>
<p>do you mean something like this? E.g. you
have radio button roles: bronze - silver -
gold and you want to ensure that a user
always has exactly one of them assigned?
(e.g. bronze if neither silver nor gold)?</p>
<pre class="m_-9182414062649970919m_-4731538508633317565m_688872782710185640moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div class="m_-9182414062649970919m_-4731538508633317565h5">
<div class="m_-9182414062649970919m_-4731538508633317565m_688872782710185640moz-cite-prefix">On
22.06.2018 11:24, Oleksandr Nekriach
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div class="m_-9182414062649970919m_-4731538508633317565h5">
<div dir="ltr">
<div>Hi guys,</div>
<div><br>
</div>
<div>Does midPoint have an elegant
solution for a basic role
assignment which is also a
radio-button role? <br>
</div>
<div>I have found that the
assignment of the basic-radio-button
role by an object template mapping (with
weak strength) does not work if we
have other assignment mappings in
the same object template (for
example OrgType assignments).<br>
</div>
<div><br>
</div>
<div>Thank you in advance.</div>
<div> <br>
</div>
<div>-- <br>
<div class="m_-9182414062649970919m_-4731538508633317565m_688872782710185640gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr"><span style="color:#4c4c4c">Best
regards, </span></div>
<div dir="ltr"><br>
<span style="color:#4c4c4c"></span></div>
<div dir="ltr"><span style="color:#4c4c4c"><img src="cid:part8.092AE2D5.A68920D3@evolveum.com"> <br>
<br>
Oleksandr Nekriach |
Identity and access
management engineer <br>
<br>
Dynatech, <a href="https://maps.google.com/?q=Mednieku+str.+4a,+Riga,+LV-1010,+Latvia&entry=gmail&source=g" target="_blank">Mednieku
str. 4a, Riga, LV-1010,
Latvia</a> <br>
<br>
<div style="display:inline-block"><a href="tel:+371%2025%20314%20685" value="+37125314685" target="_blank">+37125314685</a></div>
,
<div style="display:inline-block"><a href="mailto:o.nekriach@dynatech.lv" target="_blank">o.nekriach@dynatech.lv</a></div>
|
<div style="display:inline-block"><a href="http://www.dynatech.lv" target="_blank">www.dynatech.lv</a></div>
<br>
<br>
Stay connected: <br>
<div style="display:inline-block;margin:5px 5px 0 0"><a href="https://www.facebook.com/DynatechLatvia/?ref=br_rs" target="_blank"><img src="cid:part13.143A003E.051CE222@evolveum.com"></a></div>
<div style="display:inline-block;margin:5px 0 0 0"><a href="https://www.linkedin.com/company-beta/17893047/" target="_blank"><img src="cid:part15.583D7558.BF30E495@evolveum.com"></a></div>
<br>
<br>
<span style="font-size:11px;color:#a1a1a1">Confidentiality
Notice: This message
contains confidential
information and is
intended only for the
named recipient(s). If you
are not the addressee you
may not copy, distribute
or perform any other
activities with this
information. If you have
received this transmission
in error, please notify us
by e-mail immediately.
E-mail transmission cannot
be guaranteed to be secure
or error-free as
information could be
intercepted, corrupted,
lost, destroyed, arrive
late or incomplete, or
contain viruses.</span></span></div>
</div>
</div>
</div>
<br>
<fieldset class="m_-9182414062649970919m_-4731538508633317565m_688872782710185640mimeAttachmentHeader"></fieldset>
<br>
</div>
</div>
<pre>______________________________<wbr>_________________
midPoint mailing list
<a class="m_-9182414062649970919m_-4731538508633317565m_688872782710185640moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a class="m_-9182414062649970919m_-4731538508633317565m_688872782710185640moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mail<wbr>man/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div>
</div>
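The relative-change behaviour described in the thread, as a simplified Python model added here (it is not midPoint code and not from either participant); the role constants, e-mail addresses and function names are constructed for illustration. It also replays the case where an administrator has replaced Bronze with Silver: changing emailAddress leaves Silver alone, but erasing and re-setting it brings Bronze back next to Silver.

```python
# Simplified model of a normal-strength mapping under relative changes.
# Added illustration only: names and sample values are constructed.

BRONZE = "bronze-role-assignment"   # stands in for the Bronze targetRef
SILVER = "silver-role-assignment"   # hypothetical second radio-button role


def mapping_output(email):
    """Constant value (Bronze) gated by the condition emailAddress != null."""
    return {BRONZE} if email is not None else set()


def output_delta(old_email, new_email):
    """Convert the input change old -> new into an output change."""
    old_out = mapping_output(old_email)
    new_out = mapping_output(new_email)
    return {"plus": new_out - old_out, "minus": old_out - new_out}


def apply_change(assignments, old_email, new_email):
    """Apply only the delta; values that stay in the output are not re-asserted."""
    delta = output_delta(old_email, new_email)
    return (set(assignments) | delta["plus"]) - delta["minus"]


def scenario():
    """Replay the cases from the thread; return the assignments after each step."""
    steps = []

    # User created with an e-mail address: null -> (bronze role assignment).
    assignments = apply_change(set(), None, "a@example.com")
    steps.append(("create", frozenset(assignments)))

    # Administrator removes Bronze and assigns Silver by hand.
    assignments = (assignments - {BRONZE}) | {SILVER}

    # emailAddress A -> B: output is bronze -> bronze, so the delta is empty.
    assignments = apply_change(assignments, "a@example.com", "b@example.com")
    steps.append(("A->B after admin swap", frozenset(assignments)))

    # Erase and set again, in two separate operations.
    assignments = apply_change(assignments, "b@example.com", None)
    assignments = apply_change(assignments, None, "b@example.com")
    steps.append(("erase then set", frozenset(assignments)))
    return steps


if __name__ == "__main__":
    for label, result in scenario():
        print(f"{label:24s} {sorted(result)}")
```
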