<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello Yakov,</p>
<p>this is quite an interesting situation.</p>
<p>I have no time to try this myself, but my guess is that
assignmentPath should help. I'd consider putting it into the
inducement condition, and I would simply check if Link1 is on the
path.</p>
<p>Another thing to consider could be so-called order constraints,
but they are limited to relations, not to specific intermediate
roles.<br>
</p>
<p>Regards,<br>
</p>
<pre class="moz-signature" cols="72">--
Pavol Mederly
Software developer
evolveum.com</pre>
<div class="moz-cite-prefix">On 29/03/2022 19:56, Yakov Revyakin via
midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALXvSnts1EEXhJv2HRSds04BMNCrieq5=PJNMg0wFdOrXeH3Jw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi,<br>
<div>My organization structure looks like: </div>
<div><br>
</div>
<div>Org "Unit1"<br>
</div>
<div>- Org "Unit2"</div>
<div>- - User "User1"<br>
</div>
<div>- Org "Link1"</div>
<div>
<div>- - User "User2"<br>
</div>
<br class="gmail-Apple-interchange-newline">
</div>
<div>There are 2 types of orgs: Unit and Link.</div>
<div><br>
</div>
<div>I'd like to assign a role to a user only if the following
path exists:</div>
<div>Org "Unit1" -> <b>Org "Link1"</b> -> User "User2"</div>
<div>I can do this with order=3 inducement defined in a role
assigned to Unit1.</div>
<div><br>
</div>
<div>Above you can see that User1 also can be recognized as a
source for order=3 assignment. </div>
<div>
<div>Org "Unit1" -> Org "Unit2" -> User "User1"</div>
</div>
<div>But you can't see any Link org between User1 and parent
Unit2. So, the role shouldn't be assigned to User1.</div>
<div><br>
</div>
<div>How to configure this kind of limitation?</div>
<div><br>
</div>
<div>Role to be assigned to Unit1:</div>
<div><role oid="172a6f10-12a5-4600-8939-875da1cf14ab"><br>
<name>Unit Role</name><br>
<inducement><br>
<targetRef
oid="d492b520-2b48-44df-8a94-88e3a2a33c56"
relation="org:default" type="c:RoleType"/><br>
<b><order>3</order></b><br>
<focusType>c:UserType</focusType><br>
</inducement><br>
</role><br>
</div>
<div><br>
</div>
<div>The role I am waiting to be assigned to User2:<br>
</div>
<div><role oid="d492b520-2b48-44df-8a94-88e3a2a33c56"><br>
<name>User IT Role</name><br>
<inducement><br>
<construction><br>
<resourceRef
oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"
relation="org:default" type="c:ResourceType"/><br>
<kind>account</kind><br>
<intent>default</intent><br>
</construction><br>
</inducement><br>
<condition><br>
<expression><br>
<script><br>
<code><br>
import
com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;<br>
import
com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;<br>
<br>
ObjectType o =
assignmentPath.getProtoRole();<br>
return o instanceof OrgType
&& ((OrgType) o).costCenter == "link";<br>
</code><br>
</script><br>
</expression><br>
</condition><br>
</role><br>
</div>
<div><br>
</div>
<div>
<div>I used a condition in a role but the role is not
assigned. If I change the condition simply to true it is
always assigned independently of the parent path. It is not
clear how to use assignmentPath to solve the problem. Could
someone help?</div>
<div><br>
</div>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
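<p>One way to write down the suggestion from the reply: the condition moves into the order-3 inducement of "Unit Role" and tests whether any org on the assignment path carries the costCenter value "link" that the question uses to mark Link orgs. This is an added, untested example, not code from either poster or from the midPoint project; it assumes the assignmentPath script variable exposes getSegments() and each segment getTarget(), and that the inducement condition sees the whole path starting at the user.</p>
<pre>
```xml
<role oid="172a6f10-12a5-4600-8939-875da1cf14ab">
    <name>Unit Role</name>
    <inducement>
        <targetRef oid="d492b520-2b48-44df-8a94-88e3a2a33c56"
                   relation="org:default" type="c:RoleType"/>
        <order>3</order>
        <focusType>c:UserType</focusType>
        <!-- Assumption: the inducement is skipped when this evaluates to false. -->
        <condition>
            <expression>
                <script>
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType

                        // Assumed API: assignmentPath.segments is the chain of
                        // assignments from the user up to this inducement, and
                        // segment.target is the object each step points to.
                        // Expected targets for User2: Link1, Unit1, Unit Role
                        // (a Link org is present, so the result is true).
                        // Expected targets for User1: Unit2, Unit1, Unit Role
                        // (no Link org, so the result is false).
                        return assignmentPath.segments
                                .collect { it.target }
                                .findAll { it instanceof OrgType }
                                .any { it.costCenter == 'link' }
                    </code>
                </script>
            </expression>
        </condition>
    </inducement>
</role>
```
</pre>
<p>In this variant the role-level condition on "User IT Role" from the question is assumed to be removed, so the path check lives only in the inducement.</p>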
</body>
</html>