
<div dir="ltr">Hi <span style="white-space:pre-wrap">Pavol,</span><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap">I tried to move the condition to inducement. The inducement doesn't trigger account assignment.</span></div><div><span style="white-space:pre-wrap">I think I know why it doesn't work but I don't know how to proceed the case.</span></div><div><br></div><div>In reality User2 has or has to have the following assignments:<br></div><div>- Org "Link1"</div><div>- Org "UnitX"</div><div>- Role "User It Role"</div><div><br></div><div>As Org "Link1" is among these objects I am waiting for the Role "User IT Role" will be assigned.</div><div><br></div><div>In my condition script </div><div>ObjectType o = assignmentPath.getProtoRole(); </div><div><span style="white-space:pre-wrap">gets three appropriate objects during 3 distinct cycles (with a lot of repeating):</span></div><div><span style="white-space:pre-wrap">OrgType "Link1"</span></div><div><span style="white-space:pre-wrap">OrgType "UnitX"</span></div><div><span style="white-space:pre-wrap">RoleType "User IT Role"</span></div><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap">I check and return   </span></div><div><b>o instanceof OrgType &amp;&amp; ((OrgType) o).costCenter == "link" </b><span style="white-space:pre-wrap"><br></span></div><div>as a condition result.</div><div><br></div><div>In result I have three appropriate condition values:</div><div>true</div><div>false</div><div>false</div><div><br></div><div>I think this results in resulting <b>FALSE</b>.</div><div><br></div><div>To calculate the right condition I need a full and the same assignmentPath for each cycle and always return true if the right org is in place.  </div><div>Also</div><div><relativityMode>absolute</relativityMode><br></div><div>doesn't help me.</div><div><br></div><div>I think I can try to make a decision with user.parentOrgRef and <relativityMode>absolute</relativityMode>.</div><div><br></div><div>Probably, you know how to reach the goal with assignmentPath?</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div><span style="white-space:pre-wrap"><br></span></div><div><span style="white-space:pre-wrap">  </span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 29 Mar 2022 at 21:49, Pavol Mederly via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">

  
  <div>

    <p>Hello Yakov,</p>

    <p>this is quite an interesting situation.</p>

    <p>I have no time to try this myself, but my guess is that

      assignmentPath should help. I'd consider putting it into the

      inducement condition, and I would simply check if Link1 is on the

      path.</p>

    <p>Another thing to consider could be so-called order constraints,

      but they are limited to relations, not to specific intermediate

      roles.<br>

    </p>

    <p>Regards,<br>

    </p>

    <pre cols="72">-- 

Pavol Mederly

Software developer

<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>

    <div>On 29/03/2022 19:56, Yakov Revyakin via

      midPoint wrote:<br>

    </div>

    <blockquote type="cite">

      
      <div dir="ltr">Hi,<br>

        <div>My organization structure looks like: </div>

        <div><br>

        </div>

        <div>Org "Unit1"<br>

        </div>

        <div>- Org "Unit2"</div>

        <div>- - User "User1"<br>

        </div>

        <div>- Org "Link1"</div>

        <div>

          <div>- - User "User2"<br>

          </div>

          <br>

        </div>

        <div>There are 2 types of orgs: Unit and Link.</div>

        <div><br>

        </div>

        <div>I'd like to assign a role to a user if only the following

          path exists:</div>

        <div>Org "Unit1" -> <b>Org "Link1"</b> -> User "User2"</div>

        <div>I can do this with order=3 inducement defined in a role

          assigned to Unit1.</div>

        <div><br>

        </div>

        <div>Above you can see that User1 also can be recognized as a

          source for order=3 assignment. </div>

        <div>

          <div>Org "Unit1" -> Org "Unit2" -> User "User1"</div>

        </div>

        <div>But you can't see any Link org between User1 and parent

          Unit2. So, the role should't be assigned to User1.</div>

        <div><br>

        </div>

        <div>How to configure this kind of limitation?</div>

        <div><br>

        </div>

        <div>Role to be assigned to Unit1:</div>

        <div><role oid="172a6f10-12a5-4600-8939-875da1cf14ab"><br>

              <name>Unit Role</name><br>

              <inducement><br>

                  <targetRef

          oid="d492b520-2b48-44df-8a94-88e3a2a33c56"

          relation="org:default" type="c:RoleType"/><br>

                  <b><order>3</order></b><br>

                  <focusType>c:UserType</focusType><br>

              </inducement><br>

          </role><br>

        </div>

        <div><br>

        </div>

        <div>The role I am waiting be assigned to User2:<br>

        </div>

        <div><role oid="d492b520-2b48-44df-8a94-88e3a2a33c56"><br>

              <name>User IT Role</name><br>

              <inducement><br>

                  <construction><br>

                      <resourceRef

          oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2"

          relation="org:default" type="c:ResourceType"/><br>

                      <kind>account</kind><br>

                      <intent>default</intent><br>

                  </construction><br>

              </inducement><br>

              <condition><br>

                  <expression><br>

                      <script><br>

                          <code><br>

                              import

          com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType;<br>

                              import

          com.evolveum.midpoint.xml.ns._public.common.common_3.OrgType;<br>

          <br>

                              ObjectType o =

          assignmentPath.getProtoRole();<br>

                              return o instanceof OrgType

          &amp;&amp; ((OrgType) o).costCenter == "link";<br>

                          </code><br>

                      </script><br>

                  </expression><br>

              </condition><br>

          </role><br>

        </div>

        <div><br>

        </div>

        <div>

          <div>I used a condition in a role but the role is not

            assigned. If I change the condition simply to true it is

            always assigned independently of the parent path. It is not

            clear how to use assignmentPath to solve the problem. Could

            someone help?</div>

          <div>J</div>

          <div><br>

          </div>

        </div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div><br>

        </div>

        <div><br>

        </div>

      </div>

      <br>

      <fieldset></fieldset>

      <pre>_______________________________________________

midPoint mailing list

<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>

<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>

</pre>

    </blockquote>

  </div>


_______________________________________________<br>

midPoint mailing list<br>

<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>

<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>

</blockquote></div>