<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Ádám,</p>
<p>the trick is to set up a mapping range, e.g. using assignment
subtype (or another relevant "flag" for assignment values created
by your mappings).</p>
<p>I am not sure how to do that for auto-assigned roles, but for
template-based mappings it is quite simple.<br>
</p>
<p>Please refer to the docs and/or the samples (including the ones used
for testing, i.e. in the main midPoint GitHub repo). Just search for
any assignment-related mappings with a <range> element
present.</p>
<p>Best regards,<br>
</p>
<pre class="moz-signature" cols="72">--
Pavol Mederly
Software developer
evolveum.com</pre>
<div class="moz-cite-prefix">On 13/04/2022 13:46, Német, Ádám via
midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABw35SzMZD=U2JmHPbPWrdUVKr5vDFTubXuE=wPgiGPeaiOkQw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr" data-smartmail="gmail_signature">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div dir="ltr">
<div>
<div>Hi,<br>
<br>
I use midPoint version 4.4.1. <br>
<br>
I would like to create Attribute-Based Access
Control (ABAC) roles. I tried it with role object
auto-assignment and an object template; you can see
the configuration below. It was working very well
in most cases.</div>
<div> <br>
But when I changed the auto-assign mapping rule of
the role, the unassign operation was not
run for users who were only in the kitchen
organizational unit.</div>
<div> <b>Old ABAC rule:</b> <font
face="monospace">organizationalUnit?.norm ==
'kitchen' </font><br>
<b>New ABAC rule:</b> <font face="monospace">organizationalUnit?.norm
== 'livingroom'</font></div>
<div> <br>
It had the same effect on object templates with
another rule. </div>
<div> <b>Old ABAC rule: </b><span
style="font-family:monospace">employeeNumber ==
'12345'</span></div>
<div> <b>New </b><b>ABAC rule: </b><span
style="font-family:monospace">employeeNumber ==
'123456789'</span></div>
<div><br>
</div>
<div>So the role membership revocation for the users
was not evaluated when the role mapping rule
changed. I tried running recomputation tasks
too, but nothing happened.</div>
<div><br>
Is there a way to automatically unassign the role
from users after the role auto-assign rule has
changed? </div>
<div><br>
</div>
<div>If the unassign has to be done manually, is
there a best practice for this case?<br>
<br>
Thank you for helping!<br>
<br>
Best regards,</div>
<div>Adam Nemet<br>
<br>
<b>Configuration:</b><br>
<pre><?xml version="1.0" encoding="UTF-8"?>

<config>
    <role oid="1638b6d0-e0de-45b8-9828-c3b5ab6bf46e">
        <name>Requester</name>
        <autoassign>
            <enabled>true</enabled>
            <focus>
                <mapping id="16">
                    <strength>strong</strength>
                    <source>
                        <path>organizationalUnit</path>
                    </source>
                    <!-- ABAC rule lives only in the condition -->
                    <condition>
                        <script>
                            <code>
                                organizationalUnit?.norm == 'kitchen'
                            </code>
                        </script>
                    </condition>
                </mapping>
                <selector>
                    <type>UserType</type>
                </selector>
            </focus>
        </autoassign>
    </role>

    <objectTemplate oid="516a979a-824d-497d-ac44-53f8af592a12">
        <name>User AD role auto assigment</name>
        <mapping>
            <authoritative>true</authoritative>
            <source>
                <path>employeeNumber</path>
            </source>
            <expression>
                <value>
                    <targetRef oid="e8fe3a12-6701-4943-8180-c3aff2d132e6" type="RoleType"/>
                </value>
            </expression>
            <!-- target has no range (set) declared -->
            <target>
                <path>assignment</path>
            </target>
            <condition>
                <script>
                    <code>employeeNumber == '12345'</code>
                </script>
            </condition>
        </mapping>
    </objectTemplate>

    <systemConfiguration>
        ...
        <roleManagement>
            <roleCatalogRef oid="20000000-7798-11e2-964e-200000000100" relation="org:default" type="c:OrgType">
                <!-- IT Department -->
            </roleCatalogRef>
            <roleCatalogCollections>
                <collection>
                    <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog</collectionUri>
                </collection>
                <collection>
                    <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#allRoles</collectionUri>
                </collection>
            </roleCatalogCollections>
            <defaultCollection>
                <collectionUri>http://midpoint.evolveum.com/xml/ns/public/common/object-collections-3#roleCatalog</collectionUri>
            </defaultCollection>
            <autoassignEnabled>true</autoassignEnabled>
        </roleManagement>
        ...
        <defaultObjectPolicyConfiguration>
            <objectTemplateRef oid="516a979a-824d-497d-ac44-53f8af592a12" relation="org:default" type="c:ObjectTemplateType">
                <!-- User Template -->
            </objectTemplateRef>
            <type>UserType</type>
        </defaultObjectPolicyConfiguration>
        ...
    </systemConfiguration>
</config></pre></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<pre class="moz-quote-pre" wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
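<p>Pavol's suggestion above, spelled out as a concrete object template mapping. This is an added example, not configuration from the original post, from Pavol, or from the midPoint project. It reuses the template and role OIDs from Ádám's configuration and assumes the following: a marker subtype value abac-auto (any string works as long as only these mappings set it); that the range condition receives each existing assignment in the input variable; and that the ObjectTypeUtil.createAssignmentTo(oid, ObjectTypes, prismContext) helper and the prismContext script variable are available in midPoint 4.4 as remembered here, so check both against your version. The ABAC rule is evaluated inside the expression rather than in the mapping condition, so the mapping is evaluated on every recompute whether or not the rule matches; when it does not match, the expression yields no value, and every existing assignment that carries the marker but is no longer produced falls inside the range and is removed.</p>

```xml
<objectTemplate oid="516a979a-824d-497d-ac44-53f8af592a12">
    <name>User AD role auto assigment</name>
    <mapping>
        <name>abac-requester-role</name>
        <strength>strong</strength>
        <authoritative>true</authoritative>
        <source>
            <path>employeeNumber</path>
        </source>
        <expression>
            <script>
                <code>
                    import com.evolveum.midpoint.schema.constants.ObjectTypes
                    import com.evolveum.midpoint.schema.util.ObjectTypeUtil

                    // ABAC rule (the "new" rule from the question). Returning null produces
                    // no output value; the range below then removes any assignment this
                    // mapping created earlier under the old rule.
                    if (employeeNumber != '123456789') {
                        return null
                    }

                    // Assumed midPoint 4.4 helper: builds an AssignmentType whose targetRef
                    // points at the Requester role.
                    def assignment = ObjectTypeUtil.createAssignmentTo(
                            'e8fe3a12-6701-4943-8180-c3aff2d132e6', ObjectTypes.ROLE, prismContext)
                    // Marker that tells the range "this assignment belongs to this mapping".
                    assignment.subtype('abac-auto')     // assumed value; pick your own flag
                    return assignment
                </code>
            </script>
        </expression>
        <target>
            <path>assignment</path>
            <!-- Range: every existing assignment flagged abac-auto is owned by this mapping.
                 Any such assignment that the expression does not produce in this evaluation
                 is removed. Assignments without the flag (manual, other mappings) are untouched. -->
            <set>
                <condition>
                    <script>
                        <code>
                            // 'input' is assumed to hold the existing assignment being tested
                            input?.subtype?.contains('abac-auto')
                        </code>
                    </script>
                </condition>
            </set>
        </target>
    </mapping>
</objectTemplate>
```

<p>After importing the template, a recompute of the affected users (the same recomputation task Ádám ran) removes the Requester assignment from users whose employeeNumber no longer matches, because that assignment still carries the flag. Assignments created before the flag was introduced do not carry it, so the range cannot recognize them; those have to be cleaned up once by hand or with a one-off bulk action. The role autoassign mapping is left as in the original post, since Pavol notes he is not sure a range can be expressed there.</p>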
</body>
</html>