<div dir="ltr">Hi Ivan,<br><div>This works and suits as a workaround. Thank you.</div><div><br></div><div>Using this solution we still have a list of IT roles assigned to the user indirectly which don't result in assigning associations, because the metarole prevents this. Those IT roles in the list can confuse any administrator who can see the roles assigned but can't see any income in resources.</div><div>I still would like to understand this &lt;orderConstraint&gt; feature deeper and how to apply it to my case.</div><div>I've prepared some objects.</div><div><br></div><div>Org structure contains 2 orgs, top and subordinate:</div><div><br></div>
<pre>&lt;org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     oid="1a4ec491-58d8-4646-9d9f-a00bc4091257"&gt;
    &lt;name&gt;Top Org&lt;/name&gt;
    &lt;assignment&gt;
        &lt;targetRef oid="13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e" relation="org:default" type="c:RoleType"/&gt;
    &lt;/assignment&gt;
&lt;/org&gt;
</pre>
<pre>&lt;org xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
     xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
     oid="e80eb644-6a7b-414d-97dd-7209378708a8"
     version="0"&gt;
    &lt;name&gt;Bottom Org&lt;/name&gt;
    &lt;assignment&gt;
        &lt;targetRef oid="1a4ec491-58d8-4646-9d9f-a00bc4091257" relation="org:default" type="c:OrgType"/&gt;
    &lt;/assignment&gt;
    &lt;assignment&gt;
        &lt;targetRef oid="1db7b2ac-b840-45d0-b4b7-44a1b63e9050" relation="org:default" type="c:RoleType"/&gt;
    &lt;/assignment&gt;
&lt;/org&gt;
</pre>
<div>Two business roles: Top Role assigned to Top Org, Bottom Role assigned to Bottom Org.</div><div><br></div>
<pre>&lt;role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e"&gt;
    &lt;name&gt;Top Role&lt;/name&gt;
    &lt;inducement&gt;
        &lt;targetRef oid="8bfb56c3-d3f6-4176-91c8-d5b66d866666" relation="org:default" type="c:RoleType"/&gt;
        &lt;orderConstraint&gt;
            &lt;order&gt;2&lt;/order&gt;
            &lt;resetOrder&gt;1&lt;/resetOrder&gt;
            &lt;relation&gt;org:default&lt;/relation&gt;
        &lt;/orderConstraint&gt;
        &lt;focusType&gt;c:UserType&lt;/focusType&gt;
    &lt;/inducement&gt;
&lt;/role&gt;
</pre>
<pre>&lt;role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="1db7b2ac-b840-45d0-b4b7-44a1b63e9050"&gt;
    &lt;name&gt;Bottom Role&lt;/name&gt;
    &lt;inducement&gt;
        &lt;targetRef oid="ed7bbc79-e048-4e49-bea7-180b48ef41ea" relation="org:default" type="c:RoleType"/&gt;
        &lt;orderConstraint&gt;
            &lt;order&gt;2&lt;/order&gt;
            &lt;resetOrder&gt;1&lt;/resetOrder&gt;
            &lt;relation&gt;org:default&lt;/relation&gt;
        &lt;/orderConstraint&gt;
        &lt;focusType&gt;c:UserType&lt;/focusType&gt;
    &lt;/inducement&gt;
&lt;/role&gt;
</pre>
<div>Also there are two IT roles which the business roles assign:</div><div><br></div>
<pre>&lt;role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="ed7bbc79-e048-4e49-bea7-180b48ef41ea"&gt;
    &lt;name&gt;o365-dynamics365-team-members&lt;/name&gt;
&lt;/role&gt;
</pre>
<pre>&lt;role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" oid="8bfb56c3-d3f6-4176-91c8-d5b66d866666"&gt;
    &lt;name&gt;o365-ms365-e3&lt;/name&gt;
&lt;/role&gt;
</pre>
<div>... and two users who live in the appropriate orgs:</div><div><br></div>
<pre>&lt;user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="1d63fb35-9a99-4494-97ac-3977670fea96"&gt;
    &lt;name&gt;Top User&lt;/name&gt;
    &lt;assignment&gt;
        &lt;targetRef oid="1a4ec491-58d8-4646-9d9f-a00bc4091257" relation="org:default" type="c:OrgType"/&gt;
    &lt;/assignment&gt;
&lt;/user&gt;
</pre>
<pre>&lt;user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      oid="0d63fb35-9a99-4494-97ac-3977670fea96"&gt;
    &lt;name&gt;Bottom User&lt;/name&gt;
    &lt;assignment&gt;
        &lt;targetRef oid="e80eb644-6a7b-414d-97dd-7209378708a8" relation="org:default" type="c:OrgType"/&gt;
    &lt;/assignment&gt;
&lt;/user&gt;
</pre>
<div>My expectation is that midPoint assigns an IT role from Top Role to a member of Top Org, and an IT role from Bottom Role to a member of Bottom Org. <b>For this I've set resetOrder=1</b> (I think 1 corresponds to the organization in assignmentPath) <b>for the default relation</b> (member of organization).</div><div><br></div><div>Actually, I can see that the Top User received the IT role from the Top Role, but the Bottom User received the IT role from the Bottom Role and, also, the IT role from the Top Role!!!! The Top Role assigns its IT roles to members of its own organization and also to members of all subordinate orgs.</div><div><br></div><div>If I try to use the well-known order=2 instead of using orderConstraint, I have proper assignments. But in this case I can't manage relations, and if an org includes a manager who is not a member, I can't prevent the IT role from being assigned to this manager.</div><div><br></div><div>Could you explain what actually happens and where my mistake is?</div><div>Thanks in advance,</div><div>Yakov</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 23 Jan 2023 at 10:10, Ivan Noris via midPoint &lt;<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi Yakov,</p>
<p>I was using this for something similar (only members, not
managers should have a group association given by a metarole in
organization unit):</p>
<pre>&lt;condition&gt;
    &lt;script&gt;
        &lt;code&gt;
            /* fixes MID-5538 as relation may be null in some waves.
               Checking just for ORG_DEFAULT does not work in such cases. This
               method works even if the relation is null.

               Credits to P. Mederly
            */

            targetRef != null &amp;&amp;
            <font color="#1b70e5">midpoint.relationRegistry.isMember(targetRef.relation)</font> &amp;&amp;
            <font color="#ffa348">!midpoint.relationRegistry.isManager(targetRef.relation)</font>
        &lt;/code&gt;
    &lt;/script&gt;
&lt;/condition&gt;
</pre>
<p>I was using this condition in my association/outbound element in
metarole, but you can try it for your case as well.</p>
<p>The original author of this example is noted in the comments :-)</p>
<p>NOTE: I last used/tested this with midPoint 4.4.something.<br>
</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<div>On 22. 1. 2023 17:08, Yakov Revyakin
via midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi friends,
<div>I have a question about how to assign something a bit
unusual.</div>
<div><br>
There is an Org with 2 users. User1 is a member of the Org,
User2 is a manager of the Org but isn't a member of it.
<div>There is a BusinessRole which induces an IT Role to
order=2 users. </div>
<div><br>
</div>
<div>I'm assigning the BusinessRole to the Org. User1 &amp;
User2 are order 2 users related to the Business Role
(correct?).</div>
<div><br>
</div>
<div>Is it possible to differentiate User1 (a member) and
User2 (a manager) during assigning the IT Role which happens
as result of assigning the BusinessRole to the Org?</div>
<div><br>
</div>
<div>So, I'd like to assign the BusinessRole to the Org and
have the IT Role assigned to members of the Org only
(User1).</div>
<div><br>
</div>
<div>Thanks in advance,</div>
<div>J </div>
<div><br>
</div>
<div> </div>
</div>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre cols="72">--
Ivan Noris
Expert Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div>
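<div dir="ltr"><p>Added example, written for this page; it is not code from the thread, from midPoint or from Evolveum. It is a deliberately simplified Python model of the object graph Yakov posted (Top Org, Bottom Org, the two business roles, the two IT roles and the two users, with the thread's names and OIDs) that enumerates every assignment path from a user to an IT role. Two filters are modelled on top of the raw paths, and both are assumptions rather than midPoint's real evaluation logic: a plain inducement <code>order</code> is taken to mean "the business role sits exactly that many assignment segments from the user", and Ivan's member-only condition is applied to the relation of the user's own assignment to the org. <code>orderConstraint</code>/<code>resetOrder</code> are not modelled at all. A constructed extra user, "Top Manager", with a hypothetical placeholder OID, reproduces the manager-but-not-member case from the first mail. Running it shows why Bottom User reaches Top Role's IT role through the Bottom Org to Top Org hop, why a depth filter alone still lets a manager through, and why the two mechanisms address different dimensions of the path (depth versus relation).</p></div>

```python
"""Simplified model of assignment paths in the midPoint org/role graph from the thread.

Added example, not midPoint code. Assumptions: plain 'order' = distance in
segments from the user to the business role; Ivan's member-only condition is
applied to the user's own org assignment (first path segment). orderConstraint
and resetOrder are NOT modelled.
"""

MEMBER = "org:default"   # midPoint default (member) relation
MANAGER = "org:manager"  # midPoint manager relation

# Constructed object graph: oid -> (name, kind, [(target_oid, relation), ...]).
# Entries combine each object's assignments and inducements. OIDs and names are
# the thread's; "Top Manager" (placeholder OID) is a constructed extra user.
OBJECTS = {
    "1a4ec491-58d8-4646-9d9f-a00bc4091257": ("Top Org", "org",
        [("13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e", MEMBER)]),
    "e80eb644-6a7b-414d-97dd-7209378708a8": ("Bottom Org", "org",
        [("1a4ec491-58d8-4646-9d9f-a00bc4091257", MEMBER),
         ("1db7b2ac-b840-45d0-b4b7-44a1b63e9050", MEMBER)]),
    "13ed0755-e5b6-4f2f-beb5-0eab5e8ac92e": ("Top Role", "role",
        [("8bfb56c3-d3f6-4176-91c8-d5b66d866666", MEMBER)]),
    "1db7b2ac-b840-45d0-b4b7-44a1b63e9050": ("Bottom Role", "role",
        [("ed7bbc79-e048-4e49-bea7-180b48ef41ea", MEMBER)]),
    "8bfb56c3-d3f6-4176-91c8-d5b66d866666": ("o365-ms365-e3", "role", []),
    "ed7bbc79-e048-4e49-bea7-180b48ef41ea": ("o365-dynamics365-team-members", "role", []),
    "1d63fb35-9a99-4494-97ac-3977670fea96": ("Top User", "user",
        [("1a4ec491-58d8-4646-9d9f-a00bc4091257", MEMBER)]),
    "0d63fb35-9a99-4494-97ac-3977670fea96": ("Bottom User", "user",
        [("e80eb644-6a7b-414d-97dd-7209378708a8", MEMBER)]),
    "00000000-0000-0000-0000-00000000cafe": ("Top Manager", "user",   # constructed
        [("1a4ec491-58d8-4646-9d9f-a00bc4091257", MANAGER)]),
}

TOP_USER = "1d63fb35-9a99-4494-97ac-3977670fea96"
BOTTOM_USER = "0d63fb35-9a99-4494-97ac-3977670fea96"
TOP_MANAGER = "00000000-0000-0000-0000-00000000cafe"  # constructed placeholder OID


def is_member(relation):
    return relation == MEMBER


def is_manager(relation):
    return relation == MANAGER


def assignment_paths(focus_oid):
    """All paths from the focus to an IT role (a role with no further inducements).

    A path is a list of (object_name, relation) segments, one per assignment or
    inducement followed; the focus itself is not part of the path.
    """
    paths = []

    def walk(oid, path, seen):
        _, kind, targets = OBJECTS[oid]
        if kind == "role" and not targets:
            paths.append(path)
            return
        for target_oid, relation in targets:
            if target_oid in seen:  # guard against cycles in the org graph
                continue
            walk(target_oid, path + [(OBJECTS[target_oid][0], relation)],
                 seen | {target_oid})

    walk(focus_oid, [], {focus_oid})
    return paths


def granted_it_roles(focus_oid, inducement_order=None, members_only=False):
    """Map IT role name -> list of paths granting it, after the modelled filters.

    inducement_order: keep only paths whose business role sits exactly that many
        segments from the user (assumed meaning of a plain inducement 'order').
    members_only: apply Ivan's condition to the user's own org assignment.
    """
    granted = {}
    for path in assignment_paths(focus_oid):
        business_role_depth = len(path) - 1  # the segment just before the IT role
        if inducement_order is not None and business_role_depth != inducement_order:
            continue
        first_relation = path[0][1]
        if members_only and not (is_member(first_relation)
                                 and not is_manager(first_relation)):
            continue
        granted.setdefault(path[-1][0], []).append(path)
    return granted


def describe(focus_oid, path):
    """Render a path as 'Bottom User -(org:default)-> Bottom Org -(...)-> ...'."""
    out = OBJECTS[focus_oid][0]
    for name, relation in path:
        out += " -(%s)-> %s" % (relation, name)
    return out


if __name__ == "__main__":
    for user in (TOP_USER, BOTTOM_USER, TOP_MANAGER):
        print("==", OBJECTS[user][0])
        for label, kwargs in (("no filter", {}),
                              ("order=2", {"inducement_order": 2}),
                              ("order=2 + members only",
                               {"inducement_order": 2, "members_only": True})):
            roles = granted_it_roles(user, **kwargs)
            print("  %-24s %s" % (label + ":", sorted(roles) or "-"))
            for paths in roles.values():
                for p in paths:
                    print("      via", describe(user, p))
```

With no filter, Bottom User reaches o365-ms365-e3 through Bottom Org, Top Org and Top Role, which is the surplus grant Yakov observed; the "order=2" run drops that path because Top Role is three segments away, matching his report that plain order=2 gives the right result, but it still grants the constructed Top Manager the IT role, which is the original question. Only the combination of a depth filter and the member-only relation check leaves every user with the intended set in this model.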