<div dir="ltr">Hi again,<br><div><br></div><div>I have found the cause.</div><div>As I said in the beginning, I am trying to apply the role to a user's AD computer accounts.</div><div>There is a requirement that a user can have more than one computer. So, multiplicity is in place.</div><div>I have found that the weak construction stops working as soon as I add multiplicity support for computers.</div><div><br></div><div>Is there any way to overcome this problem?</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 27 Feb 2023 at 16:45, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com">yrevyakin@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi Ivan,<br><div>Thank you for the answer.</div><div>I checked the weak construction for associations in another project and it works, at least for another resource (Keycloak). </div><div>Currently I have no idea what the cause is.<br>I will create a simplified project with AD and test again.<br><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 27 Feb 2023 at 10:11, Ivan Noris via midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hi,</p>
<p>I was certainly using weak constructions with associations.</p>
<p>The following is a fragment from metarole from our Advanced
training (4.0-based, but I tested it on 4.4.x).</p>
<p>Resource is OpenLDAP (not AD).<br>
</p>
<pre><role
    xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
    xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
    xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
    oid="ed3e5df8-2217-11e8-9d57-9793344c7aa6">
  <name>LDAP Org Group Metarole</name>
  <description>If assigning this metarole, organization name (numeric) prefixed with 'org-' will be used for group name.</description>
  <inducement>
    <description>Inducement to create a group as a projection of midPoint organization</description>
    <construction>
      <description>Creates an object (group) for organization</description>
      <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2" type="c:ResourceType"/>
      <kind>entitlement</kind>
      <intent>ldapOrgGroup</intent>
    </construction>
  </inducement>
  <inducement>
    <description>Inducement to create an account as a projection of user having assigned an organization with this metarole.</description>
    <construction>
      <description>Creates an account for user, and associates with group created for the organization assigned to the user.</description>
      <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <ref>ri:ldapOrgGroup</ref>
        <outbound>
          <strength>strong</strength>
          <source>
            <path>$focusAssignment/targetRef</path>
            <!-- XXX to get relation -->
          </source>
          <expression>
            <associationFromLink>
              <projectionDiscriminator>
                <kind>entitlement</kind>
                <intent>ldapOrgGroup</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
      <strength>weak</strength>
      <!-- Will not create account unless it already exists -->
    </construction>
    <order>2</order>
    <focusType>UserType</focusType>
  </inducement>
</role>
</pre>
<p>Hope this helps. If it does not work with newer midPoint, either
there is something different in the configuration since then (I
doubt it) or you have encountered a regression bug.<br>
</p>
<p>Best regards,</p>
<p>Ivan<br>
</p>
<div>On 26. 2. 2023 22:16, Yakov Revyakin
via midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">As I understand it, there is no chance to add an
association via a weak construction. We can modify plain
attributes using this type of construction but it doesn't cover
associations. Even the association mapping is strong. We can't even
see an indirect resource assignment among the assignments.
<div>This is a bit strange. </div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, 24 Feb 2023 at 08:56,
Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">I use mp4.4.3
<div>I have metarole-role assign/revoke working for AD
user accounts. I have no specific logic in the group
object definition. <br>
<div>I also checked my case with the outbound mapping for
associations set to strong. Nothing happens.</div>
<div>Some posts ago I could see that a weak
construction with associations was working for someone -
"LDAP Role not unassigned when validTo is reached". He
used mp4.6. Can it be the cause?</div>
<div><br>
</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 23 Feb 2023 at
23:12, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi again,
<div>I'm trying to apply the weak construction described
here</div>
<div><a href="https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions" target="_blank">https://docs.evolveum.com/midpoint/reference/roles-policies/assignment/configuration/#strong-and-weak-constructions</a></div>
<div>for AD computer objects. </div>
<div>I simply sync existing computer objects, linking
them with a user, and after that apply some policies
on them. The solution must work only with existing
objects. So, computer creation/deletion is
forbidden.</div>
<div><br>
</div>
<div>The first policy is to control a computer's DN -
this works fine.</div>
<div>The second is to add the computer to a group by
applying role+metarole to the user who owns this
computer.</div>
<div><br>
</div>
<div>I'm not sure how to arrange this. I wrote a weak
construction with an association but I can't see any
influence on computer membership. Could you help me
complete this task?</div>
<div><br>
</div>
<div>My meta-role computer's groups:<br>
<pre><role>
  <name>Meta IT Computer</name>
  <costCenter>managed</costCenter>
  <inducement>
    <construction>
      <strength>weak</strength>
      <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>computer</intent>
      <association>
        <ref>ri:group</ref>
        <outbound>
          <authoritative>true</authoritative>
          <expression>
            <associationFromLink>
              <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
                <kind>entitlement</kind>
                <intent>group</intent>
              </projectionDiscriminator>
            </associationFromLink>
          </expression>
        </outbound>
      </association>
    </construction>
    <order>2</order>
    <focusType>UserType</focusType>
  </inducement>
</role>
</pre>
<div><br>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre cols="72">--
Ivan Noris
Expert Identity Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
</div>
</blockquote></div>
</blockquote></div>
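The thread compares two metaroles that both put an association inside a weak construction: Ivan's outbound mapping declares an explicit strength and a source, Yakov's declares neither. The script below is an added example, not code from the thread's authors or from the midPoint project; it parses both fragments as quoted above (reduced, and with an assumed xmlns:xsi declaration added to Yakov's so that its xsi:type attribute parses) and reports, for every construction, its own strength and what each association's outbound mapping declares. It makes no claim about which setting causes the behaviour Yakov saw; it only makes the structural difference between the two configurations visible without reading the XML by hand.

```python
"""Inspect midPoint role XML: which constructions are weak, and what their association
outbound mappings declare.  Added example, not code from the thread or from midPoint."""
import xml.etree.ElementTree as ET

COMMON_NS = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"

# Reduced from Ivan's metarole (namespaced role, strong outbound with a source).
IVAN_ROLE = f"""<role xmlns="{COMMON_NS}" xmlns:c="{COMMON_NS}"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
  <name>LDAP Org Group Metarole</name>
  <inducement>
    <construction>
      <resourceRef oid="3961ffc8-2209-11e8-8018-7738b0ea3fa2" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
        <ref>ri:ldapOrgGroup</ref>
        <outbound>
          <strength>strong</strength>
          <source><path>$focusAssignment/targetRef</path></source>
          <expression><associationFromLink><projectionDiscriminator>
            <kind>entitlement</kind><intent>ldapOrgGroup</intent>
          </projectionDiscriminator></associationFromLink></expression>
        </outbound>
      </association>
      <strength>weak</strength>
    </construction>
  </inducement>
</role>"""

# Reduced from Yakov's "Meta IT Computer" metarole.  The xmlns:xsi declaration is an
# assumption added so that the xsi:type attribute parses; his fragment omits it.
YAKOV_ROLE = """<role xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>Meta IT Computer</name>
  <inducement>
    <construction>
      <strength>weak</strength>
      <resourceRef oid="746ecf5e-3e8c-11e6-b2f9-3c970e44b9e2" relation="org:default" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>computer</intent>
      <association>
        <ref>ri:group</ref>
        <outbound>
          <authoritative>true</authoritative>
          <expression><associationFromLink>
            <projectionDiscriminator xsi:type="c:ShadowDiscriminatorType">
              <kind>entitlement</kind><intent>group</intent>
            </projectionDiscriminator>
          </associationFromLink></expression>
        </outbound>
      </association>
    </construction>
  </inducement>
</role>"""


def local(tag):
    """ElementTree writes tags as '{namespace}name'; comparing on the local name lets a
    namespaced role (Ivan's) and a bare one (Yakov's) be handled alike."""
    return tag.rsplit("}", 1)[-1]

def child(elem, name):
    """First direct child with that local name, or None (elem may itself be None)."""
    return next((c for c in elem if local(c.tag) == name), None) if elem is not None else None

def child_text(elem, name):
    c = child(elem, name)
    return (c.text or "").strip() if c is not None else None

def describe_constructions(xml_text):
    """One dict per <construction>: its own strength (None when not declared, in which
    case midPoint applies its default) and each association's outbound settings."""
    out = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "construction":
            continue
        entry = {"kind": child_text(elem, "kind"), "intent": child_text(elem, "intent"),
                 "strength": child_text(elem, "strength"),  # direct child only, not the mapping's
                 "associations": []}
        for assoc in (c for c in elem if local(c.tag) == "association"):
            outbound = child(assoc, "outbound")
            entry["associations"].append({
                "ref": child_text(assoc, "ref"),
                "outbound_strength": child_text(outbound, "strength"),
                "has_source": child(outbound, "source") is not None})
        out.append(entry)
    return out

def lint(xml_text):
    """Flag associations inside weak constructions whose outbound mapping declares no
    strength or no source; this is the structural difference between the two roles."""
    notes = []
    for c in describe_constructions(xml_text):
        if c["strength"] != "weak":
            continue
        for a in c["associations"]:
            missing = [n for n, ok in (("strength", a["outbound_strength"]),
                                       ("source", a["has_source"])) if not ok]
            if missing:
                notes.append(f"weak construction {c['kind']}/{c['intent']}: association "
                             f"{a['ref']} outbound declares no {' and no '.join(missing)}")
    return notes

if __name__ == "__main__":
    for label, xml_text in (("Ivan", IVAN_ROLE), ("Yakov", YAKOV_ROLE)):
        print(label, describe_constructions(xml_text))
        print(label, lint(xml_text) or "no findings")
```

Run it against a full role export (replace the embedded strings with the file contents) to list every construction's declared strength alongside its association mappings; constructions with no direct `strength` child are reported as `None` rather than guessed, so the default midPoint applies is left to the documentation linked in the thread.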