<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi,</p>
<p><br>
</p>
<p>how do you need to use the orgRef information in the induced
application roles?</p>
<p><br>
</p>
<p><br>
</p>
<p>In one of my previous projects, I was using the following
principle:</p>
<p><br>
</p>
<p>1. users has Business roles assigned with orgRef. Example:
business role: "Municipality-related services" and orgRef referred
to the municipality modelled as OrgType in midPoint</p>
<p><br>
</p>
<p>2. the business roles had inducements to application roles.
Example: business role "Municipality-related services" induced
"E-mail service" role</p>
<p><br>
</p>
<p>3. the "E-mail service" role can access the orgRef from the first
assignment in the row, i.e. from User to business role, by using
the following path expression: $assignment/orgRef and I was using
midpoint.getOrgByOid(orgRef.oid) to access the OrgType if needed</p>
<p><br>
</p>
<p>In my specific case, I needed to take organization's name</p>
<p><br>
</p>
<p>In my case, orgRef was set only in the first (direct) assignment.</p>
<p><br>
</p>
<p>If you are interested into _prehistoric_ midPoint era (2014)
example in more detail, such application roles were described in
the following blog entry:
<a class="moz-txt-link-freetext" href="https://evolveum.com/working-multi-tenant-roles/">https://evolveum.com/working-multi-tenant-roles/</a> (I used
"tenantRef" instead of "orgRef", but it would work with orgRef in
the same way).</p>
<p><br>
</p>
<p>I hope this can help.</p>
<p><br>
</p>
<p>Best regards,</p>
<p>Ivan</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 4/28/26 13:40, Pilar von Pilchau
Wenzel - AKDB via midPoint wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DB8P193MB05339BFEDE9AA061FBEE8E8F83372@DB8P193MB0533.EURP193.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Hi,</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
I have a question about parametric inducements.</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
What I have understood so far from reading the docs:</div>
<ol start="1"
data-editing-info="{"applyListStyleFromLevel":false,"orderedStyleType":1}"
style="margin-top: 0px; margin-bottom: 0px; list-style-type: decimal;">
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); margin-top: 0px; margin-bottom: 0px;">
<div class="elementToProof" role="presentation">Application
roles are the lowest level of roles and define access to an
application</div>
</li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); margin-top: 0px; margin-bottom: 0px;">
<div class="elementToProof" role="presentation">If possible,
application roles should not be assigned directly to a user</div>
</li>
<li
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0); margin-top: 0px; margin-bottom: 0px;">
<div class="elementToProof" role="presentation">The hierarchy
shoud be business role -> application role (via
inducement)</div>
</li>
</ol>
<div
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
I want to define an application role with an orgRef. I have a
business role that I assign to a user with an orgRef which I can
set when I do the assignment. Now I want to add an inducement of
the application role that takes the orgRef from the business
role assignment.</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Unfortunately, I could not find a way to set the orgRef from the
inducement dynamically. It worked when I set it manually. The
only solution that I found so far was using a focus mapping and
create an assignment of the application role to the user with
the orgRef taken from the business role assignment. But then I
have an assignment of the application role on the user, which is
what I should avoid.</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
So my question is, am I even on the right track? And if so, is
there a way to parametrize the inducement dynamically?</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
I am still at my first steps with midpoint and happy for any
suggestions.</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Best regards</div>
<div class="elementToProof"
style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<table cellspacing="0" cellpadding="0"
style="text-align: left; color: rgb(0, 0, 0); box-sizing: border-box; border-collapse: collapse; border-spacing: 0px;">
<tbody>
<tr>
<td
style="text-align: left; padding-right: 15px; vertical-align: top;">
<table cellspacing="0" cellpadding="0"
style="text-align: left; box-sizing: border-box; border-collapse: collapse; border-spacing: 0px;">
<tbody>
<tr>
<td
style="text-align: left; color: rgb(0, 57, 121);">
<div
style="text-align: left; font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt;">
<b>Dr. Wenzel Pilar von Pilchau</b></div>
</td>
</tr>
<tr>
<td
style="text-align: left; color: rgb(0, 57, 121);">
<div
style="text-align: left; font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt;">
Prozessanalyst<br>
Process Management & Digitalisation</div>
</td>
</tr>
<tr>
<td style="text-align: left; padding-top: 4px;"><span
style="font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><img
alt="Mobile" width="14" height="14"
style="width: 14px; height: 14px;"
data-outlook-trace="F:1|T:1"
src="cid:part1.d2MmtGHg.0yqp2SEd@evolveum.com" class="">
</span><span
style="font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt; color: rgb(0, 57, 121);">+49
162 2530060</span></td>
</tr>
<tr>
<td style="text-align: left; padding-top: 4px;"><span
style="font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><img
alt="Email" width="14" height="14"
style="width: 14px; height: 14px;"
data-outlook-trace="F:1|T:1"
src="cid:part2.7gVMfqf0.9dN8M9Vd@evolveum.com" class="">
</span><span
style="font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt; color: rgb(0, 57, 121);"><a
href="mailto:Pilar-von-Pilchau.Wenzel@akdb.de"
style="color: rgb(0, 57, 121); text-decoration: none;"
moz-do-not-send="true"
class="moz-txt-link-freetext">Pilar-von-Pilchau.Wenzel@akdb.de</a></span></td>
</tr>
<tr>
<td
style="text-align: left; padding-top: 8px; color: rgb(0, 57, 121);">
<div
style="text-align: left; font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt;">
<b>AKDB</b> · Anstalt des öffentlichen Rechts<br>
Hansastraße 12-16 · 80686 München<br>
<span style="color: rgb(0, 57, 121);"><a
href="https://www.akdb.de/"
style="color: rgb(0, 57, 121); text-decoration: none;"
moz-do-not-send="true">www.akdb.de</a></span></div>
</td>
</tr>
<tr>
<td style="text-align: left; padding-top: 8px;"><span
style="font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><img
alt="AKDB Logo" width="120"
style="width: 120px; height: auto;"
data-outlook-trace="F:1|T:1"
src="cid:part3.DxtcTGRV.0Q0m3tKe@evolveum.com" class=""></span></td>
</tr>
</tbody>
</table>
</td>
<td style="text-align: left; vertical-align: top;"><span
style="font-family: "Segoe UI", Tahoma, Geneva, Verdana, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><img
alt="Great Place to Work Certified" width="80"
style="width: 80px; height: auto;"
data-outlook-trace="F:1|T:1"
src="cid:part4.NuQjEO0f.G6xdgzEP@evolveum.com"
class=""></span></td>
</tr>
</tbody>
</table>
<div
style="font-family: Aptos; font-size: 11pt; color: rgb(0, 0, 0);"><br>
</div>
</div>
<br>
<fieldset class="moz-mime-attachment-header"></fieldset>
<pre wrap="" class="moz-quote-pre">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="https://lists.evolveum.com/mailman/listinfo/midpoint">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Ivan Noris
Expert Identity Engineer
evolveum.com
</pre>
</body>
</html>