Uploaded image for project: 'MidPoint'
  1. MidPoint
  2. MID-4948

inbound association - can not delete assignment in midpoint

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.7.3
    • Fix Version/s: 3.9, 3.7.3, 3.8.1
    • Component/s: None
    • Labels:
      None
    • Subscription:
      Active subscription

      Description

      When i remove assignment from user via gui preview shows that assignment and association should be deleted. When i save the operation association on end system is deleted but assignemnt still stays on the user.
      When there is no inbound in association, assignment removal works ok.

      I have following configuration:
      on metarole:
      <inducement id="2">
      <construction>
      <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
      <c:ref>ri:group</c:ref>
      <outbound>
      <strength>strong</strength>
      <tolerant>true</tolerant>
      <authoritative>true</authoritative>
      <expression>
      <associationFromLink>
      <projectionDiscriminator>
      <kind>entitlement</kind>
      <intent>group</intent>
      </projectionDiscriminator>
      </associationFromLink>
      </expression>
      </outbound>
      </association>
      </construction>
      <order>2</order>
      <focusType>UserType</focusType>
      </inducement>

      on resource:
      <association>
      <c:ref>ri:group</c:ref>
      <displayName>AD Group Membership</displayName>
      <inbound>
      <strength>normal</strength>
      <tolerant>false</tolerant>
      <authoritative>true</authoritative>
      <expression>
      <assignmentTargetSearch>
      <targetType>RoleType</targetType>
      <filter>
      <q:equal>
      <q:path>extension/ADpath</q:path>
      <expression>
      <trace>true</trace>
      <script>
      <code>
      log.info("inbound association entitlement?.getName(): " + entitlement?.getName());
      return entitlement?.getName();
      </code>
      </script>
      </expression>
      </q:equal>
      </filter>
      </assignmentTargetSearch>
      </expression>
      <target>
      <path>assignment</path>
      <set>
      <condition>
      <script>
      <code>
      import com.evolveum.midpoint.schema.constants.*
      import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
      import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
      import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
      import com.evolveum.midpoint.util.exception.ObjectNotFoundException;

      log.info("checking role oid: " + assignment?.getTargetRef()?.getOid());
      metaroleToCheckOid = "AD-group-meta-role";
      assignmentsToCheck = new ArrayList<AssignmentType>();
      assignmentsToCheck.add(assignment);
      hasMetarole = false;
      for(AssignmentType assignmentCandidate in assignmentsToCheck){
      if(assignmentCandidate.getTargetRef()?.getType()?.getLocalPart() == "RoleType" && assignmentCandidate.getTargetRef()?.getOid() != null){
      //najit roli
      RoleType checkedRole = null;
      try

      { checkedRole = midpoint.getObject(RoleType.class, assignmentCandidate.getTargetRef()?.getOid()); //TODO lze optimalizovat pres assignment.target pokud neni null jinak vyhledani viz o radek vyse. }

      catch(ObjectNotFoundException ex)

      { //Nenalezeno? Nevadi jedeme dal. }


      if(checkedRole != null){
      //projit jeji assignmenty jestli nema metaroli
      //log.info("checking role name: " + checkedRole.getName());
      for(AssignmentType metaAssigCand : checkedRole.assignment){
      if(metaAssigCand.getTargetRef()?.getType()?.getLocalPart() == "RoleType" && metaAssigCand.getTargetRef()?.getOid() == metaroleToCheckOid)

      { hasMetarole = true; break; }

      }
      }
      if(hasMetarole)

      { break; }

      }
      }

      log.info("role has metarole: " + hasMetarole);
      return hasMetarole;
      </code>
      </script>
      </condition>
      </set>
      </target>
      </inbound>
      <kind>entitlement</kind>
      <intent>group</intent>
      <direction>objectToSubject</direction>
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute>
      <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
      <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
      <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
      </association>

        Attachments

        1. 01manualladd.png
          01manualladd.png
          87 kB
        2. 02assoc.png
          02assoc.png
          19 kB
        3. 03assignments.png
          03assignments.png
          85 kB
        4. 04manualAssign.png
          04manualAssign.png
          44 kB
        5. 05manualRemove.png
          05manualRemove.png
          74 kB
        6. 06heisBack.png
          06heisBack.png
          86 kB
        7. 07BrokenAdd.png
          07BrokenAdd.png
          48 kB
        8. 08assocRemovedOk.png
          08assocRemovedOk.png
          16 kB
        9. liveDemo-LDAP-resource.xml
          93 kB

          Activity

            People

            Assignee:
            oskar.butovic@ami.cz Oskar Butovič
            Reporter:
            oskar.butovic@ami.cz Oskar Butovič
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: