Uploaded image for project: 'MidPoint'
  1. MidPoint
  2. MID-4948

inbound association - can not delete assignment in midpoint

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.7.3
    • Fix Version/s: 3.9, 3.7.3, 3.8.1
    • Component/s: None
    • Labels:
      None
    • Subscription:
      Active subscription

      Description

      When i remove assignment from user via gui preview shows that assignment and association should be deleted. When i save the operation association on end system is deleted but assignemnt still stays on the user.
      When there is no inbound in association, assignment removal works ok.

      I have following configuration:
      on metarole:
      <inducement id="2">
      <construction>
      <resourceRef oid="AD-connector-resource" type="c:ResourceType"/>
      <kind>account</kind>
      <intent>default</intent>
      <association>
      <c:ref>ri:group</c:ref>
      <outbound>
      <strength>strong</strength>
      <tolerant>true</tolerant>
      <authoritative>true</authoritative>
      <expression>
      <associationFromLink>
      <projectionDiscriminator>
      <kind>entitlement</kind>
      <intent>group</intent>
      </projectionDiscriminator>
      </associationFromLink>
      </expression>
      </outbound>
      </association>
      </construction>
      <order>2</order>
      <focusType>UserType</focusType>
      </inducement>

      on resource:
      <association>
      <c:ref>ri:group</c:ref>
      <displayName>AD Group Membership</displayName>
      <inbound>
      <strength>normal</strength>
      <tolerant>false</tolerant>
      <authoritative>true</authoritative>
      <expression>
      <assignmentTargetSearch>
      <targetType>RoleType</targetType>
      <filter>
      <q:equal>
      <q:path>extension/ADpath</q:path>
      <expression>
      <trace>true</trace>
      <script>
      <code>
      log.info("inbound association entitlement?.getName(): " + entitlement?.getName());
      return entitlement?.getName();
      </code>
      </script>
      </expression>
      </q:equal>
      </filter>
      </assignmentTargetSearch>
      </expression>
      <target>
      <path>assignment</path>
      <set>
      <condition>
      <script>
      <code>
      import com.evolveum.midpoint.schema.constants.*
      import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
      import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
      import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
      import com.evolveum.midpoint.util.exception.ObjectNotFoundException;

      log.info("checking role oid: " + assignment?.getTargetRef()?.getOid());
      metaroleToCheckOid = "AD-group-meta-role";
      assignmentsToCheck = new ArrayList<AssignmentType>();
      assignmentsToCheck.add(assignment);
      hasMetarole = false;
      for(AssignmentType assignmentCandidate in assignmentsToCheck){
      if(assignmentCandidate.getTargetRef()?.getType()?.getLocalPart() == "RoleType" && assignmentCandidate.getTargetRef()?.getOid() != null){
      //najit roli
      RoleType checkedRole = null;
      try

      { checkedRole = midpoint.getObject(RoleType.class, assignmentCandidate.getTargetRef()?.getOid()); //TODO lze optimalizovat pres assignment.target pokud neni null jinak vyhledani viz o radek vyse. }

      catch(ObjectNotFoundException ex)

      { //Nenalezeno? Nevadi jedeme dal. }


      if(checkedRole != null){
      //projit jeji assignmenty jestli nema metaroli
      //log.info("checking role name: " + checkedRole.getName());
      for(AssignmentType metaAssigCand : checkedRole.assignment){
      if(metaAssigCand.getTargetRef()?.getType()?.getLocalPart() == "RoleType" && metaAssigCand.getTargetRef()?.getOid() == metaroleToCheckOid)

      { hasMetarole = true; break; }

      }
      }
      if(hasMetarole)

      { break; }

      }
      }

      log.info("role has metarole: " + hasMetarole);
      return hasMetarole;
      </code>
      </script>
      </condition>
      </set>
      </target>
      </inbound>
      <kind>entitlement</kind>
      <intent>group</intent>
      <direction>objectToSubject</direction>
      <associationAttribute>ri:member</associationAttribute>
      <valueAttribute>ri:dn</valueAttribute>
      <shortcutAssociationAttribute>ri:memberOf</shortcutAssociationAttribute>
      <shortcutValueAttribute>ri:dn</shortcutValueAttribute>
      <explicitReferentialIntegrity>false</explicitReferentialIntegrity>
      </association>

        Attachments

        1. 01manualladd.png
          87 kB
          Oskar Butovič
        2. 02assoc.png
          19 kB
          Oskar Butovič
        3. 03assignments.png
          85 kB
          Oskar Butovič
        4. 04manualAssign.png
          44 kB
          Oskar Butovič
        5. 05manualRemove.png
          74 kB
          Oskar Butovič
        6. 06heisBack.png
          86 kB
          Oskar Butovič
        7. 07BrokenAdd.png
          48 kB
          Oskar Butovič
        8. 08assocRemovedOk.png
          16 kB
          Oskar Butovič
        9. liveDemo-LDAP-resource.xml
          93 kB
          Oskar Butovič

          Activity

            People

            Assignee:
            oskar.butovic@ami.cz Oskar Butovič
            Reporter:
            oskar.butovic@ami.cz Oskar Butovič
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: