----- Le 13 Déc 22, à 16:13, Francesco Chicchiriccò ilgro...@apache.org a écrit :
> On 09/12/22 15:52, Lionel SCHWARZ wrote: >> Dear all, >> >> Could someone explain me how dynRoles works? because I found something >> strange >> and am not sure if I missed sthg or not... >> >> I have created a role with "dynMembershipCond" based on users having a >> certain >> relationship. This works fine as after creating the role, all users that have >> this relationship got the role in "dynRoles". >> >> However, when I then create a new user with such a relationship, it does not >> get >> the the role (and if I then update the role, the new user gets it!) >> >> Is there anything more I need to do at creation, or something I >> misconfigured? > > Hi Lionel, > dynamic (group or role) membership is a weird feature, as it basically saves > the > results of a user query (e.g. the dynamic membership condition) every time > that > either the group / role or user are saved. > Unfortunately, it has proven to perform decently only with small numbers. > > Every time a user gets saved, all existing Roles with dynamic conditions are > considered to see if the user is matching so that the saved query results are > updated. > Similarly, when groups or roles with dynamic conditions are saved, a query for > all users matching the condition is run, again to update the saved query > results. > > The case you are describing above might be possibly not working because of the > condition based on a "dependent" element as a relationship, so the matching > process is failing in first place (e.g. when the user is created) but is > succeeding later (e.g. when the role is updated). > > You might want to try using a different condition, based on a user attribute, > to > see if that works for new users as well. Thanks Francesco for your answer. What do you mean by "small numbers"? Should I forget about dynamic roles for a database of 5K users for example? Lionel
smime.p7s
Description: S/MIME Cryptographic Signature
