Re: role with "dynMembershipCond"
On 13/12/22 16:55, Lionel SCHWARZ wrote: - Le 13 Déc 22, à 16:13, Francesco Chicchiriccò ilgro...@apache.org a écrit : On 09/12/22 15:52, Lionel SCHWARZ wrote: Dear all, Could someone explain me how dynRoles works? because I found something strange and am not sure if I missed sthg or not... I have created a role with "dynMembershipCond" based on users having a certain relationship. This works fine as after creating the role, all users that have this relationship got the role in "dynRoles". However, when I then create a new user with such a relationship, it does not get the the role (and if I then update the role, the new user gets it!) Is there anything more I need to do at creation, or something I misconfigured? Hi Lionel, dynamic (group or role) membership is a weird feature, as it basically saves the results of a user query (e.g. the dynamic membership condition) every time that either the group / role or user are saved. Unfortunately, it has proven to perform decently only with small numbers. Every time a user gets saved, all existing Roles with dynamic conditions are considered to see if the user is matching so that the saved query results are updated. Similarly, when groups or roles with dynamic conditions are saved, a query for all users matching the condition is run, again to update the saved query results. The case you are describing above might be possibly not working because of the condition based on a "dependent" element as a relationship, so the matching process is failing in first place (e.g. when the user is created) but is succeeding later (e.g. when the role is updated). You might want to try using a different condition, based on a user attribute, to see if that works for new users as well. Thanks Francesco for your answer. What do you mean by "small numbers"? Should I forget about dynamic roles for a database of 5K users for example? The number that counts much in your case is the number of roles with dynamic membership condition. I'd suggest anyway to execute some performance tests to understand if the feature is actually fit for your use case. Regards. -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
Re: role with "dynMembershipCond"
- Le 13 Déc 22, à 16:13, Francesco Chicchiriccò ilgro...@apache.org a écrit : > On 09/12/22 15:52, Lionel SCHWARZ wrote: >> Dear all, >> >> Could someone explain me how dynRoles works? because I found something >> strange >> and am not sure if I missed sthg or not... >> >> I have created a role with "dynMembershipCond" based on users having a >> certain >> relationship. This works fine as after creating the role, all users that have >> this relationship got the role in "dynRoles". >> >> However, when I then create a new user with such a relationship, it does not >> get >> the the role (and if I then update the role, the new user gets it!) >> >> Is there anything more I need to do at creation, or something I >> misconfigured? > > Hi Lionel, > dynamic (group or role) membership is a weird feature, as it basically saves > the > results of a user query (e.g. the dynamic membership condition) every time > that > either the group / role or user are saved. > Unfortunately, it has proven to perform decently only with small numbers. > > Every time a user gets saved, all existing Roles with dynamic conditions are > considered to see if the user is matching so that the saved query results are > updated. > Similarly, when groups or roles with dynamic conditions are saved, a query for > all users matching the condition is run, again to update the saved query > results. > > The case you are describing above might be possibly not working because of the > condition based on a "dependent" element as a relationship, so the matching > process is failing in first place (e.g. when the user is created) but is > succeeding later (e.g. when the role is updated). > > You might want to try using a different condition, based on a user attribute, > to > see if that works for new users as well. Thanks Francesco for your answer. What do you mean by "small numbers"? Should I forget about dynamic roles for a database of 5K users for example? Lionel smime.p7s Description: S/MIME Cryptographic Signature
Re: role with "dynMembershipCond"
On 09/12/22 15:52, Lionel SCHWARZ wrote: Dear all, Could someone explain me how dynRoles works? because I found something strange and am not sure if I missed sthg or not... I have created a role with "dynMembershipCond" based on users having a certain relationship. This works fine as after creating the role, all users that have this relationship got the role in "dynRoles". However, when I then create a new user with such a relationship, it does not get the the role (and if I then update the role, the new user gets it!) Is there anything more I need to do at creation, or something I misconfigured? Hi Lionel, dynamic (group or role) membership is a weird feature, as it basically saves the results of a user query (e.g. the dynamic membership condition) every time that either the group / role or user are saved. Unfortunately, it has proven to perform decently only with small numbers. Every time a user gets saved, all existing Roles with dynamic conditions are considered to see if the user is matching so that the saved query results are updated. Similarly, when groups or roles with dynamic conditions are saved, a query for all users matching the condition is run, again to update the saved query results. The case you are describing above might be possibly not working because of the condition based on a "dependent" element as a relationship, so the matching process is failing in first place (e.g. when the user is created) but is succeeding later (e.g. when the role is updated). You might want to try using a different condition, based on a user attribute, to see if that works for new users as well. Regards. -- Francesco Chicchiriccò Tirasa - Open Source Excellence http://www.tirasa.net/ Member at The Apache Software Foundation Syncope, Cocoon, Olingo, CXF, OpenJPA, PonyMail http://home.apache.org/~ilgrosso/
role with "dynMembershipCond"
Dear all, Could someone explain me how dynRoles works? because I found something strange and am not sure if I missed sthg or not... I have created a role with "dynMembershipCond" based on users having a certain relationship. This works fine as after creating the role, all users that have this relationship got the role in "dynRoles". However, when I then create a new user with such a relationship, it does not get the the role (and if I then update the role, the new user gets it!) Is there anything more I need to do at creation, or something I misconfigured? Cheers Lionel smime.p7s Description: S/MIME Cryptographic Signature
