Hi Francesco,

On Fri, Apr 19, 2013 at 8:27 AM, Francesco Chicchiriccò <[email protected]> wrote:
> On 18/04/2013 20:12, Martin van Es wrote:
>
> On Tue, Apr 16, 2013 at 2:37 PM, Francesco Chicchiriccò <
> [email protected]> wrote:
>
>> On 16/04/2013 14:26, Martin van Es wrote:
>>
>>> I was wondering if it's possible to automatically provision certain
>>> resource for one account based on a condition (attribute) set in the source
>>> resource.
>>>
>>> Hi Martin,
>> I've understood that you want to assign upon synchronization role A, B or
>> C to users from a CSVDir resource where A has assigned a LDAP resource, B a
>> DB resource and C both. Is this correct?
>>
>> If so, you need to define a SyncJobActionsClass [1] or SyncActionsClass
>> [2] (depending on the Syncope version you are running) and implement the
>> logic "assign role A, B or C to synchronizing user" in the before() method.
>>
>>
> I was googling on syncope role membership and found this snippet on [1]
>
>
> The possible implementations could be:
>
> 1. I could ignore role/membership attribute mappings during synchronization
>
> (this is
> the current implementation ---> no issue to open)
>
> 2. I can try to synchronize these information also:
>
> a. Role attribute mappings could be used to assign syncope roles
>
> dynamically during
> synchronization
>
> Example, again: let's suppose we are synchronizing an LDAP user user1
> with memberOf "cn=B,ou=groups,dc=tirasa,dc=net"; in this case Syncope
> will try to assign role B (i.e. Syncope role with same value of
> "membershipsOnLDAP") to Syncope user matching user1 on LDAP.
>
> This would match my question for conditional resources. Since you
> participated in this thread and it's more than a year old, can you tell me
> what the status of implementation 2 is? Is it completely off radar?
>
>
> Basically, with LDAP and Active Directory connectors, you can actually
> propagate / synchronize memberships from / to Syncope by empowering two
> specific action classes (LDAPMembershipPropagationActions and
> LDAPMembershipSyncActions), and a good schema mapping that will include
> both user and role mapping.
>
>

This is not what I mean, the part of the thread I'm referring to is the example: By being member of "cn=B,ou=groups,dc=tirasa,dc=net", Syncope would try to assign role B to syncope user, based on the match in the role attribute membershipsOnLDAP.

If this was implemented (and extended to a role attribute value in the synchronisation source e.g.) I would have a way of conditionally provision resources to users (by mapping resources to the matched role).

I see your objections further in the discussion that it would be a very complicated logistic process managing all requirements of mandatory attributes following the role assignment, but in the simple case it would be a very handy way of conditionally propagating users to resources (not memberships on resources).

Best regards.
Martin
