/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright 2015 ForgeRock AS. All rights reserved.
 *
 * The contents of this file are subject to the terms
 * of the Common Development and Distribution License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License at
 * http://forgerock.org/license/CDDLv1.0.html
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL
 * Header Notice in each file and include the License file
 * at http://forgerock.org/license/CDDLv1.0.html
 * If applicable, add the following below the CDDL Header,
 * with the fields enclosed by brackets [] replaced by
 * your own identifying information:
 * "Portions Copyrighted [year] [name of copyright owner]"
 */

Roles Sample: Roles and Provisioning
=====================================

One of the most useful features of OpenIDM roles is the ability to provision a set of attributes to an external system
based on role membership.

Let's take a concrete example and continue with the Employee and Contractor roles from the _crudops_ sample. This
example also builds on _sample2b_ to provision user entries from Managed User to OpenDJ.

As an employee of the company, a worker should be added to two groups in OpenDJ (presumably to get access to some
internal applications): the Employees group and the Chat Users group. A contractor, on the other hand, should be added
to the Contractors group only. We also want the type of employee to be set correctly in OpenDJ, based on the role
allocated to each user.

Prerequisites: we assume that you are familiar with _sample2b_ and have installed and configured OpenDJ according to
the instructions in that sample. We also assume that you have reconciled the entries as explained in sections 2 and 4
of that sample, but against this sample's configuration rather than sample2b's.

Note: the Example.ldif provided with this sample must be loaded into OpenDJ, if that wasn't done previously:

    $ opendj/bin/ldapmodify -a -c --bindDN "cn=Directory Manager" --bindPassword password --hostname localhost --port 1389 --filename openidm/samples/roles/provrole/data/Example.ldif

To run this sample, use the following command:

    $ ./startup.sh -p samples/roles/provrole
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
Then create the Employee and Contractor roles, as you learned in the previous (crudops) sample. You can use the Admin
UI or the REST interface to do this.

When you have created the roles, reconcile the managed user repository with the external system (OpenDJ). The easiest
way to do this is by using the Admin UI. From the Dashboard, click Select a Mapping. Click on the first mapping
(System/Ldap/Account --> Managed User) and click Reconcile Now. This populates the managed user repository with the
entries in OpenDJ.

This sample provides all the information you need to cover the following use cases:

* Update a role with an assignment (sometimes called an entitlement)
* Assign a role to a user and observe the assignments for that user
* Specify how assignments will be propagated to an external system (OpenDJ)
* Deallocate a role from a user and observe how the assignments are withdrawn from the external system


1. Update the Employee role to add the correct groups and employee type
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
Let's take a look at the roles we created in the _crudops_ sample first:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/managed/role?_queryFilter=true&_prettyPrint=true'

    {
      "result": [
        {
          "_id": "Employee",
          "_rev": "1",
          "name": "Employee",
          "description": "Role assigned to workers on the payroll."
        },
        {
          "_id": "Contractor",
          "_rev": "1",
          "name": "Contractor",
          "description": "Role assigned to contract workers."
        }
      ],
      "resultCount": 2,
      "pagedResultsCookie": null,
      "totalPagedResultsPolicy": "NONE",
      "totalPagedResults": -1,
      "remainingPagedResults": -1
    }

Now, according to our company's policy, we need to make sure that every employee has the correct _employeeType_
attribute in OpenDJ (the corporate directory).
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
This is achieved in several steps. The first is to create a new managed assignment:

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request POST \
    --data '{
      "name" : "Employee",
      "description": "Assignment for employees.",
      "mapping" : "managedUser_systemLdapAccounts",
      "attributes": [
        {
          "name": "employeeType",
          "value": "Employee",
          "assignmentOperation" : "mergeWithTarget",
          "unassignmentOperation" : "removeFromTarget"
        }
      ]
    }' \
    'https://localhost:8443/openidm/managed/assignment?_action=create&_prettyPrint=true'

    {
      "_id": "5d6dda22-20f2-491f-a9c1-6c3cffb2460e",
      "_rev": "1",
      "name": "Employee",
      "description": "Assignment for employees.",
      "mapping": "managedUser_systemLdapAccounts",
      "attributes": [
        {
          "name": "employeeType",
          "value": "Employee",
          "assignmentOperation": "mergeWithTarget",
          "unassignmentOperation": "removeFromTarget"
        }
      ]
    }

The next step is to add the assignment to the Employee role. Since we already have that role, we just patch that
entry, referencing the assignment by the _id returned above:

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-Match: *" \
    --request PATCH \
    --data '[
      {
        "operation" : "add",
        "field" : "/assignments/-",
        "value" : { "_ref": "managed/assignment/5d6dda22-20f2-491f-a9c1-6c3cffb2460e" }
      }
    ]' \
    'https://localhost:8443/openidm/managed/role/Employee'

    {
      "_id": "Employee",
      "_rev": "2",
      "name": "Employee",
      "description": "Role assigned to workers on the payroll."
    }
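The two steps above chain on the assignment's `_id`, and the PATCH uses `If-Match: *`, which skips OpenIDM's optimistic locking: whoever writes last wins. The following Python script is an added example, not code from the OpenIDM sample. It captures the `_id` from the create response instead of pasting it, reads the object's `_rev` before each PATCH and sends that revision as the `If-Match` precondition, so a concurrent change to the same role (or user) makes the request fail rather than being overwritten, and it reuses the same relationship helper to grant the role to a user, which is the next step of this sample. It assumes the endpoint, admin credentials and self-signed certificate the README uses; the network calls run only from `main()`, while the payload builders and the response parser work offline.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Assumed endpoint and credentials: the ones this README uses (not part of the original page).
BASE_URL = "https://localhost:8443/openidm"
ADMIN_USER = "openidm-admin"
ADMIN_PASSWORD = "openidm-admin"


def build_assignment(name, description, mapping, attributes):
    """Body for POST managed/assignment?_action=create, in the shape the README shows.

    `attributes` is a list of (name, value) pairs; each one is merged into the target
    on assignment and removed from it on unassignment.
    """
    return {
        "name": name,
        "description": description,
        "mapping": mapping,
        "attributes": [
            {
                "name": attr_name,
                "value": attr_value,
                "assignmentOperation": "mergeWithTarget",
                "unassignmentOperation": "removeFromTarget",
            }
            for attr_name, attr_value in attributes
        ],
    }


def build_relationship_patch(field, ref):
    """JSON Patch that appends one relationship reference, e.g. to /assignments or /roles."""
    return [{"operation": "add", "field": f"/{field}/-", "value": {"_ref": ref}}]


def parse_id_and_rev(response_body):
    """Pull _id and _rev out of a create, read or single-match query response."""
    doc = json.loads(response_body)
    if "result" in doc:  # query response: insist on exactly one match
        if len(doc["result"]) != 1:
            raise ValueError(f"expected exactly one match, got {len(doc['result'])}")
        doc = doc["result"][0]
    return doc["_id"], doc["_rev"]


def user_query_path(user_name):
    """Query that resolves a userName to its _id and _rev (the README's query, URL-encoded)."""
    query = urllib.parse.quote(f'/userName eq "{user_name}"')
    return f"managed/user?_queryFilter={query}&_fields=_id,_rev"


def openidm_request(method, path, body=None, rev=None):
    """Send one authenticated request; `rev` becomes the If-Match precondition."""
    headers = {"X-OpenIDM-Username": ADMIN_USER, "X-OpenIDM-Password": ADMIN_PASSWORD}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode("utf-8")
    if rev is not None:
        headers["If-Match"] = f'"{rev}"'  # ETag syntax; OpenIDM compares it with the object's _rev
    request = urllib.request.Request(f"{BASE_URL}/{path}", data=data, method=method, headers=headers)
    # The sample ships a self-signed certificate (hence --insecure in the README); skipping
    # verification is acceptable only against this local sample.
    context = ssl._create_unverified_context()
    with urllib.request.urlopen(request, context=context) as response:
        return response.read().decode("utf-8")


def main():
    # 1. Create the assignment and take its id from the response instead of pasting it.
    created = openidm_request(
        "POST", "managed/assignment?_action=create",
        build_assignment("Employee", "Assignment for employees.",
                         "managedUser_systemLdapAccounts", [("employeeType", "Employee")]))
    assignment_id, _ = parse_id_and_rev(created)

    # 2. Read the role first so the PATCH carries the revision we actually saw.
    _, role_rev = parse_id_and_rev(openidm_request("GET", "managed/role/Employee"))
    openidm_request("PATCH", "managed/role/Employee",
                    build_relationship_patch("assignments", f"managed/assignment/{assignment_id}"),
                    rev=role_rev)

    # 3. Same pattern to grant the role to a user (step 2 of this sample).
    user_id, user_rev = parse_id_and_rev(openidm_request("GET", user_query_path("bjensen")))
    openidm_request("PATCH", f"managed/user/{user_id}",
                    build_relationship_patch("roles", "managed/role/Employee"), rev=user_rev)
    print(f"assignment {assignment_id} linked to role Employee and granted to user {user_id}")


if __name__ == "__main__":
    main()
```

Run it after starting the sample; it needs only the Python standard library. Because the `If-Match` value is the revision you read, a 412 Precondition Failed response tells you that someone else changed the role or user between your read and your write, which is exactly the case you want to notice for objects that control entitlements.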
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle
2. Allocate the Employee role to bjensen

In order to fully leverage _sample2b_ we will use Barbara Jensen as the employee. Let's take a look at the roles we
should have right now:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/managed/role?_queryFilter=true&_prettyPrint=true'

    {
      "result": [
        {
          "_id": "Employee",
          "_rev": "2",
          "name": "Employee",
          "description": "Role assigned to workers on the payroll."
        },
        {
          "_id": "Contractor",
          "_rev": "1",
          "name": "Contractor",
          "description": "Role assigned to contract workers."
        }
      ],
      "resultCount": 2,
      "pagedResultsCookie": null,
      "totalPagedResultsPolicy": "NONE",
      "totalPagedResults": -1,
      "remainingPagedResults": -1
    }

When you have both roles listed, you just need to assign the Employee role to bjensen. But first you need to find out
what the identifier is for bjensen's entry:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"bjensen"&_fields=_id&_prettyPrint=true'

    {
      "result" : [ {
        "_id" : "8ff9639f-2a89-48a2-a0fd-9df4d5297eeb"
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

Therefore you can assign the Employee role by using:

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-Match: *" \
    --request PATCH \
    --data '[
      {
        "operation" : "add",
        "field" : "/roles/-",
        "value" : { "_ref": "managed/role/Employee" }
      }
    ]' \
    'https://localhost:8443/openidm/managed/user/8ff9639f-2a89-48a2-a0fd-9df4d5297eeb'

    {
      "_id": "8ff9639f-2a89-48a2-a0fd-9df4d5297eeb",
      "_rev": "2",
      "displayName": "Barbara Jensen",
      "description": "Created for OpenIDM",
      "givenName": "Barbara",
      "mail": "bjensen@example.com",
      "telephoneNumber": "1-360-229-7105",
      "sn": "Jensen",
      "userName": "bjensen",
      "accountStatus": "active",
      "effectiveRoles": [
        {
          "_ref": "managed/role/Employee"
        }
      ],
      "effectiveAssignments": [
        {
          "name": "Employee",
          "description": "Assignment for employees.",
          "mapping": "managedUser_systemLdapAccounts",
          "attributes": [
            {
              "name": "employeeType",
              "value": "Employee",
              "assignmentOperation": "mergeWithTarget",
              "unassignmentOperation": "removeFromTarget"
            }
          ],
          "_id": "5d6dda22-20f2-491f-a9c1-6c3cffb2460e",
          "_rev": "1"
        }
      ],
      "roles": [
        {
          "_ref": "managed/role/Employee",
          "_refProperties": {
            "_id": "06b5b119-e450-4ee7-9559-d3d2a0cdf76f",
            "_rev": "1"
          }
        }
      ]
    }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
Let's take a closer look at bjensen's entry for what we're really interested in, i.e. the roles, effective roles and
effective assignments:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"bjensen"&_fields=_id,userName,roles,effectiveRoles,effectiveAssignments&_prettyPrint=true'

    {
      "result" : [ {
        "_id" : "8ff9639f-2a89-48a2-a0fd-9df4d5297eeb",
        "userName" : "bjensen",
        "roles" : [ {
          "_ref" : "managed/role/Employee",
          "_refProperties" : {
            "_id" : "06b5b119-e450-4ee7-9559-d3d2a0cdf76f",
            "_rev" : "1"
          }
        } ],
        "effectiveRoles" : [ {
          "_ref" : "managed/role/Employee"
        } ],
        "effectiveAssignments" : [ {
          "name" : "Employee",
          "description" : "Assignment for employees.",
          "mapping" : "managedUser_systemLdapAccounts",
          "attributes" : [ {
            "name" : "employeeType",
            "value" : "Employee",
            "assignmentOperation" : "mergeWithTarget",
            "unassignmentOperation" : "removeFromTarget"
          } ],
          "_id" : "5d6dda22-20f2-491f-a9c1-6c3cffb2460e",
          "_rev" : "1"
        } ]
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "totalPagedResultsPolicy" : "NONE",
      "totalPagedResults" : -1,
      "remainingPagedResults" : -1
    }

We can now clearly see the effect of the assignment we attached to the role. _roles_ holds the roles granted directly to
the user; _effectiveRoles_ and _effectiveAssignments_ are calculated properties: the first is derived from _roles_, the
second from the effective roles and the assignments attached to them, and it lists the set of assignments (or
entitlements) that pertain to the user, together with the mapping through which each one is pushed out. Currently this
only lists the _employeeType_ attribute.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3. Pushing assignments out to OpenDJ (external system)

Granting the role changed bjensen's managed user entry, and that change is pushed to OpenDJ by implicit synchronization
through the managedUser_systemLdapAccounts mapping, the same mapping the assignment names. If you take a look at
bjensen directly in the directory you should see the _employeeType_ attribute populated properly:

    $ ldapsearch -p 1389 -h localhost -b "dc=example,dc=com" -D "cn=Directory Manager" -w - -s sub uid=bjensen dn uid employeeType

    # bjensen, People, example.com
    dn: uid=bjensen,ou=People,dc=example,dc=com
    uid: bjensen
    employeeType: Employee

If the attribute is missing, run a reconciliation on the Managed User --> System/Ldap/Account mapping from the Admin UI
and search again.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
Now let's make this a little more interesting by adding the groups that an Employee should have in the corporate
directory (OpenDJ).

We just need to update the Employee role with the appropriate assignments. First, look at the current assignments of the
Employee role:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/managed/role/Employee?_fields=assignments&_prettyPrint=true'

    {
      "_id" : "Employee",
      "_rev" : "2",
      "name" : "Employee",
      "description" : "Role assigned to workers on the payroll.",
      "assignments": [
        {
          "_ref": "managed/assignment/5d6dda22-20f2-491f-a9c1-6c3cffb2460e",
          "_refProperties": {
            "_id": "6f3e22ae-c4a6-4422-a4f2-ac13458bf1c4",
            "_rev": "1"
          }
        }
      ]
    }

We simply need to add the attribute for groups to the assignment 5d6dda22-20f2-491f-a9c1-6c3cffb2460e:

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-Match: *" \
    --request PATCH \
    --data '[
      {
        "operation" : "add",
        "field" : "/attributes/-",
        "value" : {
          "name": "ldapGroups",
          "value": [
            "cn=Employees,ou=Groups,dc=example,dc=com",
            "cn=Chat Users,ou=Groups,dc=example,dc=com"
          ],
          "assignmentOperation" : "mergeWithTarget",
          "unassignmentOperation" : "removeFromTarget"
        }
      }
    ]' \
    'https://localhost:8443/openidm/managed/assignment/5d6dda22-20f2-491f-a9c1-6c3cffb2460e'

    {
      "_id": "5d6dda22-20f2-491f-a9c1-6c3cffb2460e",
      "_rev": "2",
      "name": "Employee",
      "description": "Assignment for employees.",
      "mapping": "managedUser_systemLdapAccounts",
      "attributes": [
        {
          "name": "employeeType",
          "value": "Employee",
          "assignmentOperation": "mergeWithTarget",
          "unassignmentOperation": "removeFromTarget"
        },
        {
          "name": "ldapGroups",
          "value": [
            "cn=Employees,ou=Groups,dc=example,dc=com",
            "cn=Chat Users,ou=Groups,dc=example,dc=com"
          ],
          "assignmentOperation": "mergeWithTarget",
          "unassignmentOperation": "removeFromTarget"
        }
      ]
    }

After adding this new attribute to the assignment, bjensen should be added to the Chat Users and Employees groups.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
ffea5f78721036ac91332c90c48133b6af63909dLana Frost $ ldapsearch -p 1389 -h localhost -b "dc=example,dc=com" -D "cn=Directory Manager" -w - -s sub uid=bjensen dn uid employeeType isMemberOf
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe # bjensen, People, example.com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe dn: uid=bjensen,ou=People,dc=example,dc=com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe uid: bjensen
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe employeeType: Employee
0191d4bb4a3ee6db99934cdbc54065801ea35ab9Jake Feasel isMemberOf: cn=Chat Users,ou=Groups,dc=example,dc=com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe isMemberOf: cn=Employees,ou=Groups,dc=example,dc=com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request GET \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/system/ldap/account?_queryFilter=/uid+sw+"bjensen"&_fields=dn,uid,employeeType,ldapGroups&_prettyPrint=true'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "result" : [ {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "dn" : "uid=bjensen,ou=People,dc=example,dc=com",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "uid" : "bjensen",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "employeeType" : "Employee",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "ldapGroups" : [ "cn=Chat Users,ou=Groups,dc=example,dc=com", "cn=Employees,ou=Groups,dc=example,dc=com", ]
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel } ],
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "resultCount" : 1,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "pagedResultsCookie" : null,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "remainingPagedResults" : -1
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
Let's continue with the Contractor assignment: create it with the appropriate attributes, attach it to the Contractor
role, and allocate that role to jdoe, who is a contractor and therefore not entitled to access the internal chat
application.

First create the Contractor assignment. The PUT carries If-None-Match: *, so it only creates the object; if an
assignment with this identifier already exists, the request fails instead of overwriting it:

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-None-Match: *" \
    --request PUT \
    --data '{
        "name" : "Contractor",
        "description": "Contractor assignment for contract workers.",
        "mapping": "managedUser_systemLdapAccounts",
        "attributes": [
            {
                "name": "ldapGroups",
                "value": [
                    "cn=Contractors,ou=Groups,dc=example,dc=com"
                ],
                "assignmentOperation" : "mergeWithTarget",
                "unassignmentOperation" : "removeFromTarget"
            },
            {
                "name": "employeeType",
                "value": "Contractor",
                "assignmentOperation" : "mergeWithTarget",
                "unassignmentOperation" : "removeFromTarget"
            }
        ]
    }' \
    'https://localhost:8443/openidm/managed/assignment/Contractor'

    {
      "_id": "Contractor",
      "_rev": "1",
      "name": "Contractor",
      "description": "Contractor assignment for contract workers.",
      "mapping": "managedUser_systemLdapAccounts",
      "attributes": [
        {
          "name": "ldapGroups",
          "value": [
            "cn=Contractors,ou=Groups,dc=example,dc=com"
          ],
          "assignmentOperation": "mergeWithTarget",
          "unassignmentOperation": "removeFromTarget"
        },
        {
          "name": "employeeType",
          "value": "Contractor",
          "assignmentOperation": "mergeWithTarget",
          "unassignmentOperation": "removeFromTarget"
        }
      ]
    }

Now add the Contractor assignment to the Contractor role:

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-Match: *" \
    --request PATCH \
    --data '[
        {
            "operation" : "add",
            "field" : "/assignments/-",
            "value" : {
                "_ref" : "managed/assignment/Contractor"
            }
        }
    ]' \
    'https://localhost:8443/openidm/managed/role/Contractor'

    {
      "_id": "Contractor",
      "_rev": "2",
      "name": "Contractor",
      "description": "Role assigned to contract workers."
    }

Now we just need to allocate the Contractor role to jdoe, and he should automatically be added to the Contractors group
in OpenDJ. Let's first take a look at jdoe's entry to make sure we know the value of his identifier:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"jdoe"&_fields=_id&_prettyPrint=true'

    {
      "result" : [ {
        "_id" : "3f9ada28-2809-4909-aadf-815567b00a4d"
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

Now we can update jdoe's entry with the Contractor role:

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-Match: *" \
    --request PATCH \
    --data '[
        {
            "operation" : "add",
            "field" : "/roles/-",
            "value" : {
                "_ref": "managed/role/Contractor"
            }
        }
    ]' \
    'https://localhost:8443/openidm/managed/user/3f9ada28-2809-4909-aadf-815567b00a4d'

    {
      "_id": "3f9ada28-2809-4909-aadf-815567b00a4d",
      "_rev": "2",
      "displayName": "John Doe",
      "description": "Created for OpenIDM",
      "givenName": "John",
      "mail": "jdoe@example.com",
      "telephoneNumber": "1-415-599-1100",
      "sn": "Doe",
      "userName": "jdoe",
      "accountStatus": "active",
      "effectiveRoles": [
        {
          "_ref": "managed/role/Contractor"
        }
      ],
      "effectiveAssignments": [
        {
          "name": "Contractor",
          "description": "Contractor assignment for contract workers.",
          "mapping": "managedUser_systemLdapAccounts",
          "attributes": [
            {
              "name": "ldapGroups",
              "value": [
                "cn=Contractors,ou=Groups,dc=example,dc=com"
              ],
              "assignmentOperation": "mergeWithTarget",
              "unassignmentOperation": "removeFromTarget"
            },
            {
              "name": "employeeType",
              "value": "Contractor",
              "assignmentOperation": "mergeWithTarget",
              "unassignmentOperation": "removeFromTarget"
            }
          ],
          "_id": "Contractor",
          "_rev": "1"
        }
      ],
      "roles": [
        {
          "_ref": "managed/role/Contractor",
          "_refProperties": {
            "_id": "e8295a1f-f367-489d-9573-f4ccbb2822d1",
            "_rev": "1"
          }
        }
      ]
    }

Let's now take a look at jdoe's entry in OpenDJ to make sure that the proper employee type has been set and that he has
been added to the Contractors group:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/system/ldap/account?_queryFilter=/uid+sw+"jdoe"&_prettyPrint=true'

    {
      "result" : [ {
        "sn" : "Doe",
        "telephoneNumber" : "1-415-599-1100",
        "employeeType" : "Contractor",
        "dn" : "uid=jdoe,ou=People,dc=example,dc=com",
        "cn" : "John Doe",
        "uid" : "jdoe",
        "ldapGroups" : [ "cn=openidm,ou=Groups,dc=example,dc=com", "cn=Contractors,ou=Groups,dc=example,dc=com" ],
        "givenName" : "John",
        "mail" : "jdoe@example.com",
        "description" : "Created for OpenIDM",
        "_id" : "uid=jdoe,ou=People,dc=example,dc=com"
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

Note that the cn=openidm group, which jdoe's entry already belonged to, is kept: mergeWithTarget adds the assignment's
values to whatever the target attribute already holds.

4. Removing a role from a user

Now that we know what happens to entitlements when a role is assigned to a user, let's look at what happens when a
role is deallocated from a user entry.

Again, we take a look at jdoe's entry to find its current state, in particular the position of the Contractor role in
his roles array:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"jdoe"&_fields=_id,roles&_prettyPrint=true'

    {
      "result" : [ {
        "_id" : "3f9ada28-2809-4909-aadf-815567b00a4d",
        "roles" : [ {
          "_ref" : "managed/role/Contractor",
          "_refProperties" : {
            "_id" : "e8295a1f-f367-489d-9573-f4ccbb2822d1",
            "_rev" : "1"
          }
        } ]
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "totalPagedResultsPolicy" : "NONE",
      "totalPagedResults" : -1,
      "remainingPagedResults" : -1
    }

The Contractor role is the first (and only) element of the roles array, so removing index 0 removes it. Note the user's
identifier in the request URL. Two caveats: the index is only valid for the state you just read, and If-Match: * accepts
whatever revision is currently stored, so if another client modified the roles array between the read and the patch,
this request could remove a different role. To fail safely instead, add _rev to the _fields you request and send that
value in If-Match; OpenIDM then rejects the patch with 412 Precondition Failed if the entry has changed in between.

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-Match: *" \
    --request PATCH \
    --data '[
        {
            "operation" : "remove",
            "field" : "/roles/0"
        }
    ]' \
    'https://localhost:8443/openidm/managed/user/3f9ada28-2809-4909-aadf-815567b00a4d'

    {
      "_id": "3f9ada28-2809-4909-aadf-815567b00a4d",
      "_rev": "3",
      "displayName": "John Doe",
      "description": "Created for OpenIDM",
      "givenName": "John",
      "mail": "jdoe@example.com",
      "telephoneNumber": "1-415-599-1100",
      "sn": "Doe",
      "userName": "jdoe",
      "accountStatus": "active",
      "effectiveRoles": [],
      "effectiveAssignments": [],
      "roles": []
    }

This results in jdoe's entry in OpenDJ no longer belonging to the Contractors group, and in his employee type being
cleared, because both attributes of the Contractor assignment use removeFromTarget as their unassignmentOperation.
Check that with a query on his entry in OpenDJ:

    $ curl --insecure \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --request GET \
    'https://localhost:8443/openidm/system/ldap/account?_queryFilter=/uid+sw+"jdoe"&_prettyPrint=true'

    {
      "result" : [ {
        "sn" : "Doe",
        "telephoneNumber" : "1-415-599-1100",
        "employeeType" : null,
        "dn" : "uid=jdoe,ou=People,dc=example,dc=com",
        "cn" : "John Doe",
        "uid" : "jdoe",
        "ldapGroups" : [ "cn=openidm,ou=Groups,dc=example,dc=com" ],
        "givenName" : "John",
        "mail" : "jdoe@example.com",
        "description" : "Created for OpenIDM",
        "_id" : "uid=jdoe,ou=People,dc=example,dc=com"
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

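The removal above deletes /roles/0 with If-Match: *, which trusts that the roles array still looks like the one that was
read a moment earlier. As an added example, written for this page and not part of the sample or of OpenIDM itself, the
following Python builds the same PATCH from the read response: it locates the role by its _ref instead of assuming its
position, refuses ambiguous query results, and sends the entry's _rev in If-Match so that OpenIDM rejects the patch
(412 Precondition Failed) if the entry changed in between. It assumes _rev was requested along with the other fields
(_fields=_id,_rev,roles); the response text embedded below is constructed from the one shown for jdoe, with that
revision added.

```python
"""Build a role-removal PATCH from the managed user entry just read.

Example code for this page, not OpenIDM's own tooling.  Assumptions: the
query response has the shape shown on this page, _rev was included in
_fields, and OpenIDM honours If-Match with a specific revision.
"""
import json
import shlex

# Constructed input: the query response shown above for jdoe, with the
# _rev that a _fields=_id,_rev,roles query would return.
SAMPLE_QUERY_RESPONSE = """{
  "result" : [ {
    "_id" : "3f9ada28-2809-4909-aadf-815567b00a4d",
    "_rev" : "2",
    "roles" : [ {
      "_ref" : "managed/role/Contractor",
      "_refProperties" : {
        "_id" : "e8295a1f-f367-489d-9573-f4ccbb2822d1",
        "_rev" : "1"
      }
    } ]
  } ],
  "resultCount" : 1,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}"""


def single_result(query_response_json):
    """Return the one matching entry; refuse empty or ambiguous results."""
    results = json.loads(query_response_json).get("result", [])
    if len(results) != 1:
        raise LookupError(f"expected exactly one user, got {len(results)}")
    return results[0]


def role_index(user, role_ref):
    """Position of role_ref in the roles array, looked up rather than assumed."""
    for index, role in enumerate(user.get("roles", [])):
        if role.get("_ref") == role_ref:
            return index
    raise LookupError(f"{role_ref} is not allocated to {user['_id']}")


def role_removal_request(user, role_ref, base_url="https://localhost:8443/openidm"):
    """Return (url, headers, patch) removing role_ref from user.

    If-Match carries the revision that was read, so a concurrent change to
    the entry (which may reorder the roles array) makes OpenIDM reject the
    patch instead of deleting the wrong element.
    """
    patch = [{"operation": "remove", "field": f"/roles/{role_index(user, role_ref)}"}]
    headers = {"Content-Type": "application/json", "If-Match": user["_rev"]}
    return f"{base_url}/managed/user/{user['_id']}", headers, patch


def as_curl(url, headers, patch, username="openidm-admin"):
    """Render the request as a curl command line.

    The X-OpenIDM-Password header is deliberately left for the caller to add
    from a secret store rather than being baked into the rendered command.
    """
    parts = ["curl", "--insecure", "--request", "PATCH"]
    for name, value in headers.items():
        parts += ["--header", f"{name}: {value}"]
    parts += ["--header", f"X-OpenIDM-Username: {username}"]
    parts += ["--data", json.dumps(patch), url]
    return " ".join(shlex.quote(part) for part in parts)


def removal_applied(patch_response_json, role_ref):
    """True when the PATCH response lists role_ref neither directly nor effectively."""
    user = json.loads(patch_response_json)
    refs = {role.get("_ref") for role in user.get("roles", [])}
    refs |= {role.get("_ref") for role in user.get("effectiveRoles", [])}
    return role_ref not in refs


if __name__ == "__main__":
    jdoe = single_result(SAMPLE_QUERY_RESPONSE)
    print(as_curl(*role_removal_request(jdoe, "managed/role/Contractor")))
```

Run the module to print the curl command for the constructed response; in a real session, feed it the body returned by
the _queryFilter request and check the PATCH response with removal_applied() before trusting that the entitlement is gone.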

Note: additional samples may be added later to demonstrate the other assignment operations (merge, replace, remove,
and so on).
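As an added illustration, not OpenIDM's own code, here is a small Python model of what the assignmentOperation and
unassignmentOperation values do to a target entry: mergeWithTarget and removeFromTarget as used throughout this sample,
plus replaceTarget and noOp, the other values OpenIDM documents. The data is constructed from the jdoe walkthrough
above (the pre-existing cn=openidm group and the Contractor assignment) and the code reproduces the results shown
there. How mergeWithTarget treats a single-valued attribute, and the transition() strategy of undoing only the
assignments that went away before re-applying the rest, are this example's assumptions, not a description of how
OpenIDM orders its own processing.

```python
"""Model of assignment/unassignment operations on a target entry.

Example code written for this page, not OpenIDM's implementation.
Operation names follow OpenIDM's documented values; the ordering and the
single-valued merge behaviour are assumptions (see comments).
"""
from copy import deepcopy

# Constructed sample data, using the values that appear on this page.
OPENIDM_GROUP = "cn=openidm,ou=Groups,dc=example,dc=com"
CONTRACTORS_GROUP = "cn=Contractors,ou=Groups,dc=example,dc=com"
EMPLOYEES_GROUP = "cn=Employees,ou=Groups,dc=example,dc=com"

CONTRACTOR_ASSIGNMENT = {
    "name": "Contractor",
    "attributes": [
        {"name": "ldapGroups", "value": [CONTRACTORS_GROUP],
         "assignmentOperation": "mergeWithTarget",
         "unassignmentOperation": "removeFromTarget"},
        {"name": "employeeType", "value": "Contractor",
         "assignmentOperation": "mergeWithTarget",
         "unassignmentOperation": "removeFromTarget"},
    ],
}

# jdoe's LDAP entry before any role is allocated: only the group his
# entry already had in OpenDJ.
JDOE_BEFORE = {"uid": "jdoe", "employeeType": None, "ldapGroups": [OPENIDM_GROUP]}


def _as_list(value):
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def assign(target, attr):
    """Apply one assignment attribute to target (assignmentOperation)."""
    name, value = attr["name"], attr["value"]
    op = attr.get("assignmentOperation", "mergeWithTarget")
    if op == "noOp":
        return target
    if op == "replaceTarget":
        target[name] = deepcopy(value)
    elif op == "mergeWithTarget":
        if isinstance(value, list):
            # Multi-valued: a union that keeps what the target already had,
            # which is why jdoe keeps cn=openidm after the role is added.
            merged = _as_list(target.get(name))
            merged.extend(v for v in value if v not in merged)
            target[name] = merged
        else:
            # Single-valued: assumed to behave like a replace.
            target[name] = value
    else:
        raise ValueError(f"unknown assignmentOperation {op!r}")
    return target


def unassign(target, attr):
    """Undo one assignment attribute on target (unassignmentOperation)."""
    name, value = attr["name"], attr["value"]
    op = attr.get("unassignmentOperation", "removeFromTarget")
    if op == "noOp":
        return target
    if op != "removeFromTarget":
        raise ValueError(f"unknown unassignmentOperation {op!r}")
    if isinstance(value, list):
        target[name] = [v for v in _as_list(target.get(name)) if v not in value]
    elif target.get(name) == value:
        # A single value granted by the assignment is cleared, which the
        # sample shows as "employeeType" : null.
        target[name] = None
    return target


def effective_target(base, assignments):
    """Target entry after applying every attribute of every effective assignment."""
    target = deepcopy(base)
    for assignment in assignments:
        for attr in assignment["attributes"]:
            assign(target, attr)
    return target


def transition(current, old_assignments, new_assignments):
    """Move a target from one set of effective assignments to another.

    Strategy chosen for this model: undo only the assignments that went
    away, then re-apply everything still effective, so a value granted by
    two assignments survives the removal of one of them.
    """
    target = deepcopy(current)
    still_effective = {a["name"] for a in new_assignments}
    for assignment in old_assignments:
        if assignment["name"] not in still_effective:
            for attr in assignment["attributes"]:
                unassign(target, attr)
    return effective_target(target, new_assignments)
```

effective_target(JDOE_BEFORE, [CONTRACTOR_ASSIGNMENT]) yields the entry shown after the role was allocated, and
transition() back to an empty assignment list yields the entry shown after the role was removed. The transition()
strategy matters when two assignments grant the same group: subtracting one assignment's values blindly would strip an
entitlement the user is still entitled to, so the model recomputes from the full remaining set.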

This is pretty much everything you need to know about roles, assignments and entitlements and how to manipulate them via
the REST API.

Appendix
--------

If you need to reload the Employee and Contractor roles and assignments entirely without going through each step in the
samples, here are the REST requests to do just that (the reloaded assignments use the identifiers Employee and
Contractor rather than the generated identifier seen above; the mapping attribute is required so that the assignment
applies to the LDAP mapping):

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-None-Match: *" \
    --request PUT \
    --data '{
        "name" : "Employee",
        "description": "Employee assignment for workers on the payroll.",
        "mapping": "managedUser_systemLdapAccounts",
        "attributes": [
            {
                "name": "ldapGroups",
                "value": [
                    "cn=Employees,ou=Groups,dc=example,dc=com",
                    "cn=Chat Users,ou=Groups,dc=example,dc=com"
                ],
                "assignmentOperation" : "mergeWithTarget",
                "unassignmentOperation" : "removeFromTarget"
            },
            {
                "name": "employeeType",
                "value": "Employee",
                "assignmentOperation" : "mergeWithTarget",
                "unassignmentOperation" : "removeFromTarget"
            }
        ]
    }' \
    'https://localhost:8443/openidm/managed/assignment/Employee'

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
    --header "If-None-Match: *" \
    --request PUT \
    --data '{
        "name" : "Contractor",
        "description": "Contractor assignment for contract workers.",
        "mapping": "managedUser_systemLdapAccounts",
        "attributes": [
            {
                "name": "ldapGroups",
                "value": [
                    "cn=Contractors,ou=Groups,dc=example,dc=com"
                ],
                "assignmentOperation" : "mergeWithTarget",
                "unassignmentOperation" : "removeFromTarget"
            },
            {
                "name": "employeeType",
                "value": "Contractor",
                "assignmentOperation" : "mergeWithTarget",
                "unassignmentOperation" : "removeFromTarget"
            }
        ]
    }' \
    'https://localhost:8443/openidm/managed/assignment/Contractor'

    $ curl --insecure \
    --header "Content-type: application/json" \
    --header "X-OpenIDM-Username: openidm-admin" \
    --header "X-OpenIDM-Password: openidm-admin" \
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle --header "If-None-Match: *" \
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle --request PUT \
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle --data '{
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "name" : "Employee",
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "description": "Role assigned to workers on the payroll.",
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "assignments": [
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle {
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "_ref": "managed/assignment/Employee"
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle }
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle ]
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/role/Employee'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "Content-type: application/json" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "If-None-Match: *" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request PUT \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --data '{
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "name" : "Contractor",
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "description": "Role assigned to contract workers.",
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "assignments": [
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle {
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle "_ref": "managed/assignment/Contractor"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
b31a18cdb1b7c0bd3b3436df2992af32f0dd21a9Chad Kienle ]
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/role/Contractor'
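The four PUTs above create two assignments and two roles that point at them by `_ref`. The script below is an added pre-flight check, not part of the sample: it confirms that each role's `_ref` resolves to an assignment being created, that every attribute carries both an assignment and an unassignment operation, that `ldapGroups` values have the shape of a DN, and it flags an assignment that names no mapping (the Contractor assignment above does not, while the Employee one does). The input dictionaries are constructed from the request bodies above; the check and its finding strings are this example's own.

```python
import re

DN_RE = re.compile(r"^cn=[^,]+(,(ou|dc)=[^,]+)+$")  # loose LDAP DN shape check


def attr(name, value):
    """Attribute entry using the operation pair every attribute above uses."""
    return {"name": name, "value": value,
            "assignmentOperation": "mergeWithTarget",
            "unassignmentOperation": "removeFromTarget"}


GROUPS = "ou=Groups,dc=example,dc=com"
# Constructed input: the bodies of the PUTs above, keyed by the id in each URL.
ASSIGNMENTS = {
    "Employee": {"name": "Employee", "mapping": "managedUser_systemLdapAccounts",
                 "attributes": [attr("ldapGroups", [f"cn=Employees,{GROUPS}",
                                                    f"cn=Chat Users,{GROUPS}"]),
                                attr("employeeType", "Employee")]},
    "Contractor": {"name": "Contractor",  # the Contractor PUT above names no mapping
                   "attributes": [attr("ldapGroups", [f"cn=Contractors,{GROUPS}"]),
                                  attr("employeeType", "Contractor")]},
}
ROLES = {rid: {"name": rid, "assignments": [{"_ref": f"managed/assignment/{rid}"}]}
         for rid in ("Employee", "Contractor")}


def check_definitions(assignments, roles):
    """Return a list of findings; an empty list means the objects are consistent."""
    findings = []
    for aid, a in assignments.items():
        if a.get("name") != aid:
            findings.append(f"assignment {aid}: name {a.get('name')!r} differs from its resource id")
        if not a.get("mapping"):
            findings.append(f"assignment {aid}: names no mapping, unlike the Employee assignment")
        for at in a.get("attributes", []):
            for key in ("assignmentOperation", "unassignmentOperation"):
                if key not in at:
                    findings.append(f"assignment {aid}: attribute {at.get('name')!r} lacks {key}")
            vals = at["value"] if isinstance(at.get("value"), list) else [at.get("value")]
            if at.get("name") == "ldapGroups":
                for v in vals:
                    if not isinstance(v, str) or not DN_RE.match(v):
                        findings.append(f"assignment {aid}: ldapGroups value {v!r} is not a DN")
    for rid, r in roles.items():
        for ref in r.get("assignments", []):
            prefix, _, aid = ref.get("_ref", "").rpartition("/")
            if prefix != "managed/assignment" or aid not in assignments:
                findings.append(f"role {rid}: _ref {ref.get('_ref')!r} resolves to no assignment defined here")
    return findings


if __name__ == "__main__":
    for line in check_definitions(ASSIGNMENTS, ROLES) or ["no findings"]:
        print(line)
```

Run it over the request bodies before sending them; anything it prints is worth resolving first, since a role whose `_ref` resolves to nothing grants no attributes when it is assigned.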