README.md revision 110f2406708abfc03243487378c58e559e04e572
    /**
     * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
     *
     * Copyright 2015 ForgeRock AS. All rights reserved.
     *
     * The contents of this file are subject to the terms
     * of the Common Development and Distribution License
     * (the License). You may not use this file except in
     * compliance with the License.
     *
     * You can obtain a copy of the License at
     * http://forgerock.org/license/CDDLv1.0.html
     * See the License for the specific language governing
     * permission and limitations under the License.
     *
     * When distributing Covered Code, include this CDDL
     * Header Notice in each file and include the License file
     * at http://forgerock.org/license/CDDLv1.0.html
     * If applicable, add the following below the CDDL Header,
     * with the fields enclosed by brackets [] replaced by
     * your own identifying information:
     * "Portions Copyrighted [year] [name of copyright owner]"
     */

Roles Sample: Roles and Provisioning
=====================================

One of the great features of OpenIDM Roles is the ability to provision a set
of attributes based on role membership.

Let's take a concrete example and continue with our Employee and Contractor
roles example that was provided in the _crudops_ sample. This example will
also build on _sample2b_ to provision user entries from Managed User to OpenDJ.

As an employee of the company, a worker should be added to a couple of groups in
OpenDJ (presumably to get access to some internal applications): the Employees
group and the Chat Users group. But as a Contractor, workers will be added
to the Contractors group only. We also want the type of employee to be set
properly in OpenDJ, based on the role allocated to each user.


Pre-requisites: we assume that you are familiar with _sample2b_ and have already
installed OpenDJ according to the instructions and configuration provided
in that sample. We also assume here that you have reconciled the entries as
explained in sections 2 and 4 of that sample, but for this current sample.

Note: the Example.ldif provided with this sample should be loaded to OpenDJ,
if that wasn't done previously.

    $ opendj/bin/ldapmodify -a -c --bindDN "cn=Directory Manager" --bindPassword password --hostname localhost --port 1389 --filename openidm/samples/roles/provrole/data/Example.ldif

This sample should be run like the others using the following command:

    $ nohup ./startup.sh -p samples/roles/provrole > logs/console.out 2>&1&

in order to pick up the configuration that's provided here. The reconciliation
of the external system (OpenDJ) can also be performed easily via the UI by running
reconciliation for the first mapping (DJ --> Managed User) in order to populate
the user entries.


This sample provides all the information you need to cover the following use
cases:

* Update a role with an entitlement (called assignments in OpenIDM)
* Assign a role to a user and observe the entitlements for that user
* Specify how entitlements will be propagated to an external system (OpenDJ)
* Deallocate a role from a user and observe how the entitlements are withdrawn
  from the external system

Note: throughout this document we refer to entitlements and assignments
interchangeably, as they relate to roles.


1. Update the Employee role to add the correct groups and employee type

Let's take a look at the roles we created in the _crudops_ sample first:

    $ curl --insecure \
           --header "X-OpenIDM-Username: openidm-admin" \
           --header "X-OpenIDM-Password: openidm-admin" \
           --request GET \
           'https://localhost:8443/openidm/managed/role?_queryFilter=true&_prettyPrint=true'

    {
      "result" : [ {
        "properties" : {
          "name" : "Employee",
          "description" : "Role assigned to workers on the payroll."
        },
        "_id" : "Employee",
        "_rev" : "1"
      }, {
        "properties" : {
          "name" : "Contractor",
          "description" : "Role assigned to contract workers."
        },
        "_id" : "Contractor",
        "_rev" : "11"
      } ],
      "resultCount" : 2,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

Now, according to our company's policy, we need to make sure that every employee
will have the correct _employeeType_ attribute in OpenDJ (corporate directory).

This is achieved in several steps. The first one is to add an _assignments_
property to the Employee role. Since we already have that role we will just
patch that entry:

    $ curl --insecure \
           --header "Content-type: application/json" \
           --header "X-OpenIDM-Username: openidm-admin" \
           --header "X-OpenIDM-Password: openidm-admin" \
           --header "If-Match: *" \
           --request PATCH \
           --data '[
             {
               "operation" : "add",
               "field" : "/assignments",
               "value" : {
                 "ldap": {
                   "attributes": [
                     {
                       "name": "employeeType",
                       "value": "Employee",
                       "assignmentOperation" : "mergeWithTarget",
                       "unassignmentOperation" : "removeFromTarget"
                     }
                   ]
                 }
               }
             }
           ]' \
           'https://localhost:8443/openidm/managed/role/Employee'

    {"properties":{"name":"Employee","description":"Role assigned to workers on the payroll."},"_id":"Employee","_rev":"2","assignments":{"ldap":{"attributes":[{"name":"employeeType","value":"Employee","assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget"}]}}}

2. Allocate the Employee role to bjensen

In order to fully leverage _sample2b_ we will use Barbara Jensen as the employee.
Let's take a look at the roles we should have right now:

    $ curl --insecure \
           --header "X-OpenIDM-Username: openidm-admin" \
           --header "X-OpenIDM-Password: openidm-admin" \
           --request GET \
           'https://localhost:8443/openidm/managed/role?_queryFilter=true&_prettyPrint=true'

    {
      "result" : [ {
        "properties" : {
          "name" : "Employee",
          "description" : "Role assigned to workers on the payroll."
        },
        "_id" : "Employee",
        "_rev" : "1"
      },
      {
        "properties" : {
          "name" : "Contractor",
          "description" : "Role assigned to contract workers."
        },
        "_id" : "Contractor",
        "_rev" : "1"
      } ],
      "resultCount" : 2,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

Or something along those lines.

Note: since the last step in the _crudops_ sample was to delete the Contractor
role via the Admin UI, you might have to issue the following request again to
populate the Contractor role:

    $ curl --insecure \
           --header "Content-type: application/json" \
           --header "X-OpenIDM-Username: openidm-admin" \
           --header "X-OpenIDM-Password: openidm-admin" \
           --header "If-None-Match: *" \
           --request PUT \
           --data '{
             "properties" : {
               "name" : "Contractor",
               "description": "Role assigned to contract workers."
             }
           }' \
           https://localhost:8443/openidm/managed/role/Contractor

Once you have both roles listed, you just need to assign the Employee role to
bjensen. But first you need to find out what the identifier is for bjensen's
entry:

    $ curl --insecure \
           --header "X-OpenIDM-Username: openidm-admin" \
           --header "X-OpenIDM-Password: openidm-admin" \
           --request GET \
           'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"bjensen"&_fields=_id&_prettyPrint=true'

    {
      "result" : [ {
        "_id" : "8ff9639f-2a89-48a2-a0fd-9df4d5297eeb"
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

Therefore you can assign the Employee role by using:

    $ curl --insecure \
           --header "Content-type: application/json" \
           --header "X-OpenIDM-Username: openidm-admin" \
           --header "X-OpenIDM-Password: openidm-admin" \
           --header "If-Match: *" \
           --request PATCH \
           --data '[
             {
               "operation" : "add",
               "field" : "/roles/-",
               "value" : { "_ref": "managed/role/Employee" }
             }
           ]' \
           'https://localhost:8443/openidm/managed/user/8ff9639f-2a89-48a2-a0fd-9df4d5297eeb'

    {"displayName":"Barbara Jensen","description":"Created for OpenIDM","givenName":"Barbara","mail":"bjensen@example.com","telephoneNumber":"1-360-229-7105","sn":"Jensen","userName":"bjensen","ldapGroups":["cn=openidm2,ou=Groups,dc=example,dc=com"],"accountStatus":"active","roles":[{"_ref":"managed/role/Employee","_refProperties":{"_id":"193a60b6-7b2e-467e-a8fc-a59d67fca858","_rev":"1"}}],"lastPasswordSet":"","postalCode":"","stateProvince":"","passwordAttempts":"0","lastPasswordAttempt":"Fri Apr 17 2015 16:57:21 GMT-0000 (UTC)","postalAddress":"","address2":"","country":"","city":"","effectiveRoles":[{"_ref":"managed/role/Employee","_refProperties":{"_id":"193a60b6-7b2e-467e-a8fc-a59d67fca858","_rev":"1"}}],"_id":"8ff9639f-2a89-48a2-a0fd-9df4d5297eeb","_rev":"4","effectiveAssignments":{"ldap":{"attributes":[{"name":"employeeType","value":"Employee","assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget","assignedThrough":"managed/role/Employee"}]}}}

Let's take a closer look at bjensen's entry for what we're really interested
in, i.e. the roles, effective roles and effective assignments:

    $ curl --insecure \
           --header "X-OpenIDM-Username: openidm-admin" \
           --header "X-OpenIDM-Password: openidm-admin" \
           --request GET \
           'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"bjensen"&_fields=_id,userName,roles,effectiveRoles,effectiveAssignments&_prettyPrint=true'

    {
      "result" : [ {
        "_id" : "8ff9639f-2a89-48a2-a0fd-9df4d5297eeb",
        "userName" : "bjensen",
        "roles" : [ {
          "_ref" : "managed/role/Employee",
          "_refProperties" : {
            "_id" : "193a60b6-7b2e-467e-a8fc-a59d67fca858",
            "_rev" : "1"
          }
        } ],
        "effectiveRoles" : [ {
          "_ref" : "managed/role/Employee",
          "_refProperties" : {
            "_id" : "193a60b6-7b2e-467e-a8fc-a59d67fca858",
            "_rev" : "1"
          }
        } ],
        "effectiveAssignments" : {
          "ldap" : {
            "attributes" : [ {
              "name" : "employeeType",
              "value" : "Employee",
              "assignmentOperation" : "mergeWithTarget",
              "unassignmentOperation" : "removeFromTarget",
              "assignedThrough" : "managed/role/Employee"
            } ]
          }
        }
      } ],
      "resultCount" : 1,
      "pagedResultsCookie" : null,
      "remainingPagedResults" : -1
    }

We can now clearly see the impact of the new property we added to the role. The
user now has a new (calculated) property which includes the set of assignments
(or entitlements) that pertain to the user with that role. Currently this only
lists the _employeeType_ attribute.

3. Pushing assignments out to OpenDJ (external system)

This sample's sync.json adds on to _sample2b_'s mapping by incorporating an
additional property, called _assignmentsToMap_:

    ....
        "name" : "managedUser_systemLdapAccounts",
        "source" : "managed/user",
        "target" : "system/ldap/account",
        "links" : "systemLdapAccounts_managedUser",
        "assignmentsToMap" : [
            "ldap"
        ],
    ....

Now if you take a look at bjensen directly in the directory you should see the
attribute _employeeType_ being populated properly:

    $ ldapsearch -p 1389 -h localhost -b "dc=example,dc=com" -D "cn=Directory Manager" -w - -s sub uid=bjensen dn uid employeeType

    # bjensen, People, example.com
    dn: uid=bjensen,ou=People,dc=example,dc=com
    uid: bjensen
    employeeType: Employee

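The directory check above can be automated. The following is an added example, not part of the OpenIDM sample: it compares a user's `effectiveAssignments` with `ldapsearch` output and reports values that were never provisioned and values that remain in the directory without a role granting them. It goes beyond `employeeType` by also covering group values. Assumptions: the sample data is constructed from the shapes shown on this page, `ldapGroups` is checked against `isMemberOf`, and the `cn=openidm2` group is treated as a known non-role baseline.

```python
import base64

# Assumption: LDAP attribute that carries each assignment attribute.
ATTRIBUTE_MAP = {"employeeType": "employeeType", "ldapGroups": "isMemberOf"}

# Constructed sample: bjensen holding the Employee role with both entitlements.
USER_WITH_ROLE = {
    "userName": "bjensen",
    "effectiveAssignments": {"ldap": {"attributes": [
        {"name": "employeeType", "value": "Employee",
         "assignmentOperation": "mergeWithTarget",
         "unassignmentOperation": "removeFromTarget",
         "assignedThrough": "managed/role/Employee"},
        {"name": "ldapGroups",
         "value": ["cn=Employees,ou=Groups,dc=example,dc=com",
                   "cn=Chat User,ou=Groups,dc=example,dc=com"],
         "assignmentOperation": "mergeWithTarget",
         "unassignmentOperation": "removeFromTarget",
         "assignedThrough": "managed/role/Employee"},
    ]}},
}
# Constructed sample: the same user after the role has been deallocated.
USER_WITHOUT_ROLE = {"userName": "bjensen", "effectiveAssignments": {}}

# Constructed ldapsearch output; the Employees group is deliberately absent.
LDIF_SAMPLE = (
    "# bjensen, People, example.com\n"
    "dn: uid=bjensen,ou=People,dc=example,dc=com\n"
    "uid: bjensen\n"
    "employeeType: Employee\n"
    "isMemberOf: cn=Chat User,ou=Groups,dc=example,dc=com\n"
    "isMemberOf: cn=openidm2,ou=Groups,dc=example,dc=com\n"
)
# Values allowed in the directory without a role (mergeWithTarget keeps them).
BASELINE = ["cn=openidm2,ou=Groups,dc=example,dc=com"]


def parse_ldif_entry(text):
    """Parse a single-entry ldapsearch result into {attr_lower: [values]}."""
    entry = {}
    # LDIF folds long lines: a continuation starts with one space.
    for line in text.replace("\n ", "").splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def norm(value):
    """Lower-case comparison form; spaces around DN commas are ignored."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def expected_values(user, mapping="ldap"):
    """Return {ldap_attr: {normalized value: assignedThrough}} for one mapping."""
    expected = {}
    assignments = (user.get("effectiveAssignments") or {}).get(mapping, {})
    for attr in assignments.get("attributes", []):
        ldap_attr = ATTRIBUTE_MAP.get(attr["name"], attr["name"]).lower()
        values = attr["value"] if isinstance(attr["value"], list) else [attr["value"]]
        for value in values:
            source = attr.get("assignedThrough", "unknown")
            expected.setdefault(ldap_attr, {})[norm(value)] = source
    return expected


def audit(user, ldif_text, baseline=()):
    """Return (missing, unexplained) as sorted lists of (attr, normalized value).

    missing:     granted through a role but not present in the directory.
    unexplained: present in the directory, not granted by any role, not baseline.
    """
    expected = expected_values(user)
    entry = parse_ldif_entry(ldif_text)
    allowed = {norm(v) for v in baseline}
    missing, unexplained = [], []
    for attr in sorted({a.lower() for a in ATTRIBUTE_MAP.values()}):
        want = set(expected.get(attr, {}))
        have = {norm(v) for v in entry.get(attr, [])}
        missing += [(attr, v) for v in sorted(want - have)]
        unexplained += [(attr, v) for v in sorted(have - want - allowed)]
    return missing, unexplained


if __name__ == "__main__":
    for label, user in (("with role", USER_WITH_ROLE), ("role removed", USER_WITHOUT_ROLE)):
        missing, unexplained = audit(user, LDIF_SAMPLE, BASELINE)
        print(label, "missing:", missing, "unexplained:", unexplained)
```
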
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeNow let's make this a little more interesting by adding the groups that an
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeEmployee should have in the corporate directory (OpenDJ).
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeWe just need to update the Employee role with the appropriate entitlements.
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent BristielFirst, let's look at the Employee role entry one more time:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request GET \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/role/Employee?_prettyPrint=true'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "properties" : {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name" : "Employee",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "description" : "Role assigned to workers on the payroll."
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe },
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "_id" : "Employee",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "_rev" : "2",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignments" : {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "ldap" : {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "attributes" : [ {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name" : "employeeType",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value" : "Employee",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation" : "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation" : "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe } ]
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent BristielWe simply need to add the entitlement for groups under:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeassignments/ldap/attributes
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "Content-type: application/json" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "If-Match: *" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request PATCH \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --data '[
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "operation" : "add",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "field" : "/assignments/ldap/attributes/-",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value" : {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name": "ldapGroups",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value": [
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "cn=Employees,ou=Groups,dc=example,dc=com",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "cn=Chat Users,ou=Groups,dc=example,dc=com"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ],
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation" : "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation" : "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ]' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/role/Employee'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {"properties":{"name":"Employee","description":"Role assigned to workers on the payroll."},"_id":"Employee","_rev":"3","assignments":{"ldap":{"attributes":[{"name":"employeeType","value":"Employee","assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget"},{"name":"ldapGroups","value":["cn=Employees,ou=Groups,dc=example,dc=com","cn=Chat Users,ou=Groups,dc=example,dc=com"],"assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget"}]}}}
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeAfter adding this new entitlement to the Employee role, bjensen should be
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeadded to the Chat Users and Employees groups.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
ffea5f78721036ac91332c90c48133b6af63909dLana Frost $ ldapsearch -p 1389 -h localhost -b "dc=example,dc=com" -D "cn=Directory Manager" -w - -s sub uid=bjensen dn uid employeeType isMemberOf
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe # bjensen, People, example.com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe dn: uid=bjensen,ou=People,dc=example,dc=com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe uid: bjensen
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe employeeType: Employee
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe isMemberOf: cn=Chat Users,ou=Groups,dc=example,dc=com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe isMemberOf: cn=Employees,ou=Groups,dc=example,dc=com
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request GET \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/system/ldap/account?_queryFilter=/uid+sw+"bjensen"&_fields=dn,uid,employeeType,ldapGroups&_prettyPrint=true'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "result" : [ {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "dn" : "uid=bjensen,ou=People,dc=example,dc=com",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "uid" : "bjensen",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "employeeType" : "Employee",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "ldapGroups" : [ "cn=Chat Users,ou=Groups,dc=example,dc=com", "cn=Employees,ou=Groups,dc=example,dc=com" ]
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel } ],
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "resultCount" : 1,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "pagedResultsCookie" : null,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "remainingPagedResults" : -1
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeLet's continue with adding the appropriate entitlements to the Contractor role
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeand allocating that role to jdoe, who is a contractor and therefore not
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristielentitled to access the internal chat application:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "Content-type: application/json" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "If-Match: *" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request PATCH \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --data '[
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "operation" : "add",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "field" : "/assignments/ldap/attributes",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value" : [{
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name": "ldapGroups",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value": [
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "cn=Contractors,ou=Groups,dc=example,dc=com"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ],
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation" : "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation" : "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe },
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name": "employeeType",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value": "Contractor",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation": "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation": "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }]
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ]' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/role/Contractor'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {"properties":{"name":"Contractor","description":"Role assigned to contract workers."},"_id":"Contractor","_rev":"2","assignments":{"ldap":{"attributes":[{"name":"ldapGroups","value":["cn=Contractors,ou=Groups,dc=example,dc=com"],"assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget"},{"name":"employeeType","value":"Contractor","assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget"}]}}}
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeNow we just need to allocate the Contractor role to jdoe and he should be
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeautomatically added to the Contractors group in OpenDJ. Let's first take a look
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristielat jdoe's entry to make sure we know the value of the identifier:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request GET \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"jdoe"&_fields=_id&_prettyPrint=true'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "result" : [ {
110f2406708abfc03243487378c58e559e04e572Jake Feasel "_id" : "3f9ada28-2809-4909-aadf-815567b00a4d"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe } ],
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "resultCount" : 1,
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "pagedResultsCookie" : null,
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "remainingPagedResults" : -1
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent BristielNow we can update jdoe's entry with the Contractor role:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "Content-type: application/json" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "If-Match: *" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request PATCH \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --data '[
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "operation" : "add",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "field" : "/roles/-",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value" : "managed/role/Contractor"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ]' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/user/3f9ada28-2809-4909-aadf-815567b00a4d'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c1bed58d59da76132e7b960e74825f038c282555Jon Branch {"displayName":"John Doe","description":"Created for OpenIDM","givenName":"John","mail":"jdoe@example.com","telephoneNumber":"1-415-599-1100","sn":"Doe","userName":"jdoe","ldapGroups":["cn=openidm,ou=Groups,dc=example,dc=com"],"accountStatus":"active","roles":["openidm-authorized","managed/role/Contractor"],"lastPasswordSet":"","postalCode":"","stateProvince":"","passwordAttempts":"0","lastPasswordAttempt":"Fri Apr 17 2015 16:57:21 GMT-0000 (UTC)","postalAddress":"","address2":"","country":"","city":"","effectiveRoles":[{"_ref":"managed/role/Contractor"}],"effectiveAssignments":{"ldap":{"attributes":[{"name":"ldapGroups","value":["cn=Contractors,ou=Groups,dc=example,dc=com"],"assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget","assignedThrough":"managed/role/Contractor"},{"name":"employeeType","value":"Contractor","assignmentOperation":"mergeWithTarget","unassignmentOperation":"removeFromTarget","assignedThrough":"managed/role/Contractor"}]}},"_id":"3f9ada28-2809-4909-aadf-815567b00a4d","_rev":"2"}
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeLet's now take a look at jdoe's entry in order to make sure that the proper
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeemployee type has been set and that jdoe has been added to the Contractors
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippegroup.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request GET \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/system/ldap/account?_queryFilter=/uid+sw+"jdoe"&_prettyPrint=true'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "result" : [ {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "sn" : "Doe",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "telephoneNumber" : "1-415-599-1100",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "employeeType" : "Contractor",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "dn" : "uid=jdoe,ou=People,dc=example,dc=com",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "cn" : "John Doe",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "uid" : "jdoe",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "ldapGroups" : [ "cn=openidm,ou=Groups,dc=example,dc=com", "cn=Contractors,ou=Groups,dc=example,dc=com" ],
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "givenName" : "John",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "mail" : "jdoe@example.com",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "description" : "Created for OpenIDM",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "_id" : "uid=jdoe,ou=People,dc=example,dc=com"
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel } ],
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "resultCount" : 1,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "pagedResultsCookie" : null,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "remainingPagedResults" : -1
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe4. Removing a role from a user
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeNow that we know what happens with entitlements when a role is assigned to a
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeuser, let's take a look at what happens when a role is deallocated from a user entry.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent BristielAgain, we take a look at jdoe's entry to find out about its state:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request GET \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/user?_queryFilter=/userName+eq+"jdoe"&_fields=_id,roles&_prettyPrint=true'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "result" : [ {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "_id" : "3f9ada28-2809-4909-aadf-815567b00a4d",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "roles" : [ "openidm-authorized", "managed/role/Contractor" ]
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel } ],
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "resultCount" : 1,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "pagedResultsCookie" : null,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "remainingPagedResults" : -1
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeWe therefore need to remove the 2nd element of the roles array (index = 1) in
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeorder to remove the Contractor role -- also please note the entry's identifier
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristielthat is used in the request's URL:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "Content-type: application/json" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "If-Match: *" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request PATCH \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --data '[
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "operation" : "remove",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "field" : "/roles/1"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ]' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/user/3f9ada28-2809-4909-aadf-815567b00a4d'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c1bed58d59da76132e7b960e74825f038c282555Jon Branch {"displayName":"John Doe","description":"Created for OpenIDM","givenName":"John","mail":"jdoe@example.com","telephoneNumber":"1-415-599-1100","sn":"Doe","userName":"jdoe","ldapGroups":["cn=openidm,ou=Groups,dc=example,dc=com"],"accountStatus":"active","roles":["openidm-authorized"],"lastPasswordSet":"","postalCode":"","stateProvince":"","passwordAttempts":"0","lastPasswordAttempt":"Fri Apr 17 2015 16:57:21 GMT-0000 (UTC)","postalAddress":"","address2":"","country":"","city":"","effectiveRoles":[],"_id":"3f9ada28-2809-4909-aadf-815567b00a4d","_rev":"3","effectiveAssignments":{}}
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
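The removal request above addresses the role by array position and sends `If-Match: *`, so it relies on the entry not changing between the read and the PATCH. The following added example (not part of the original README) derives the index from the entry just read and pins the request to that read's `_rev`. It assumes that `_rev` is requested in the query and that the server accepts it as the `If-Match` value; the function names are hypothetical.

```python
import json
import urllib.request

BASE_URL = "https://localhost:8443/openidm"  # host and port used on this page

# Constructed sample: the query result shown above with "_rev" added, as it
# would look if the query asked for _fields=_id,_rev,roles (assumption).
SAMPLE_QUERY_RESULT = json.loads("""
{
  "result": [ {
    "_id": "3f9ada28-2809-4909-aadf-815567b00a4d",
    "_rev": "2",
    "roles": [ "openidm-authorized", "managed/role/Contractor" ]
  } ],
  "resultCount": 1
}
""")


def build_role_removal(query_result, role_ref, base_url=BASE_URL):
    """Return (url, headers, patch) removing role_ref from the one matching user.

    The array index comes from the roles just read and If-Match carries that
    read's revision, so a concurrent change makes the request fail instead of
    silently removing whichever role now sits at that index.
    """
    results = query_result.get("result", [])
    if len(results) != 1:
        raise LookupError("expected exactly one user, got %d" % len(results))
    user = results[0]
    user_id, revision = user["_id"], user["_rev"]
    roles = user.get("roles", [])
    if role_ref not in roles:
        raise ValueError("%s is not assigned to %s" % (role_ref, user_id))
    # Same patch format as the request on this page, with a computed index.
    patch = [{"operation": "remove", "field": "/roles/%d" % roles.index(role_ref)}]
    headers = {
        "Content-type": "application/json",
        "If-Match": '"%s"' % revision,  # quoted entity-tag form (assumption)
    }
    return "%s/managed/user/%s" % (base_url, user_id), headers, patch


def send_patch(url, headers, patch, username, password):
    """Send the PATCH; urllib verifies the server certificate by default."""
    request = urllib.request.Request(
        url,
        data=json.dumps(patch).encode("utf-8"),
        method="PATCH",
        headers={**headers,
                 "X-OpenIDM-Username": username,
                 "X-OpenIDM-Password": password},
    )
    # A rejected precondition raises urllib.error.HTTPError: re-read the
    # entry and rebuild the request rather than resending the old index.
    with urllib.request.urlopen(request) as response:
        return json.load(response)


if __name__ == "__main__":
    url, headers, patch = build_role_removal(
        SAMPLE_QUERY_RESULT, "managed/role/Contractor")
    print(url)
    print(headers)
    print(json.dumps(patch))
```

`send_patch` is not called here; with verification left on, the server's self-signed certificate has to be trusted locally before the request succeeds.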
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeRemoving the role results in jdoe's entry in OpenDJ no longer belonging to the
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent BristielContractors group and its employee type being undefined.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request GET \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/system/ldap/account?_queryFilter=/uid+sw+"jdoe"&_prettyPrint=true'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "result" : [ {
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "sn" : "Doe",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "telephoneNumber" : "1-415-599-1100",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "employeeType" : null,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "dn" : "uid=jdoe,ou=People,dc=example,dc=com",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "cn" : "John Doe",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "uid" : "jdoe",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "ldapGroups" : [ "cn=openidm,ou=Groups,dc=example,dc=com" ],
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "givenName" : "John",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "mail" : "jdoe@example.com",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "description" : "Created for OpenIDM",
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "_id" : "uid=jdoe,ou=People,dc=example,dc=com"
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel } ],
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "resultCount" : 1,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "pagedResultsCookie" : null,
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristiel "remainingPagedResults" : -1
110f2406708abfc03243487378c58e559e04e572Jake Feasel }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
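The checks that sections 3 and 4 make by reading the responses can be scripted. This added example (not from the original README; function names are hypothetical) compares a managed user's `effectiveAssignments` with the account returned by `system/ldap/account`, using trimmed copies of the responses above plus one constructed stale account.

```python
ROLE = "managed/role/Contractor"
CONTRACTORS = "cn=Contractors,ou=Groups,dc=example,dc=com"
OPENIDM = "cn=openidm,ou=Groups,dc=example,dc=com"

# Trimmed from the responses on this page.
USER_WITH_ROLE = {"effectiveAssignments": {"ldap": {"attributes": [
    {"name": "ldapGroups", "value": [CONTRACTORS], "assignedThrough": ROLE},
    {"name": "employeeType", "value": "Contractor", "assignedThrough": ROLE},
]}}}
USER_AFTER = {"roles": ["openidm-authorized"], "effectiveAssignments": {}}
ACCOUNT_WITH_ROLE = {"employeeType": "Contractor",
                     "ldapGroups": [OPENIDM, CONTRACTORS]}
ACCOUNT_AFTER = {"employeeType": None, "ldapGroups": [OPENIDM]}
# Constructed: what a failed deprovisioning would leave on the target.
STALE_ACCOUNT = {"employeeType": "Contractor",
                 "ldapGroups": [OPENIDM,
                                "CN=Contractors, ou=Groups,dc=example,dc=com"]}


def _norm(value):
    """Case-insensitive form that ignores spaces around DN commas.

    Simplified: escaped commas inside an RDN value are not handled.
    """
    return ",".join(part.strip() for part in str(value).split(",")).casefold()


def _as_set(value):
    """Treat null, a single value and a list uniformly as a set."""
    if value is None:
        return set()
    return set(value) if isinstance(value, list) else {value}


def assigned(user, system="ldap", through=None):
    """Map attribute name -> values granted by effectiveAssignments.

    With `through`, only values whose assignedThrough equals that role.
    """
    granted = {}
    attrs = (user.get("effectiveAssignments", {})
                 .get(system, {}).get("attributes", []))
    for attr in attrs:
        if through is not None and attr.get("assignedThrough") != through:
            continue
        granted.setdefault(attr["name"], set()).update(_as_set(attr["value"]))
    return granted


def missing_on_target(user, account, system="ldap"):
    """Assigned values the target account lacks (provisioning did not land)."""
    gaps = {}
    for name, values in assigned(user, system).items():
        present = {_norm(v) for v in _as_set(account.get(name))}
        absent = {v for v in values if _norm(v) not in present}
        if absent:
            gaps[name] = absent
    return gaps


def residual_on_target(user_before, user_after, account_after, role_ref,
                       system="ldap"):
    """Values granted only through role_ref that the target still carries."""
    still_granted = assigned(user_after, system)
    leftovers = {}
    for name, values in assigned(user_before, system, role_ref).items():
        revoked = ({_norm(v) for v in values}
                   - {_norm(v) for v in still_granted.get(name, set())})
        stale = {v for v in _as_set(account_after.get(name))
                 if _norm(v) in revoked}
        if stale:
            leftovers[name] = stale
    return leftovers


if __name__ == "__main__":
    print(missing_on_target(USER_WITH_ROLE, ACCOUNT_WITH_ROLE))
    print(residual_on_target(USER_WITH_ROLE, USER_AFTER, ACCOUNT_AFTER, ROLE))
    print(residual_on_target(USER_WITH_ROLE, USER_AFTER, STALE_ACCOUNT, ROLE))
```

Values such as `cn=openidm`, which the account holds without any assignment, are never reported, matching the `mergeWithTarget` behaviour shown above.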
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent BristielNote: some additional samples might be provided to demonstrate the different
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeassignment operations (merge, replace, remove, etc.).
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeThis is pretty much everything you need to know about roles and entitlements
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippeand how to manipulate them via the REST API.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeAt this time entitlements are not available through the Admin UI, but they
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippewill soon be.
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeAppendix
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe--------
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas PhilippeIf you need to reload the Employee and Contractor roles entirely without
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristielgoing through each step in the samples, here are the REST requests
3ee0383ad6381d9b18fb94cf251068f5031ba480Laurent Bristielto do just that:
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "Content-type: application/json" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "If-None-Match: *" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request PUT \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --data '{
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "properties" : {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name" : "Employee",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "description": "Role assigned to workers on the payroll."
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe },
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignments": {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "ldap": {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "attributes": [
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name": "ldapGroups",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value": [
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "cn=Employees,ou=Groups,dc=example,dc=com",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "cn=Chat Users,ou=Groups,dc=example,dc=com"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ],
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation" : "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation" : "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe },
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name": "employeeType",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value": "Employee",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation" : "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation" : "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ]
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/role/Employee'
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe $ curl --insecure \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "Content-type: application/json" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Username: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "X-OpenIDM-Password: openidm-admin" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --header "If-None-Match: *" \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --request PUT \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe --data '{
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "properties" : {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name" : "Contractor",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "description": "Role assigned to contract workers."
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe },
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignments": {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "ldap": {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "attributes": [
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name": "ldapGroups",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value": [
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "cn=Contractors,ou=Groups,dc=example,dc=com"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ],
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation" : "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation" : "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe },
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe {
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "name": "employeeType",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "value": "Contractor",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "assignmentOperation" : "mergeWithTarget",
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe "unassignmentOperation" : "removeFromTarget"
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe ]
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe }' \
c47e9248564b807eca4362bb0e9c4997101a16e9Nicolas Philippe 'https://localhost:8443/openidm/managed/role/Contractor'