12 Replies Latest reply: Jul 1, 2011 2:51 AM by user1175296

    Trusted Recon and evaluation of Role Membership Rule

    user1175296
      Scenario
      - Role with a Membership Rule based on the values of two UDF attributes: (ATTR1 == 0 OR ATTR2 ==0)
      - Trusted Reconciliation creates an OIM User with ATTR1 and ATTR2 empty (NULL value).

      Note
      - no Attribute Mapping is possible from Trusted Source on ATTR1 and ATTR2
      - it's not possible to create a Rule that manages empty/NULL values

      Solution (...tries)
      - Plugin/EventHandler on entity-type="User", operation="CREATE", stage="postprocess" to initialize the values of attributes: ATTR1 = 0, ATTR2 = 0

      Issue 1: at the end of the Trusted Reconciliation task the attributes are set on the created OIM User but it is not a member of the Role (it seems the Role Membership Rule is not evaluated after the Plugin/EventHandler execution...)

      - modify the previous Plugin/EventHandler on entity-type="User", operation="CREATE", stage="postprocess" to add the OIM User to the Role (API: RoleManager.grantRole(<rolename>, <userkey-attr>, <userkey-value>))

      Issue 2: at the end of the Trusted Reconciliation task the attributes are set on the created OIM User and it has got the Role membership, but if I try to update the OIM User with values ATTR1 = 1 and ATTR2 = 1, it is still a member of the Role. It seems that the direct Role assignment made by API makes the Rule Membership inactive; in fact, if I manually revoke the Role and then try to set/unset ATTR1 and ATTR2, the Rule Membership is correctly evaluated.

      Question: how can I trigger the evaluation of Membership Rule of the Role (also for all the Roles) after the OIM User creation from Trusted Reconciliation and avoid the direct assignment of the Role to the OIM User?


      Thanks and regards,
      Gabriele.

      Edited by: user1175296 on Jun 22, 2011 1:51 AM

      Edited by: user1175296 on Jun 22, 2011 1:52 AM