UserMembersRule variables

Is there any way that you can retrieve the name of a virtual organization with which a UserMembersRule is linked? What I would like to do is select all users that have a reference to the organization. So something like:

<Rule authType='UserMembersRule' id='#ID#F0ED2A6D7FB07688:135605A:110A1121944:-7FF1' name='myMembersRule' displayName='myMembersRule'>
  <block>
    <list>
      <new class='com.waveset.object.AttributeCondition'>
        <s>userorglist</s> <!-- user extended attribute -->
        <s>contains</s>
        <ref>organizationName</ref> <!-- would be nice!! -->
      </new>
    </list>
  </block>
  <MemberObjectGroups>
    <ObjectRef type='ObjectGroup' id='#ID#Top' name='Top'/>
  </MemberObjectGroups>
</Rule>

Where indeed userorglist is an extended attribute that will be managed per user containing the list of orgs that they belong to. So it would be nice to check if the 'current' org (the one that the rule is called for) is in the list. Is the org available in some variable?

Thanks,

Marcel

[1446 byte] By [snijkerma] at [2007-11-26 17:51:31]
# 1
Hi Marcel,

could you figure out any solution for this problem (as I'm running into the same issue)?

Best regards,

Sebastian

suelmanna at 2007-7-9 5:04:02
# 2
Hi Sebastian,

No responses and no new ideas for this one. Except that a specific member rule per organization has to be created. Which is a not so flexible solution.

Thanks,

Marcel

snijkerma at 2007-7-9 5:04:02
# 3
Hi Marcel,

I couldn't find a solution either. So I'll create a rule for each of my organizations as well. Anyway, thanks a lot for your reply.

Best regards,

Sebastian

suelmanna at 2007-7-9 5:04:02
# 4

Hi,

I tried it and found at least one (sad) reason why it does not work.

I created a user extended attribute department for my test and, using a multiselect, assigned a test user 2 values for department.

<Attribute name='department' type='string'>
  <value>HR</value>
  <value>IT</value>
</Attribute>

I also have department in the QueryableAttrNames section of my UserUIConfig in order to have it searchable. That's how the UserMembersRule should work after all.

select ua.attrval from userattr ua, userobj uo where ua.attrname ='DEPARTMENT' and ua.id = uo.id and uo.name = 'JOHN'

shows that for my test user "John" only one (the first) of the multiple values is stored in the table used for searching user attributes. I was not aware of that weak handling of multivalued user attributes before, but seeing this it is clear that the straightforward approach to users being in multiple orgs cannot work :(

If I had your task I might put the department in a custom table and let the member rule do SQL lookups to work around the deficiency of multivalued user extended attributes.

Regards,

Patrick

Patrick.Wehingera at 2007-7-9 5:04:02
# 5

Hi Patrick,

(Thanks Patrick for your help, again!)

Your answer on this one goes a bit beyond my control over knowing where queries are executed etc. My intention for this generic members rule might also be a bit simpler: I wanted to create only 1 rule that can be shared over many organisations. The initial problem I had was that I cannot get hold of the name of the organization that the rule is executed for at the time of execution. Only once that name is available as a variable could I start doing something like what you describe. So this is all a bit too challenging for me... Here the logic of such a members rule would be (pseudo-Java):

return (user.getOrganizations().contains(organizationName));

But for that I first need the organizationName variable, and then I would probably bump into the problem that you describe, that I cannot maintain something like an 'organizations' property of the user....

Thanks,

Marcel

snijkerma at 2007-7-9 5:04:02
# 6

Hi Marcel,

at least with IdM7 this information is available upon rule evaluation in

userMemberRuleOrganizationPathName and

userMemberRuleOrganizationDisplayName

But if your intention is to model a whole/big organizational tree with userMemberRuleOrgs just in order to allow people to be in more than one org, I should warn you. I once came up with a similar approach in the presence of Tim Corder and he warned me about doing that. The argument was something along the line that the userMemberRuleOrganizations were not meant to be used in dozens/hundreds but actually should solve a lot of requirements by having a single one.

If my interpretation of what Tim tried to tell me is correct, using the member rules you do not need a full tree in IdM anymore. If the tree is no longer truly hierarchical because its leaves (users) are in several places, leave the IdM model and roll your own.

Say you have a single org with dynamic members, let us call it dynorg. Each user is assigned one or more "org memberships" by storing full org paths in a DB (UserExtendedAttributes are not a good idea here, as pointed out before).

User joe is in

EU:BE:VL:ANT

EU:BE:VL:LEU

All admins control dynorg. If you want to know if a user is in there for a certain admin to administer, simply assign a property to the admin (again in a DB probably).

admin fred controls:

EU:BE

to decide if fred controls joe, in pseudocode you can do something like

  // getOrgs() is assumed to return joe's full org paths as strings
  boolean fredControls(User joe, String fredsControlledOrg) {
      // exact match: joe is a direct member of the org fred controls
      if (joe.getOrgs().contains(fredsControlledOrg)) {
          return true;
      }
      // prefix match on the ':' delimiter: joe sits somewhere below that org
      Iterator it = joe.getOrgs().iterator();
      while (it.hasNext()) {
          String org = (String) it.next();
          if (org.startsWith(fredsControlledOrg + ":")) return true;
      }
      return false;
  }

Of course you have to take all users into account, not just joe. And you should return a list of controlled users. A query should allow you to do what the pseudocode does for all users in reasonable time.

In "PseudoSQL" something like:

select userName from user2org where orgpath = fredsControlledOrg or orgpath like fredsControlledOrg+':%'

should do the trick. Another nice side effect might be that you do not have to keep an IdM tree in sync. If the data in the user2org table comes from HR you are fine without syncing anything.

Regards,

Patrick

Patrick.Wehingera at 2007-7-9 5:04:02
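As an added example (not from the thread and not IdM code), the scope check Patrick sketches in pseudocode and pseudo-SQL, implemented in Python over an in-memory SQLite user2org table with constructed rows. The org path is passed as a bound parameter rather than concatenated into the SQL, and its LIKE wildcards are escaped, so the ':' delimited prefix match neither over-matches sibling orgs (EU:BEL is not below EU:BE) nor behaves unexpectedly if a path contains '%' or '_'. The schema (userName, orgpath) is assumed from the pseudo-SQL.

```python
import sqlite3

# Constructed sample data, not from the thread: one row per (user, org path) membership.
SAMPLE_USER2ORG = [
    ("joe",  "EU:BE:VL:ANT"),
    ("joe",  "EU:BE:VL:LEU"),
    ("anna", "EU:BEL:LUX"),    # starts with the text "EU:BE" but is a different org
    ("mary", "EU:DE:BY:MUC"),
    ("root", "EU:BE"),         # sits exactly at the admin's org, not below it
]


def load_user2org(rows):
    """Build the assumed user2org table (userName, orgpath) in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user2org (userName TEXT NOT NULL, orgpath TEXT NOT NULL)")
    conn.executemany("INSERT INTO user2org VALUES (?, ?)", rows)
    conn.commit()
    return conn


def org_in_scope(org, controlled_org):
    """In-memory check: exact match, or strictly below the admin's org (':' separated)."""
    return org == controlled_org or org.startswith(controlled_org + ":")


def user_in_scope(user_orgs, controlled_org):
    """True if any of the user's org memberships falls inside the admin's scope."""
    return any(org_in_scope(o, controlled_org) for o in user_orgs)


def controlled_users(conn, controlled_org):
    """Same rule as one parameterised query; LIKE wildcards in the path are escaped.

    Note: SQLite's LIKE is case-insensitive for ASCII, so keep org paths in a
    single canonical case (the sample data is all upper case).
    """
    escaped = (controlled_org.replace("\\", "\\\\")
                             .replace("%", "\\%")
                             .replace("_", "\\_"))
    sql = ("SELECT DISTINCT userName FROM user2org "
           "WHERE orgpath = ? OR orgpath LIKE ? ESCAPE '\\' "
           "ORDER BY userName")
    return [row[0] for row in conn.execute(sql, (controlled_org, escaped + ":%"))]


if __name__ == "__main__":
    conn = load_user2org(SAMPLE_USER2ORG)
    print(controlled_users(conn, "EU:BE"))  # ['joe', 'root']; anna is not in scope
```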