  1. OpenIDM
  2. OPENIDM-5575

On sync users using roles and assignments, "no operation" for onAssignment should have no effect

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: OpenIDM 4.5.0
    • Fix Version/s: OpenIDM 4.5.0
    • Component/s: Module - Roles
    • Labels:
    • Environment:
      OpenIDM version "4.1.0-SNAPSHOT" (revision: c8196c4)
    • Target Version/s:
    • Story Points:
      2
    • Sprint:
      OpenIDM Sprint 60

      Description

      On sync users using roles and assignments, "no operation" for onAssignment should have no effect, but currently we observe that it removes the value of the property on the target.
      I know this "no operation" does not make much sense for onAssignment, but then we should either have an error message or really get no operation. Current behaviour is not good.

      Here are the steps to reproduce

      1) start OpenIDM with sample2b with custom provisioner file and sync.json (attached)

      2) create a user in LDAP with "ou" value ["salesforce","forgerock"]

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{"ou":["salesforce","forgerock"],"cn":"Dharlie Blue","dn":"uid=dblue,ou=People,dc=example,dc=com","uid":"dblue","sn":"blue","givenName":"Dharlie","telephoneNumber":"12345","mail":"dblue@example.com","description":"Created for OpenIDM"}' --request PUT "http://localhost:8080/openidm/system/ldap/account/uid=dblue,ou=People,dc=example,dc=com"
      

      3) create an assignment with noOp as onAssignment

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{ "name": "ldap", "description": "assignment description", "mapping": "managedUser_systemLdapAccounts", "attributes": [ { "name": "ou", "value": ["forgerock","workday", "google"], "assignmentOperation": "noOp", "unassignmentOperation": "removeFromTarget" } ] }' --request PUT "http://localhost:8080/openidm/managed/assignment/assignment_with_noop"
      

      4) create a role with this assignment

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{ "name": "role_employee", "description": "Employee Role", "assignments": [{"_ref":"managed/assignment/assignment_with_noop"}] }' --request PUT "http://localhost:8080/openidm/managed/role/employee"
      

      5) create a managed user that will correlate with LDAP user and has "ou" of "selfEmployed"

      curl --header "If-None-Match: *" --header "Content-Type: application/json" --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin" --data '{"userName": "dblue", "telephoneNumber": "6669876987", "givenName": "rick", "description": "Just another John Doe or Joe Smith", "roles": [{"_ref": "managed/role/employee"}], "sn": "sutter", "mail": "rick@example.com", "ou": ["selfemployeed"], "password": "Th3Password"}' --request PUT "http://localhost:8080/openidm/managed/user/dblue"
      

      6) the managed user is synced to LDAP

      curl --header "X-OpenIDM-Password: openidm-admin" --header "X-OpenIDM-Username: openidm-admin"  --request GET "http://localhost:8080/openidm/system/ldap/account/uid=dblue,ou=People,dc=example,dc=com"
      
      {"_id":"uid=dblue,ou=People,dc=example,dc=com","telephoneNumber":"6669876987","ldapGroups":[],"sn":"sutter","ou":[],"dn":"uid=dblue,ou=People,dc=example,dc=com","disabled":null,"employeeType":null,"mail":"rick@example.com","cn":"rick sutter","givenName":"rick","uid":"dblue","description":"Just another John Doe or Joe Smith"}
      

      => here we would expect that the "ou" is still ["salesforce","forgerock"] but it became [], which is not OK

              People

              Assignee:
              chad.kienle chad.kienle
              Reporter:
              laurent.bristiel Laurent Bristiel [X] (Inactive)