Affects Version/s: 1.1.0
Fix Version/s: 1.1.0
SYNCOPE-225 introduced the concept of role owner, which can be either a user or another role (not both at the same time).
Test content provides an example of how the role owner can be propagated by leveraging a derived attribute (ownerDN): this approach works only for propagation and duplicates the AccountLink expression.
A more complete approach is to define a new type of internal mapping, RoleOwnerSchema.
During role propagation (in MappingUtil.getIntValues()), when either
- userOwner != null and the propagating resource has a UMapping defined, or
- roleOwner != null (the propagating resource has an RMapping, since role propagation is ongoing),
the AccountLink (or the AccountId, if no AccountLink is defined) of the owner is generated and given as the value of the external attribute mapped to RoleOwnerSchema.
During role synchronization (in ConnObjectUtil.getAttributableTOFromConnObject()), if the ConnectorObject of the role being synchronized carries a value for this attribute, that value must be used to search the same connector for both ObjectClass.ACCOUNT and ObjectClass.GROUP; if a unique match is found, the matching ConnectorObject can be used to find the corresponding Syncope entity (user or role), and userOwner or roleOwner of the role being synchronized can then be set.
Especially in the case of roleOwner, precedence issues must be taken into account: it might in fact happen that the owned role is synchronized before its owner role.
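Added here as an illustration of the synchronization logic above, not Syncope code: a constructed Python model of the owner lookup across both object classes, the unique-match check, and the deferral of the roleOwner assignment when the owned role is synchronized before its owner role. OwnerResolver, owner_ref and the sample DNs are constructed names; only the ConnId object class names are real.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACCOUNT, GROUP = "__ACCOUNT__", "__GROUP__"  # ConnId ObjectClass.ACCOUNT / ObjectClass.GROUP names

@dataclass
class ConnObject:
    object_class: str
    uid: str                          # AccountLink (or AccountId) of the object on the resource
    owner_ref: Optional[str] = None   # value of the external attribute mapped to RoleOwnerSchema

@dataclass
class Role:
    name: str
    user_owner: Optional[str] = None
    role_owner: Optional[str] = None

class OwnerResolver:  # constructed model, not a Syncope class
    def __init__(self, conn_objects: List[ConnObject], user_by_uid: Dict[str, str]):
        self.conn_objects = conn_objects
        self.user_by_uid = user_by_uid              # connector uid -> username (users assumed already synced)
        self.role_by_uid: Dict[str, Role] = {}      # connector uid -> Role (roles synced so far)
        self.deferred: List[Tuple[Role, str]] = []  # owned roles synced before their owner role
    def search(self, value: str) -> List[ConnObject]:
        # Same connector; both ObjectClass.ACCOUNT and ObjectClass.GROUP are searched
        return [o for o in self.conn_objects if o.uid == value and o.object_class in (ACCOUNT, GROUP)]
    def sync_role(self, obj: ConnObject) -> Role:
        role = Role(obj.uid)
        self.role_by_uid[obj.uid] = role
        if obj.owner_ref:
            self.set_owner(role, obj.owner_ref)
        return role
    def set_owner(self, role: Role, ref: str) -> bool:
        matches = self.search(ref)
        if len(matches) != 1:  # no match, or ambiguous (same value on an account and a group)
            return False
        match = matches[0]
        if match.object_class == ACCOUNT:
            role.user_owner = self.user_by_uid.get(match.uid)
            return role.user_owner is not None
        owner = self.role_by_uid.get(match.uid)
        if owner is None:  # precedence issue: owner role not synchronized yet, retry later
            self.deferred.append((role, ref))
            return False
        role.role_owner = owner.name
        return True
    def resolve_deferred(self) -> int:
        pending, self.deferred = self.deferred, []
        return sum(self.set_owner(role, ref) for role, ref in pending)
```

A sync run would call sync_role() for each GROUP object and resolve_deferred() once afterwards, so roles whose owner appeared later in the same run still get their roleOwner set.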