...
There is also a more sophisticated way how to associate entitlements with accounts inside an assignment. There is a special-purpose associationTargetSearch expression evaluator that allows significant flexibility. This type of expression is using a search query to dynamically locate the entitlement shadow. Following example is looking up the group by name:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<assignment>
<construction>
<resourceRef oid="10000000-0000-0000-0000-000000000004"/>
<kind>account</kind>
<association>
<ref>ri:group</ref>
<outbound>
<expression>
<associationTargetSearch>
<query><filter>
<q:equal>
<q:path>attributes/icfs:name</q:path>
<q:value>landlubers</q:value>
</q:equal>
</query>filter>
</associationTargetSearch>
</expression>
</outbound>
</association>
</construction>
</assignment> |
...
This associationTargetSearch mechanism is usually used in a combination with an inner expression in the search filter. In this case we can use algorithm to determine the name of the entitlement (group) that we are looking for.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<assignment>
<construction>
<resourceRef oid="10000000-0000-0000-0000-000000000004"/>
<kind>account</kind>
<association>
<ref>ri:group</ref>
<outbound>
<source>
<path>name</path>
</source>
<expression>
<associationTargetSearch>
<query><filter>
<q:equal>
<q:path>attributes/icfs:name</q:path>
<expression>
<script>
<code>'group-' + name</code>
</script>
</expression>
</q:equal>
</query>filter>
</associationTargetSearch>
</expression>
</outbound>
</association>
</construction>
</assignment> |
...