Roles and relationship change notification

Before you read this section, see Configure relationship change notification to understand the `notify` and `notifyRelationships` properties, and how change notification works for relationships in general. In the case of roles, the change notification configuration exists to ensure that managed users are notified when any of the relationships that link users, roles, and assignments are manipulated (that is, created, updated, or deleted).

Consider the situation where a user has role R. A new assignment A is created that references role R. Ultimately, we want to notify all users that have role R so that their reconciliation state will reflect any attributes in the new assignment A. We achieve this notification with the following configuration:

In the managed object schema, the `assignment` object definition has a `roles` property whose `items` include a `resourceCollection`. The `path` of this resource collection is `managed/realm-name_role`, and `"notify" : true` is set for the resource collection:
```json
{
    "name" : "assignment",
    "schema" : {
        ...
        "properties" : {
            ...
            "roles" : {
                ...
                "items" : {
                    ...
                    "resourceCollection" : [
                        {
                            "notify" : true,
                            "path" : "managed/realm-name_role",
                            "label" : "Role",
                            "query" : {
                                "queryFilter" : "true",
                                "fields" : [
                                    "name"
                                ]
                            }
                        }
                    ...
}
```
With this configuration, when assignment A is created with a reference to role R, role R is notified of the change. However, we still need to propagate that notification to any users who are members of role R. To do this, we configure the `role` object as follows:
```json
{
    "name" : "role",
    "schema" : {
        ...
        "properties" : {
            ...
            "assignments" : {
                ...
                "notifyRelationships" : ["members"]
            }
            ...
}
```
When role R is notified of the creation of a new relationship to assignment A, the notification is propagated through the `assignments` property. Because `"notifyRelationships" : ["members"]` is set on the `assignments` property, the notification is propagated across role R to all members of role R.
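The two-hop propagation described above (assignment A notifies role R, which forwards to its members), as an added model that is not part of the original documentation or of the product: the schema and relationship graph are constructed and reduced to the notification-relevant keys, the `reversePropertyName` entries and the plain `managed/role`-style paths are assumptions (the page does not show the reverse property and uses a realm-prefixed path), and forwarding beyond the second hop simply reapplies the same rule.

```python
# Constructed, reduced managed-object schema with only the notification-
# relevant parts. "reversePropertyName" names the other side of each
# bidirectional relationship (assumed; the page does not show it). The realm
# prefix on the page's "managed/realm-name_role" path is dropped here.
SCHEMA = {
    "assignment": {
        "roles": {"reversePropertyName": "assignments",
                  "resourceCollection": [{"notify": True, "path": "managed/role"}]}},
    "role": {
        "assignments": {"reversePropertyName": "roles",
                        "notifyRelationships": ["members"],
                        "resourceCollection": [{"notify": False, "path": "managed/assignment"}]},
        "members": {"reversePropertyName": "roles",
                    "resourceCollection": [{"notify": False, "path": "managed/user"}]}},
    "user": {
        "roles": {"reversePropertyName": "members",
                  "resourceCollection": [{"notify": False, "path": "managed/role"}]}},
}

# Constructed relationship graph: (type, id) -> property -> linked (type, id).
GRAPH = {
    ("assignment", "A"): {"roles": [("role", "R")]},
    ("role", "R"): {"assignments": [("assignment", "A")],
                    "members": [("user", "alice"), ("user", "bob")]},
}


def notified_objects(schema, graph, source, prop):
    """Objects notified when a relationship held in `prop` of `source` is
    created, updated or deleted.  Hop 1: resourceCollection entries with
    "notify": true notify the referenced object.  Later hops: on a notified
    object, the property holding the reverse side of the relationship may
    list notifyRelationships; the notification is forwarded through each.
    Reapplying the rule past hop 2 is this model's assumption."""
    spec = schema[source[0]][prop]
    notify_types = {c["path"].rsplit("/", 1)[-1]
                    for c in spec["resourceCollection"] if c.get("notify")}
    pending = [(t, spec["reversePropertyName"])
               for t in graph.get(source, {}).get(prop, []) if t[0] in notify_types]
    notified = set()
    while pending:
        obj, via = pending.pop()
        if obj in notified:
            continue  # cycle guard, e.g. role -> user -> role
        notified.add(obj)
        for rel in schema[obj[0]][via].get("notifyRelationships", []):
            rev = schema[obj[0]][rel]["reversePropertyName"]
            pending.extend((linked, rev) for linked in graph.get(obj, {}).get(rel, []))
    return notified
```

Creating assignment A with a reference to role R yields role R plus both of its members, whereas a change on `role.members` (whose resource collection has no `notify`) yields nothing, which is the symptom to look for when users' reconciliation state silently lags behind a new assignment.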