Examples with SysSystemAttributeMappingFilter eu.bcvsolutions.idm.acc.dto.filter.SysSystemAttributeMappingFilter used on opensource projects

Example 46 with SysSystemAttributeMappingFilter

use of eu.bcvsolutions.idm.acc.dto.filter.SysSystemAttributeMappingFilter in project CzechIdMng by bcvsolutions.

the class AdGroupConnectorType method createSync.

/**
 * Creates role sync.
 */
private void createSync(ConnectorTypeDto connectorType) {
    boolean membershipSwitch = Boolean.parseBoolean(connectorType.getMetadata().get(SysSyncRoleConfig_.membershipSwitch.getName()));
    boolean assignCatalogueSwitch = Boolean.parseBoolean(connectorType.getMetadata().get(SysSyncRoleConfig_.assignCatalogueSwitch.getName()));
    boolean assignRoleSwitch = Boolean.parseBoolean(connectorType.getMetadata().get(SysSyncRoleConfig_.assignRoleSwitch.getName()));
    boolean assignRoleRemoveSwitch = Boolean.parseBoolean(connectorType.getMetadata().get(SysSyncRoleConfig_.assignRoleRemoveSwitch.getName()));
    boolean removeCatalogueRoleSwitch = Boolean.parseBoolean(connectorType.getMetadata().get(SysSyncRoleConfig_.removeCatalogueRoleSwitch.getName()));
    UUID mainRoleCatalogId = connectorType.getMetadata().get(MAIN_ROLE_CATALOG) != null ? UUID.fromString(connectorType.getMetadata().get(MAIN_ROLE_CATALOG)) : null;
    String newRoleCatalogCode = connectorType.getMetadata().get(NEW_ROLE_CATALOG);
    // Get mapping ID.
    String mappingSyncId = connectorType.getMetadata().get(MAPPING_SYNC_ID);
    Assert.notNull(mappingSyncId, "ID of mapping cannot be null!");
    // Get sync ID.
    String roleSyncId = connectorType.getMetadata().get(GROUP_SYNC_ID);
    SysSyncRoleConfigDto syncRoleConfigDto = null;
    if (roleSyncId == null) {
        SysSystemAttributeMappingFilter codeFilter = new SysSystemAttributeMappingFilter();
        codeFilter.setSystemMappingId(UUID.fromString(mappingSyncId));
        codeFilter.setIdmPropertyName(IdmRole_.baseCode.getName());
        SysSystemAttributeMappingDto codeAttribute = getSystemAttributeMappingService().find(codeFilter, null).getContent().stream().filter(SysSystemAttributeMappingDto::isEntityAttribute).findFirst().orElse(null);
        Assert.notNull(codeAttribute, "Code attribute cannot be null!");
        syncRoleConfigDto = new SysSyncRoleConfigDto();
        syncRoleConfigDto.setName(GROUP_SYNC_NAME);
        syncRoleConfigDto.setReconciliation(true);
        syncRoleConfigDto.setDifferentialSync(false);
        syncRoleConfigDto.setSystemMapping(UUID.fromString(mappingSyncId));
        syncRoleConfigDto.setUnlinkedAction(SynchronizationUnlinkedActionType.LINK_AND_UPDATE_ENTITY);
        syncRoleConfigDto.setMissingEntityAction(SynchronizationMissingEntityActionType.IGNORE);
        syncRoleConfigDto.setMissingAccountAction(ReconciliationMissingAccountActionType.IGNORE);
        syncRoleConfigDto.setLinkedAction(SynchronizationLinkedActionType.UPDATE_ENTITY);
        syncRoleConfigDto.setCorrelationAttribute(codeAttribute.getId());
    } else {
        syncRoleConfigDto = (SysSyncRoleConfigDto) getSyncConfigService().get(UUID.fromString(roleSyncId));
    }
    String memberSystemMappingId = connectorType.getMetadata().get(MEMBER_SYSTEM_MAPPING);
    SysSystemMappingDto systemMappingDto = null;
    if (memberSystemMappingId != null) {
        systemMappingDto = getSystemMappingService().get(UUID.fromString(memberSystemMappingId), IdmBasePermission.READ);
    }
    if (systemMappingDto != null) {
        // LDAP groups attribute.
        SysSystemAttributeMappingFilter attributeFilter = new SysSystemAttributeMappingFilter();
        attributeFilter.setSystemMappingId(systemMappingDto.getId());
        attributeFilter.setSchemaAttributeName(LDAP_GROUPS_ATTRIBUTE);
        SysSystemAttributeMappingDto ldapGroupsAttribute = getSystemAttributeMappingService().find(attributeFilter, null).getContent().stream().findFirst().orElse(null);
        syncRoleConfigDto.setMembershipSwitch(true);
        syncRoleConfigDto.setMemberSystemMapping(systemMappingDto.getId());
        if (ldapGroupsAttribute != null) {
            syncRoleConfigDto.setMemberOfAttribute(ldapGroupsAttribute.getId());
        }
        // Member DN schema attribute.
        SysSchemaAttributeFilter schemaAttributeFilter = new SysSchemaAttributeFilter();
        schemaAttributeFilter.setObjectClassId(systemMappingDto.getObjectClass());
        schemaAttributeFilter.setName(DN_ATTR_CODE);
        SysSchemaAttributeDto dnAttribute = getSchemaAttributeService().find(schemaAttributeFilter, null).getContent().stream().findFirst().orElse(null);
        if (dnAttribute != null) {
            syncRoleConfigDto.setMemberIdentifierAttribute(dnAttribute.getId());
        }
    }
    syncRoleConfigDto.setAssignRoleSwitch(assignRoleSwitch);
    syncRoleConfigDto.setAssignCatalogueSwitch(assignCatalogueSwitch);
    syncRoleConfigDto.setAssignRoleRemoveSwitch(assignRoleRemoveSwitch);
    syncRoleConfigDto.setMembershipSwitch(membershipSwitch);
    syncRoleConfigDto.setRemoveCatalogueRoleSwitch(removeCatalogueRoleSwitch);
    if (mainRoleCatalogId != null) {
        syncRoleConfigDto.setMainCatalogueRoleNode(mainRoleCatalogId);
    } else if (Strings.isNotBlank(newRoleCatalogCode)) {
        // Check if new catalog is unique.
        IdmRoleCatalogueDto newRoleCatalog = roleCatalogueService.getByCode(newRoleCatalogCode);
        if (newRoleCatalog == null) {
            // Create new catalog.
            newRoleCatalog = new IdmRoleCatalogueDto();
            newRoleCatalog.setCode(newRoleCatalogCode);
            newRoleCatalog.setName(newRoleCatalogCode);
            newRoleCatalog = roleCatalogueService.save(newRoleCatalog, IdmBasePermission.CREATE);
        }
        syncRoleConfigDto.setMainCatalogueRoleNode(newRoleCatalog.getId());
    }
    if (syncRoleConfigDto.isRemoveCatalogueRoleSwitch()) {
        // If removing of a catalog is enabled, then main catalog will be use as parent.
        syncRoleConfigDto.setRemoveCatalogueRoleParentNode(syncRoleConfigDto.getMainCatalogueRoleNode());
    }
    syncRoleConfigDto = (SysSyncRoleConfigDto) getSyncConfigService().save(syncRoleConfigDto);
    connectorType.getMetadata().put(GROUP_SYNC_ID, syncRoleConfigDto.getId().toString());
}

Example 47 with SysSystemAttributeMappingFilter

use of eu.bcvsolutions.idm.acc.dto.filter.SysSystemAttributeMappingFilter in project CzechIdMng by bcvsolutions.

the class CrossDomainAdUserConnectorTypeTest method testUpdateAccountInCrossDomain.

@Test
public void testUpdateAccountInCrossDomain() {
    ConnectorType connectorType = connectorManager.getConnectorType(MockCrossDomainAdUserConnectorType.NAME);
    SysSystemDto systemDto = initSystem(connectorType);
    SysSystemAttributeMappingFilter filter = new SysSystemAttributeMappingFilter();
    filter.setSystemId(systemDto.getId());
    filter.setName(MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE);
    List<SysSystemAttributeMappingDto> attributes = attributeMappingService.find(filter, null).getContent();
    assertEquals(1, attributes.size());
    SysSystemAttributeMappingDto ldapGroupsAttribute = attributes.stream().findFirst().get();
    // Creates cross-domain group.
    SysSystemGroupDto groupSystemDto = new SysSystemGroupDto();
    groupSystemDto.setCode(getHelper().createName());
    groupSystemDto.setType(SystemGroupType.CROSS_DOMAIN);
    groupSystemDto = systemGroupService.save(groupSystemDto);
    SysSystemGroupSystemDto systemGroupSystemOne = new SysSystemGroupSystemDto();
    systemGroupSystemOne.setSystemGroup(groupSystemDto.getId());
    systemGroupSystemOne.setMergeAttribute(ldapGroupsAttribute.getId());
    systemGroupSystemOne.setSystem(systemDto.getId());
    systemGroupSystemService.save(systemGroupSystemOne);
    // Creates the login role.
    IdmRoleDto loginRole = helper.createRole();
    helper.createRoleSystem(loginRole, systemDto);
    // Creates cross-domain no-login role.
    IdmRoleDto roleInCrossDomainGroup = helper.createRole();
    SysRoleSystemDto roleSystem = helper.createRoleSystem(roleInCrossDomainGroup, systemDto);
    SysRoleSystemFilter roleSystemFilter = new SysRoleSystemFilter();
    roleSystemFilter.setIsInCrossDomainGroupRoleId(roleInCrossDomainGroup.getId());
    roleSystemFilter.setCheckIfIsInCrossDomainGroup(Boolean.TRUE);
    roleSystemFilter.setId(roleSystem.getId());
    List<SysRoleSystemDto> roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(0, roleSystemDtos.size());
    // Creates overridden ldapGroup merge attribute.
    createOverriddenLdapGroupAttribute(ldapGroupsAttribute, roleSystem);
    // Role-system should be in cross-domain group now.
    roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(1, roleSystemDtos.size());
    SysRoleSystemDto roleSystemDto = roleSystemDtos.stream().findFirst().get();
    assertTrue(roleSystemDto.isInCrossDomainGroup());
    IdmIdentityDto identity = getHelper().createIdentity();
    IdmIdentityContractDto contract = getHelper().createContract(identity);
    mockCrossDomainAdUserConnectorType.setReadConnectorObjectCallBack((system, uid, objectClass) -> {
        IcConnectorObjectImpl connectorObject = new IcConnectorObjectImpl(identity.getUsername(), null, null);
        connectorObject.getAttributes().add(new IcAttributeImpl(MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE, "TWO"));
        return mockCrossDomainAdUserConnectorType.getCrossDomainConnectorObject(system, uid, objectClass, connectorObject);
    });
    IdmRoleRequestDto roleRequestDto = getHelper().assignRoles(contract, roleInCrossDomainGroup, loginRole);
    assertEquals(RoleRequestState.EXECUTED, roleRequestDto.getState());
    assertNotNull(roleRequestDto.getSystemState());
    AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
    identityAccountFilter.setIdentityId(identity.getId());
    identityAccountFilter.setSystemId(systemDto.getId());
    assertEquals(1, identityAccountService.find(identityAccountFilter, null).getContent().size());
    // Check if provisioning contains ldapGroups attribute with value ('ONE') from the role.
    SysProvisioningOperationFilter provisioningOperationFilter = new SysProvisioningOperationFilter();
    provisioningOperationFilter.setSystemId(systemDto.getId());
    provisioningOperationFilter.setEntityType(SystemEntityType.IDENTITY);
    provisioningOperationFilter.setEntityIdentifier(identity.getId());
    List<SysProvisioningOperationDto> provisioningOperationDtos = provisioningOperationService.find(provisioningOperationFilter, null).getContent();
    assertEquals(1, provisioningOperationDtos.size());
    SysProvisioningOperationDto provisioningOperationDto = provisioningOperationDtos.stream().findFirst().get();
    assertEquals(ProvisioningEventType.UPDATE, provisioningOperationDto.getOperationType());
    ProvisioningAttributeDto provisioningAttributeLdapGroupsDto = provisioningOperationDto.getProvisioningContext().getAccountObject().keySet().stream().filter(provisioningAtt -> MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE.equals(provisioningAtt.getSchemaAttributeName())).findFirst().get();
    assertNotNull(provisioningAttributeLdapGroupsDto);
    Object ldapGroupsValue = provisioningOperationDto.getProvisioningContext().getAccountObject().get(provisioningAttributeLdapGroupsDto);
    assertEquals(1, ((List<?>) ldapGroupsValue).size());
    assertTrue(((List<?>) ldapGroupsValue).stream().anyMatch(value -> value.equals("ONE")));
    IcAttribute ldapGroups = provisioningOperationDto.getProvisioningContext().getConnectorObject().getAttributeByName(MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE);
    IcAttribute ldapGroupsOld = provisioningOperationDto.getProvisioningContext().getConnectorObject().getAttributeByName(MessageFormat.format(MockCrossDomainAdUserConnectorType.OLD_ATTRIBUTE_PATTERN, MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE));
    assertNotNull(ldapGroups);
    assertTrue(ldapGroups.getValues().stream().anyMatch(value -> value.equals("ONE")));
    assertTrue(ldapGroups.getValues().stream().anyMatch(value -> value.equals("TWO")));
    assertNotNull(ldapGroupsOld);
    assertEquals(1, ldapGroupsOld.getValues().size());
    assertTrue(ldapGroupsOld.getValues().stream().anyMatch(value -> value.equals("TWO")));
    // Clean
    provisioningOperationService.deleteOperations(systemDto.getId());
    systemGroupService.delete(groupSystemDto);
    getHelper().deleteIdentity(identity.getId());
    mockCrossDomainAdUserConnectorType.setReadConnectorObjectCallBack(null);
}

Example 48 with SysSystemAttributeMappingFilter

use of eu.bcvsolutions.idm.acc.dto.filter.SysSystemAttributeMappingFilter in project CzechIdMng by bcvsolutions.

the class CrossDomainAdUserConnectorTypeTest method testRoleSystemInDisabledCrossDomainGroup.

@Test
public void testRoleSystemInDisabledCrossDomainGroup() {
    ConnectorType connectorType = connectorManager.getConnectorType(MockCrossDomainAdUserConnectorType.NAME);
    SysSystemDto systemDto = initSystem(connectorType);
    SysSystemAttributeMappingFilter filter = new SysSystemAttributeMappingFilter();
    filter.setSystemId(systemDto.getId());
    filter.setName(MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE);
    List<SysSystemAttributeMappingDto> attributes = attributeMappingService.find(filter, null).getContent();
    assertEquals(1, attributes.size());
    SysSystemAttributeMappingDto ldapGroupsAttribute = attributes.stream().findFirst().get();
    // Creates cross-domain group.
    SysSystemGroupDto groupSystemDto = new SysSystemGroupDto();
    groupSystemDto.setCode(getHelper().createName());
    groupSystemDto.setType(SystemGroupType.CROSS_DOMAIN);
    groupSystemDto.setDisabled(true);
    groupSystemDto = systemGroupService.save(groupSystemDto);
    SysSystemGroupSystemDto systemGroupSystemOne = new SysSystemGroupSystemDto();
    systemGroupSystemOne.setSystemGroup(groupSystemDto.getId());
    systemGroupSystemOne.setMergeAttribute(ldapGroupsAttribute.getId());
    systemGroupSystemOne.setSystem(systemDto.getId());
    systemGroupSystemOne = systemGroupSystemService.save(systemGroupSystemOne);
    // Creates cross-domain no-login role.
    IdmRoleDto roleInCrossDomainGroup = helper.createRole();
    SysRoleSystemDto roleSystem = helper.createRoleSystem(roleInCrossDomainGroup, systemDto);
    SysRoleSystemFilter roleSystemFilter = new SysRoleSystemFilter();
    roleSystemFilter.setIsInCrossDomainGroupRoleId(roleInCrossDomainGroup.getId());
    roleSystemFilter.setCheckIfIsInCrossDomainGroup(Boolean.TRUE);
    roleSystemFilter.setId(roleSystem.getId());
    List<SysRoleSystemDto> roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(0, roleSystemDtos.size());
    // Creates overridden ldapGroup merge attribute.
    createOverriddenLdapGroupAttribute(ldapGroupsAttribute, roleSystem);
    // Role-system should be not in a cross-domain group now.
    roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(0, roleSystemDtos.size());
    // Flag 'isInCrossDomainGroup' in role-system should be false now.
    roleSystemFilter.setIsInCrossDomainGroupRoleId(null);
    roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(1, roleSystemDtos.size());
    SysRoleSystemDto roleSystemDto = roleSystemDtos.stream().findFirst().get();
    assertFalse(roleSystemDto.isInCrossDomainGroup());
    // Clean
    systemGroupService.delete(groupSystemDto);
    assertNull(systemGroupSystemService.get(systemGroupSystemOne));
    systemService.delete(systemDto);
    roleService.delete(roleInCrossDomainGroup);
}

Example 49 with SysSystemAttributeMappingFilter

use of eu.bcvsolutions.idm.acc.dto.filter.SysSystemAttributeMappingFilter in project CzechIdMng by bcvsolutions.

the class CrossDomainAdUserConnectorTypeTest method testRoleInCrossDomainGroupCannotCreateAccount.

@Test
public void testRoleInCrossDomainGroupCannotCreateAccount() {
    ConnectorType connectorType = connectorManager.getConnectorType(MockCrossDomainAdUserConnectorType.NAME);
    SysSystemDto systemDto = initSystem(connectorType);
    SysSystemAttributeMappingFilter filter = new SysSystemAttributeMappingFilter();
    filter.setSystemId(systemDto.getId());
    filter.setName(MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE);
    List<SysSystemAttributeMappingDto> attributes = attributeMappingService.find(filter, null).getContent();
    assertEquals(1, attributes.size());
    SysSystemAttributeMappingDto ldapGroupsAttribute = attributes.stream().findFirst().get();
    // Creates cross-domain group.
    SysSystemGroupDto groupSystemDto = new SysSystemGroupDto();
    groupSystemDto.setCode(getHelper().createName());
    groupSystemDto.setType(SystemGroupType.CROSS_DOMAIN);
    groupSystemDto = systemGroupService.save(groupSystemDto);
    SysSystemGroupSystemDto systemGroupSystemOne = new SysSystemGroupSystemDto();
    systemGroupSystemOne.setSystemGroup(groupSystemDto.getId());
    systemGroupSystemOne.setMergeAttribute(ldapGroupsAttribute.getId());
    systemGroupSystemOne.setSystem(systemDto.getId());
    systemGroupSystemService.save(systemGroupSystemOne);
    // Creates the login role.
    IdmRoleDto loginRole = helper.createRole();
    helper.createRoleSystem(loginRole, systemDto);
    // Creates cross-domain no-login role.
    IdmRoleDto roleInCrossDomainGroup = helper.createRole();
    SysRoleSystemDto roleSystem = helper.createRoleSystem(roleInCrossDomainGroup, systemDto);
    SysRoleSystemFilter roleSystemFilter = new SysRoleSystemFilter();
    roleSystemFilter.setIsInCrossDomainGroupRoleId(roleInCrossDomainGroup.getId());
    roleSystemFilter.setCheckIfIsInCrossDomainGroup(Boolean.TRUE);
    roleSystemFilter.setId(roleSystem.getId());
    List<SysRoleSystemDto> roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(0, roleSystemDtos.size());
    // Creates overridden ldapGroup merge attribute.
    createOverriddenLdapGroupAttribute(ldapGroupsAttribute, roleSystem);
    // Role-system should be in cross-domain group now.
    roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(1, roleSystemDtos.size());
    SysRoleSystemDto roleSystemDto = roleSystemDtos.stream().findFirst().get();
    assertTrue(roleSystemDto.isInCrossDomainGroup());
    IdmIdentityDto identity = getHelper().createIdentity();
    IdmIdentityContractDto contract = getHelper().createContract(identity);
    IdmRoleRequestDto roleRequestDto = getHelper().assignRoles(contract, false, roleInCrossDomainGroup);
    assertEquals(RoleRequestState.EXECUTED, roleRequestDto.getState());
    assertNull(roleRequestDto.getSystemState());
    AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
    identityAccountFilter.setIdentityId(identity.getId());
    identityAccountFilter.setSystemId(systemDto.getId());
    assertEquals(0, identityAccountService.find(identityAccountFilter, null).getContent().size());
    roleRequestDto = getHelper().assignRoles(contract, false, loginRole);
    assertEquals(RoleRequestState.EXECUTED, roleRequestDto.getState());
    assertNotNull(roleRequestDto.getSystemState());
    assertEquals(1, identityAccountService.find(identityAccountFilter, null).getContent().size());
    // Check if provisioning contains ldapGroups attribute with value ('ONE') from the role.
    SysProvisioningOperationFilter provisioningOperationFilter = new SysProvisioningOperationFilter();
    provisioningOperationFilter.setSystemId(systemDto.getId());
    provisioningOperationFilter.setEntityType(SystemEntityType.IDENTITY);
    provisioningOperationFilter.setEntityIdentifier(identity.getId());
    List<SysProvisioningOperationDto> provisioningOperationDtos = provisioningOperationService.find(provisioningOperationFilter, null).getContent();
    assertEquals(1, provisioningOperationDtos.size());
    SysProvisioningOperationDto provisioningOperationDto = provisioningOperationDtos.stream().findFirst().get();
    ProvisioningAttributeDto provisioningAttributeLdapGroupsDto = provisioningOperationDto.getProvisioningContext().getAccountObject().keySet().stream().filter(provisioningAtt -> MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE.equals(provisioningAtt.getSchemaAttributeName())).findFirst().get();
    assertNotNull(provisioningAttributeLdapGroupsDto);
    Object ldapGroupsValue = provisioningOperationDto.getProvisioningContext().getAccountObject().get(provisioningAttributeLdapGroupsDto);
    assertEquals("ONE", ((List<?>) ldapGroupsValue).get(0));
    // Clean
    provisioningOperationService.deleteOperations(systemDto.getId());
    systemGroupService.delete(groupSystemDto);
    getHelper().deleteIdentity(identity.getId());
}

Example 50 with SysSystemAttributeMappingFilter

use of eu.bcvsolutions.idm.acc.dto.filter.SysSystemAttributeMappingFilter in project CzechIdMng by bcvsolutions.

the class CrossDomainAdUserConnectorTypeTest method testRoleInCrossDomainGroupProvisioningForBusinessRole.

@Test
public void testRoleInCrossDomainGroupProvisioningForBusinessRole() {
    ConnectorType connectorType = connectorManager.getConnectorType(MockCrossDomainAdUserConnectorType.NAME);
    SysSystemDto systemDto = initSystem(connectorType);
    SysSystemAttributeMappingFilter filter = new SysSystemAttributeMappingFilter();
    filter.setSystemId(systemDto.getId());
    filter.setName(MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE);
    List<SysSystemAttributeMappingDto> attributes = attributeMappingService.find(filter, null).getContent();
    assertEquals(1, attributes.size());
    SysSystemAttributeMappingDto ldapGroupsAttribute = attributes.stream().findFirst().get();
    // Creates cross-domain group.
    SysSystemGroupDto groupSystemDto = new SysSystemGroupDto();
    groupSystemDto.setCode(getHelper().createName());
    groupSystemDto.setType(SystemGroupType.CROSS_DOMAIN);
    groupSystemDto = systemGroupService.save(groupSystemDto);
    SysSystemGroupSystemDto systemGroupSystemOne = new SysSystemGroupSystemDto();
    systemGroupSystemOne.setSystemGroup(groupSystemDto.getId());
    systemGroupSystemOne.setMergeAttribute(ldapGroupsAttribute.getId());
    systemGroupSystemOne.setSystem(systemDto.getId());
    systemGroupSystemService.save(systemGroupSystemOne);
    // Creates the login role.
    IdmRoleDto loginRole = helper.createRole();
    helper.createRoleSystem(loginRole, systemDto);
    IdmRoleDto parentNoLoginRole = helper.createRole();
    // Creates no-login role.
    IdmRoleDto noLoginRole = helper.createRole();
    SysRoleSystemDto roleSystem = helper.createRoleSystem(noLoginRole, systemDto);
    roleSystem.setCreateAccountByDefault(true);
    roleSystemService.save(roleSystem);
    SysRoleSystemFilter roleSystemFilter = new SysRoleSystemFilter();
    roleSystemFilter.setIsInCrossDomainGroupRoleId(noLoginRole.getId());
    roleSystemFilter.setCheckIfIsInCrossDomainGroup(Boolean.TRUE);
    roleSystemFilter.setId(roleSystem.getId());
    List<SysRoleSystemDto> roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(0, roleSystemDtos.size());
    // Creates overridden ldapGroup merge attribute.
    createOverriddenLdapGroupAttribute(ldapGroupsAttribute, roleSystem);
    // Role-system should be in cross-domain group now.
    roleSystemDtos = roleSystemService.find(roleSystemFilter, null).getContent();
    assertEquals(1, roleSystemDtos.size());
    SysRoleSystemDto roleSystemDto = roleSystemDtos.stream().findFirst().get();
    assertTrue(roleSystemDto.isInCrossDomainGroup());
    IdmRoleCompositionDto roleComposition = getHelper().createRoleComposition(parentNoLoginRole, noLoginRole);
    IdmIdentityDto identity = getHelper().createIdentity();
    IdmIdentityContractDto contract = getHelper().getPrimeContract(identity.getId());
    IdmIdentityRoleFilter identityRoleFilter = new IdmIdentityRoleFilter();
    identityRoleFilter.setIdentityId(identity.getId());
    identityRoleFilter.setRoleId(noLoginRole.getId());
    assertEquals(0, identityRoleService.count(identityRoleFilter));
    AccIdentityAccountFilter identityAccountFilter = new AccIdentityAccountFilter();
    identityAccountFilter.setIdentityId(identity.getId());
    identityAccountFilter.setSystemId(systemDto.getId());
    assertEquals(0, identityAccountService.find(identityAccountFilter, null).getContent().size());
    IdmRoleRequestDto roleRequestDto = getHelper().assignRoles(contract, false, loginRole);
    assertEquals(RoleRequestState.EXECUTED, roleRequestDto.getState());
    assertNotNull(roleRequestDto.getSystemState());
    assertEquals(1, identityAccountService.find(identityAccountFilter, null).getContent().size());
    // Check if provisioning NOT contains ldapGroups attribute with value ('ONE') from the role.
    SysProvisioningOperationFilter provisioningOperationFilter = new SysProvisioningOperationFilter();
    provisioningOperationFilter.setSystemId(systemDto.getId());
    provisioningOperationFilter.setEntityType(SystemEntityType.IDENTITY);
    provisioningOperationFilter.setEntityIdentifier(identity.getId());
    List<SysProvisioningOperationDto> provisioningOperationDtos = provisioningOperationService.find(provisioningOperationFilter, null).getContent();
    assertEquals(1, provisioningOperationDtos.size());
    SysProvisioningOperationDto provisioningOperationDto = provisioningOperationDtos.stream().findFirst().get();
    ProvisioningAttributeDto provisioningAttributeLdapGroupsDto = provisioningOperationDto.getProvisioningContext().getAccountObject().keySet().stream().filter(provisioningAtt -> MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE.equals(provisioningAtt.getSchemaAttributeName())).findFirst().get();
    assertNotNull(provisioningAttributeLdapGroupsDto);
    Object ldapGroupsValue = provisioningOperationDto.getProvisioningContext().getAccountObject().get(provisioningAttributeLdapGroupsDto);
    assertEquals(0, ((List<?>) ldapGroupsValue).size());
    // Delete old provisioning.
    provisioningOperationService.delete(provisioningOperationDto);
    // Assign parent role.
    roleRequestDto = getHelper().assignRoles(contract, false, parentNoLoginRole);
    assertEquals(RoleRequestState.EXECUTED, roleRequestDto.getState());
    assertNotNull(roleRequestDto.getSystemState());
    // Check if provisioning contains ldapGroups attribute with value ('ONE') from the role.
    provisioningOperationFilter = new SysProvisioningOperationFilter();
    provisioningOperationFilter.setSystemId(systemDto.getId());
    provisioningOperationFilter.setEntityType(SystemEntityType.IDENTITY);
    provisioningOperationFilter.setEntityIdentifier(identity.getId());
    provisioningOperationDtos = provisioningOperationService.find(provisioningOperationFilter, null).getContent();
    assertEquals(1, provisioningOperationDtos.size());
    provisioningOperationDto = provisioningOperationDtos.stream().findFirst().get();
    provisioningAttributeLdapGroupsDto = provisioningOperationDto.getProvisioningContext().getAccountObject().keySet().stream().filter(provisioningAtt -> MockCrossDomainAdUserConnectorType.LDAP_GROUPS_ATTRIBUTE.equals(provisioningAtt.getSchemaAttributeName())).findFirst().get();
    assertNotNull(provisioningAttributeLdapGroupsDto);
    ldapGroupsValue = provisioningOperationDto.getProvisioningContext().getAccountObject().get(provisioningAttributeLdapGroupsDto);
    assertEquals("ONE", ((List<?>) ldapGroupsValue).get(0));
    assertEquals(1, identityRoleService.count(identityRoleFilter));
    // Clean
    provisioningOperationService.deleteOperations(systemDto.getId());
    getHelper().deleteIdentity(identity.getId());
    roleCompositionService.delete(roleComposition);
    getHelper().deleteRole(noLoginRole.getId());
    getHelper().deleteRole(parentNoLoginRole.getId());
}