[midPoint] HA: Prohibit having particular assignments

Илья Дорофеев i.dorofeev at solarsecurity.ru
Tue May 19 15:30:08 CEST 2015


Hi Radovan,



I saw the solution exactly as you have specified in your reply. Just wanted to make sure there's no other option to tackle this issue in another way. The downside of this approach is the necessity of specifying the same condition for all the roles created in the system, whether they are business roles created by users manually or roles which are being created during the entitlements synchronization process.



Ilya Dorofeev

Software Architect

Solar Security

________________________________
From: midPoint [midpoint-bounces at lists.evolveum.com] on behalf of Radovan Semancik [radovan.semancik at evolveum.com]
Sent: 19 May 2015 15:01
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] Prohibit having particular assignments

Hi Ilya,

This works a bit differently in midPoint. We do not have separate policies for automatic assignment and unassignment. These are the same. Therefore simply use a mapping in the user template that automatically adds an assignment, and specify a condition for when the user should have such an assignment. E.g.

<objectTemplate>
  ...
  <mapping>
     <expression> .... assignment here ... </expression>
     <target><path>assignment</path></target>
     <condition>
        <script>
            <code>employeeType == 'active'</code>
        </script>
     </condition>
  </mapping>
  ...
</objectTemplate>

Now, this works both for assignment and unassignment. If this user does not have such an assignment and his employeeType changes to 'active' then the assignment will be added. But if the user already has employeeType='active' and this changes to something else then the assignment will be removed.

MidPoint works with relative changes. This means that after every change in user attributes midPoint recomputes all the mappings and figures out what the resulting (secondary) changes are. E.g. if the employeeType attribute changes from 'active' to 'inactive' then midPoint realizes that the condition in this particular mapping changes from true to false, which means that the user should have the assignment given by this mapping before the change, but this user should NOT have the assignment after the change. Therefore midPoint removes the assignment.


--
Radovan Semancik
Software Architect
evolveum.com




On 05/18/2015 01:02 PM, Илья Дорофеев wrote:

Hi,



I would like to adjust a policy that will automatically revoke all of a user's assignments (or just some of them selected by a rule) in accordance with particular values of some user properties. For instance, I would like all fired users to have their assignments revoked. I didn't find any mention in the docs of how it is supposed to be configured.



Thanks in advance,

Ilya Dorofeev
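A fuller version of the user template Radovan sketches above, written out as an added example (it is not from this thread or from the midPoint project's own samples). The role OID is a placeholder, the mapping name is an assumption, and the template assumes the standard midPoint common-3 namespace:

```xml
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <name>User Template</name>

  <!-- Assumed mapping name; the role OID below is a placeholder, not a real object. -->
  <mapping>
    <name>assign-employee-role-while-active</name>

    <!-- Authoritative: midPoint owns the value it produces, so when the
         condition flips from true to false the assignment is removed again.
         This is what makes one mapping serve both assignment and unassignment. -->
    <authoritative>true</authoritative>

    <expression>
      <value>
        <!-- PLACEHOLDER-ROLE-OID must be replaced with the OID of the role to grant -->
        <targetRef oid="PLACEHOLDER-ROLE-OID" type="RoleType"/>
      </value>
    </expression>

    <target>
      <path>assignment</path>
    </target>

    <!-- Evaluated on every user change; the mapping output "exists" only while true.
         employeeType 'active' -> 'inactive' is seen as true -> false, so the
         assignment is computed as a secondary delete. -->
    <condition>
      <script>
        <code>employeeType == 'active'</code>
      </script>
    </condition>
  </mapping>
</objectTemplate>
```

The same condition must be repeated in every mapping that should behave this way, which is the maintenance cost Ilya points out in his reply.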





