[midPoint] ScriptedSQL - add/remove entitlements

Nicolas Rossi nrossi at identicum.com
Tue Dec 13 01:45:00 CET 2016


Hi, you have to add the association between Users and Groups. It's
something like that:

<association>
    <ref>ri:GroupObjectClass</ref>
    <kind>entitlement</kind>
    <intent>default</intent>
    <tolerant>false</tolerant>
    <direction>subjectToObject</direction>
    <associationAttribute>ri:groups</associationAttribute>
    <valueAttribute>icfs:uid</valueAttribute>
    <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
    <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
</association>

You can find more information about the association and the tolerant
parameter here:
https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition

Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
objectClass __ACCOUNT__ and the attribute received should be "groups":

    case "ADD_ATTRIBUTE_VALUES":

        if(objectClass == "__ACCOUNT__")
        {
            for(String group : attributes.get("groups"))
            {
                // Check whether the user already has this group (values are bound, not concatenated)
                def existingEntitlement = sql.rows("SELECT 1 FROM UserGroups WHERE user_id=? AND group_id=?", [uid as String, group as String]);
                if(existingEntitlement.isEmpty())
                {
                    log.info("Sample - Adding entitlement ${group} to user ${uid}");
                    // Bind uid and group as parameters instead of building the SQL text from them
                    sql.execute("insert into UserGroups (user_id, group_id) values (?, ?)", [uid as String, group as String]);
                }
                else
                {
                    log.info("Sample - Skipping assignment because user ${uid} already has group ${group}");
                }
            }
        }
        // Do not fall through into the next case of the switch
        break;

You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
Radovan and Ivan helped us a few weeks ago with the ScriptedSQL
resource. You can find the conversation in the mailing list. I am sure it
will help you too.

Regards,

Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:

> Hello,
>
> I'm playing with ScriptedSQL resource, based on Evolveum example from
> Github.
> I'm able to list/add/remove users/groups and enable/disable accounts.
> Great.
> But now I want to apply an assignment (a group) to user. Unfortunately
> "Update_Script.groovy" is incomplete,
> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> Where can I find some examples?
>
> Thanks a lot!
> WS
>
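
The REMOVE_ATTRIBUTE_VALUES side mentioned in the reply, as an added example that is not part of the original post or the Evolveum sample. The UserGroups table and its columns come from the post; removeEntitlements, FakeSql and ListLog are hypothetical names, and FakeSql is a constructed stand-in for groovy.sql.Sql so the script runs without a database.

```groovy
// Removes each listed group from the user. `sql` is assumed to behave like
// groovy.sql.Sql and `log` like the connector's logger (both are script bindings
// in the post). Returns the number of memberships actually deleted.
def removeEntitlements(sql, log, String uid, Collection groups) {
    int removed = 0
    for (group in groups) {
        def params = [uid, group as String]
        def existing = sql.rows("SELECT 1 FROM UserGroups WHERE user_id=? AND group_id=?", params)
        if (existing.isEmpty()) {
            log.info("Sample - Skipping removal because user ${uid} does not have group ${group}")
            continue
        }
        log.info("Sample - Removing entitlement ${group} from user ${uid}")
        // Values are bound as parameters; the statement text stays constant.
        sql.execute("DELETE FROM UserGroups WHERE user_id=? AND group_id=?", params)
        removed++
    }
    return removed
}

// Constructed stand-in for groovy.sql.Sql over a single table.
class FakeSql {
    Set table = [["7", "10"], ["7", "11"]] as Set   // constructed (user_id, group_id) rows
    List statements = []                             // every statement text that was issued
    List rows(String q, List p) { statements << q; table.contains(p) ? [[1]] : [] }
    boolean execute(String q, List p) { statements << q; table.remove(p) }
}

// Constructed stand-in for the connector logger.
class ListLog {
    List lines = []
    void info(Object msg) { lines << msg.toString() }
}

def db = new FakeSql()
def log = new ListLog()
// "10 OR 1=1" is a constructed hostile value: bound as data, it matches no row.
assert removeEntitlements(db, log, "7", ["10", "10 OR 1=1", "99"]) == 1
assert db.table == [["7", "11"]] as Set
assert db.statements.every { !it.contains("1=1") }
assert log.lines.size() == 3
```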