[midPoint] ScriptedSQL - add/remove entitlements

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Tue Dec 13 18:30:22 CET 2016


Thank you very much!
Regards,  WS

On Monday, 12 December 2016 21:45:00 CET Nicolas Rossi wrote:
> Hi, you have to add the association between Users and Groups. It's
> something like that:
> 
> <association>
> <ref>ri:GroupObjectClass</ref>
> <kind>entitlement</kind>
> <intent>default</intent>
> <tolerant>false</tolerant>
> <direction>subjectToObject</direction>
> <associationAttribute>ri:groups</associationAttribute>
> <valueAttribute>icfs:uid</valueAttribute>
> <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> </association>
> 
> You can find more information about the association and the tolerant
> parameter here:
> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
> 
> Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
> objectClass __ACCOUNT__ and the attribute received should be "groups":
> 
>     case "ADD_ATTRIBUTE_VALUES":
> 
>         if(objectClass == "__ACCOUNT__")
>         {
>             for(String group : attributes.get("groups"))
>             {
>                 // Check whether the user already has this group
>                 def existingEntitlement = sql.rows("SELECT 1 FROM UserGroups WHERE user_id=? AND group_id=?", [uid as String, group as String]);
>                 if(existingEntitlement.isEmpty())
>                 {
>                     log.info("Sample - Adding entitlement ${group} to user ${uid}");
>                     // Bind the values as parameters instead of concatenating them into the SQL text
>                     sql.execute("insert into UserGroups (user_id, group_id) values (?, ?)", [uid as String, group as String]);
>                 }
>                 else
>                 {
>                     log.info("Sample - Skipping assignment because user ${uid} already has group ${group}");
>                 }
>             }
>         }
> 
> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
> Radovan and Ivan helped us a few weeks ago with the ScriptedSQL
> resource. You can find the conversation in the mailing list. I am sure it
> will help you too.
> 
> Regards,
> 
> 
> 
> 
> 
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
> 
> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> wojciech.staszewski at diagnostyka.pl> wrote:
> 
> > Hello,
> >
> > I'm playing with ScriptedSQL resource, based on Evolveum example from
> > Github.
> > I'm able to list/add/remove users/groups and enable/disable accounts.
> > Great.
> > But now I want to apply an assignment (a group) to user. Unfortunately
> > "Update_Script.groovy" is incomplete,
> > ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> > Where can I find some examples?
> >
> > Thanks a lot!
> > WS
> 


-- 
Wojciech Staszewski
Network Systems Administrator
IT Department
DIAGNOSTYKA 
Spółka z ograniczoną odpowiedzialnością 
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
tel.: +48 12 295 01 00
fax: +48 12 295 01 02 
mobile: 663 680 236
www.diag.pl
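
The ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES handling discussed in the quoted reply, as an added example that is not part of the original messages or of the Evolveum sample script. The table and column names come from the quoted snippet; `operation`, `updateEntitlements` and `FakeSql` are hypothetical names, and `FakeSql` is a constructed stand-in for the connector's `sql` object so the script runs without a database.

```groovy
// Added example. Every value reaches the database as a bound parameter, never as SQL text.
def updateEntitlements(sql, String operation, String objectClass, uid, Map attributes) {
    // Only account objects carry the "groups" association attribute.
    if (objectClass != "__ACCOUNT__") return 0
    int changed = 0
    for (group in (attributes.get("groups") ?: [])) {
        def params = [uid as String, group as String]
        def exists = !sql.rows("SELECT 1 FROM UserGroups WHERE user_id=? AND group_id=?", params).isEmpty()
        switch (operation) {
            case "ADD_ATTRIBUTE_VALUES":
                if (!exists) {          // skip duplicates so a retried operation is harmless
                    sql.execute("INSERT INTO UserGroups (user_id, group_id) VALUES (?, ?)", params)
                    changed++
                }
                break
            case "REMOVE_ATTRIBUTE_VALUES":
                if (exists) {           // removing a missing membership is a no-op
                    sql.execute("DELETE FROM UserGroups WHERE user_id=? AND group_id=?", params)
                    changed++
                }
                break
        }
    }
    return changed
}

// Constructed in-memory stand-in for the connector's sql object (assumption, for offline runs).
class FakeSql {
    Set rowsInTable = [] as Set
    List statements = []
    List rows(String q, List p) { rowsInTable.contains(p) ? [[1]] : [] }
    boolean execute(String q, List p) {
        statements << q
        q.startsWith("INSERT") ? rowsInTable.add(p) : rowsInTable.remove(p)
        true
    }
}

def fake = new FakeSql()
assert updateEntitlements(fake, "ADD_ATTRIBUTE_VALUES", "__ACCOUNT__", "42", [groups: ["7", "9"]]) == 2
assert updateEntitlements(fake, "ADD_ATTRIBUTE_VALUES", "__ACCOUNT__", "42", [groups: ["7"]]) == 0
// Constructed odd value: it is only compared as data and matches no row.
assert updateEntitlements(fake, "REMOVE_ATTRIBUTE_VALUES", "__ACCOUNT__", "42", [groups: ["7", "x' OR '1'='1"]]) == 1
assert fake.rowsInTable == ([["42", "9"]] as Set)
// The recorded statement text never contains the user id or a group value.
assert fake.statements.every { !it.contains("42") }
```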


