[midPoint] ScriptedSQL - add/remove entitlements

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Thu Dec 15 09:15:09 CET 2016


I've done it with joins instead "where .. and .. and", and it works, but
now I my account appears multiple times on the resource (the number of
accounts = the number of groups). This is definitely not a simple thing
and the documentation is weak. :(

W dniu 15.12.2016 o 02:34, Nicolas Rossi pisze:
> The Search script should return the ID, Name and Members of the group.
> It doesn't matter if you use 1, 2 or more queries but you should return
> an array with one row for each group where the members attribute is an
> array too. 
> 
> Can you copy the sql error of the query with the where filter?
> 
> Regards,
> 
> 
> Nicolás 
> 
> 
> El El mié, 14 de dic. de 2016 a las 09:12, Wojciech Staszewski
> <wojciech.staszewski at diagnostyka.pl
> <mailto:wojciech.staszewski at diagnostyka.pl>> escribió:
> 
>     Just 4 more questions.
> 
> 
> 
>     I have a little trouble with search script.
> 
> 
> 
>     1. Searching associated groups: can it be in a separate sql query in
> 
>     __ACCOUNT__ case?
> 
>     2. It must return: "__UID__", "__NAME__" and "groups" attributes, right?
> 
>     (the list of groups)
> 
>     3. Or it must be one single guery returning all attributes including
> 
>     group membership? But then it will return more than one row...
> 
> 
> 
>     4. How to construct the SQL query using "where" template?
> 
>     I tried to put something like this:
> 
> 
> 
>     "select g.name <http://g.name> as name, u.alias from users_groups
>     ug, usrgrp g, users u"
> 
>     + where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"
> 
> 
> 
>     (msg:Search WHERE clause is:  WHERE u.userid = 1)
> 
> 
> 
>     But i got SQL syntax error. I log this query, Ctrl+C from log, Ctrl+V in
> 
>     SQL console and it works.
> 
> 
> 
>     Thanks,
> 
>     Best regards, WS
> 
> 
> 
>     W dniu 13.12.2016 o 18:30, Wojciech Staszewski pisze:
> 
>     > Thank you very much!
> 
>     > Regards,  WS
> 
>     >
> 
>     > Dnia poniedziałek, 12 grudnia 2016 21:45:00 CET Nicolas Rossi pisze:
> 
>     >> Hi, you have to add the association between Users and Groups. It's
> 
>     >> something like that:
> 
>     >>
> 
>     >> <association>
> 
>     >> <ref>ri:GroupObjectClass</ref>
> 
>     >> <kind>entitlement</kind>
> 
>     >> <intent>default</intent>
> 
>     >> <tolerant>false</tolerant>
> 
>     >> <direction>subjectToObject</direction>
> 
>     >> <associationAttribute>ri:groups</associationAttribute>
> 
>     >> <valueAttribute>icfs:uid</valueAttribute>
> 
>     >>
>     <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
> 
>     >> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> 
>     >> </association>
> 
>     >>
> 
>     >> You can find more information about the association and the tolerant
> 
>     >> parameter here:
> 
>     >>
>     https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
> 
>     >>
> 
>     >> Inside your Update script the operation should be
>     ADD_ATTRIBUTE_VALUE for
> 
>     >> objectClass __ACCOUNT__ and the attribute received should be
>     "groups":
> 
>     >>
> 
>     >>     case "ADD_ATTRIBUTE_VALUES":
> 
>     >>
> 
>     >>         if(objectClass == "__ACCOUNT__")
> 
>     >>         {
> 
>     >>             for(String group : attributes.get("groups"))
> 
>     >>             {
> 
>     >>                 def existingEntitlement = sql.rows("SELECT 1 FROM
> 
>     >> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as
> 
>     >> String]);
> 
>     >>                 if(existingEntitlement.isEmpty())
> 
>     >>                 {
> 
>     >>                     log.info <http://log.info>("Sample - Adding
>     entitlement ${group} to user
> 
>     >> ${uid}");
> 
>     >>                     sql.execute("insert into UserGroups (user_id,
>     group_id)
> 
>     >> values (" + uid + "," + group + ")");
> 
>     >>                 }
> 
>     >>                 else
> 
>     >>                 {
> 
>     >>                     log.info <http://log.info>("Sample - Skipping
>     assignment because user
> 
>     >> ${uid} already has group ${group}");
> 
>     >>                 }
> 
>     >>             }
> 
>     >>         }
> 
>     >>
> 
>     >> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same
>     logic.
> 
>     >> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL
> 
>     >> resource. You can find the conversation in the mailing list. I am
>     sure it
> 
>     >> will help you too.
> 
>     >>
> 
>     >> Regards,
> 
>     >>
> 
>     >>
> 
>     >>
> 
>     >>
> 
>     >>
> 
>     >> Ing Nicolás Rossi
> 
>     >> Identicum S.A.
> 
>     >> Jorge Newbery 3226
> 
>     >> Tel: +54 (11) 4552-3050
> 
>     >> www.identicum.com <http://www.identicum.com>
> 
>     >>
> 
>     >> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> 
>     >> wojciech.staszewski at diagnostyka.pl
>     <mailto:wojciech.staszewski at diagnostyka.pl>> wrote:
> 
>     >>
> 
>     >>> Hello,
> 
>     >>>
> 
>     >>> I'm playing with ScriptedSQL resource, based on Evolveum example
>     from
> 
>     >>> Github.
> 
>     >>> I'm able to list/add/remove users/groups and enable/disable
>     accounts.
> 
>     >>> Great.
> 
>     >>> But now I want to apply an assignment (a group) to user.
>     Unfortunately
> 
>     >>> "Update_Script.groovy" is incomplete,
> 
>     >>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> 
>     >>> Where can I find some examples?
> 
>     >>>
> 
>     >>> Thanks a lot!
> 
>     >>> WS
> 
>     >>> _______________________________________________
> 
>     >>> midPoint mailing list
> 
>     >>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> 
>     >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> 
>     >>>
> 
>     >>
> 
>     >
> 
>     >
> 
>     _______________________________________________
> 
>     midPoint mailing list
> 
>     midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> 
>     http://lists.evolveum.com/mailman/listinfo/midpoint
> 
> 
> 
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
> 

-- 
Wojciech Staszewski
Administrator Systemów Sieciowych
tel. kom: 663 680 236
www.diagnostyka.pl
Diagnostyka Sp. z o. o.
ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
Numer KRS: 0000381559 (Sąd Rejonowy dla Krakowa-Śródmieścia w Krakowie,
XI Wydział Gospodarczy KRS)
NIP: 675-12-65-009; REGON: 356366975
Kapitał zakładowy: 33 756 500 zł.

Pomyśl o środowisku zanim wydrukujesz ten e-mail.


More information about the midPoint mailing list