[midPoint] ScriptedSQL - add/remove entitlements
Nicolas Rossi
nrossi at identicum.com
Thu Dec 15 13:43:27 CET 2016
Can you share with us the create and update scripts?
Regards
Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com
On Thu, Dec 15, 2016 at 5:15 AM, Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl> wrote:
> I've done it with joins instead of "where .. and .. and", and it works, but
> now my account appears multiple times on the resource (the number of
> accounts = the number of groups). This is definitely not a simple thing
> and the documentation is weak. :(
>
> On 15.12.2016 at 02:34, Nicolas Rossi wrote:
> > The Search script should return the ID, Name and Members of the group.
> > It doesn't matter if you use 1, 2 or more queries but you should return
> > an array with one row for each group where the members attribute is an
> > array too.
> >
> > Can you copy the SQL error of the query with the where filter?
> >
> > Regards,
> >
> >
> > Nicolás
> >
> >
> > On Wed, Dec 14, 2016 at 09:12, Wojciech Staszewski
> > <wojciech.staszewski at diagnostyka.pl> wrote:
> >
> > Just 4 more questions.
> >
> > I have a little trouble with the search script.
> >
> > 1. Searching associated groups: can it be in a separate SQL query in
> > __ACCOUNT__ case?
> > 2. It must return: "__UID__", "__NAME__" and "groups" attributes, right?
> > (the list of groups)
> > 3. Or it must be one single query returning all attributes including
> > group membership? But then it will return more than one row...
> >
> > 4. How to construct the SQL query using "where" template?
> > I tried to put something like this:
> >
> > "select g.name as name, u.alias from users_groups ug, usrgrp g, users u"
> > + where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"
> >
> > (msg:Search WHERE clause is: WHERE u.userid = 1)
> >
> > But I got an SQL syntax error. I log this query, Ctrl+C from log, Ctrl+V in
> > SQL console and it works.
> >
> > Thanks,
> > Best regards, WS
> >
> >
> >
> > On 13.12.2016 at 18:30, Wojciech Staszewski wrote:
> > > Thank you very much!
> > > Regards, WS
> > >
> > > On Monday, 12 December 2016 21:45:00 CET Nicolas Rossi wrote:
> >
> > >> Hi, you have to add the association between Users and Groups. It's
> > >> something like that:
> > >>
> > >> <association>
> > >>     <ref>ri:GroupObjectClass</ref>
> > >>     <kind>entitlement</kind>
> > >>     <intent>default</intent>
> > >>     <tolerant>false</tolerant>
> > >>     <direction>subjectToObject</direction>
> > >>     <associationAttribute>ri:groups</associationAttribute>
> > >>     <valueAttribute>icfs:uid</valueAttribute>
> > >>     <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute>
> > >>     <shortcutValueAttribute>icfs:uid</shortcutValueAttribute>
> > >> </association>
> > >>
> > >> You can find more information about the association and the tolerant
> > >> parameter here:
> > >> https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition
> > >>
> > >> Inside your Update script the operation should be ADD_ATTRIBUTE_VALUE for
> > >> objectClass __ACCOUNT__ and the attribute received should be "groups":
> > >>
> >
> > >> case "ADD_ATTRIBUTE_VALUES":
> > >>     if (objectClass == "__ACCOUNT__")
> > >>     {
> > >>         for (String group : attributes.get("groups"))
> > >>         {
> > >>             // Check whether the user already has this group
> > >>             def existingEntitlement = sql.rows("SELECT 1 FROM UserGroups WHERE user_id=? AND group_id=?", [uid as String, group as String]);
> > >>             if (existingEntitlement.isEmpty())
> > >>             {
> > >>                 log.info("Sample - Adding entitlement ${group} to user ${uid}");
> > >>                 // Bind the values as parameters instead of concatenating them into the SQL text
> > >>                 sql.execute("insert into UserGroups (user_id, group_id) values (?, ?)", [uid as String, group as String]);
> > >>             }
> > >>             else
> > >>             {
> > >>                 log.info("Sample - Skipping assignment because user ${uid} already has group ${group}");
> > >>             }
> > >>         }
> > >>     }
> >
> > >>
> >
> > >> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same logic.
> > >> Radovan and Ivan have helped us a few weeks ago with the ScriptedSQL
> > >> resource. You can find the conversation in the mailing list. I am sure it
> > >> will help you too.
> > >>
> > >> Regards,
> > >>
> > >> Ing Nicolás Rossi
> > >> Identicum S.A.
> > >> Jorge Newbery 3226
> > >> Tel: +54 (11) 4552-3050
> > >> www.identicum.com
> >
> > >>
> >
> > >> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <
> > >> wojciech.staszewski at diagnostyka.pl> wrote:
> > >>
> > >>> Hello,
> > >>>
> > >>> I'm playing with ScriptedSQL resource, based on Evolveum example from
> > >>> Github.
> > >>> I'm able to list/add/remove users/groups and enable/disable accounts.
> > >>> Great.
> > >>> But now I want to apply an assignment (a group) to user. Unfortunately
> > >>> "Update_Script.groovy" is incomplete,
> > >>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.
> > >>> Where can I find some examples?
> > >>>
> > >>> Thanks a lot!
> > >>> WS
> >
> > >>> _______________________________________________
> >
> > >>> midPoint mailing list
> >
> > >>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> >
> > >>> http://lists.evolveum.com/mailman/listinfo/midpoint
> >
> > >>>
> >
> > >>
> >
> > >
> >
> > >
> >
>
> --
> Wojciech Staszewski
> Network Systems Administrator
> mobile: 663 680 236
> www.diagnostyka.pl
> Diagnostyka Sp. z o. o.
> ul. Prof. M. Życzkowskiego 16, 31-864 Kraków
> KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków,
> 11th Commercial Division of the KRS)
> NIP: 675-12-65-009; REGON: 356366975
> Share capital: 33 756 500 zł.
>
> Think about the environment before you print this e-mail.
>
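
Added example (not part of the thread, and not code from midPoint or its samples): one way to handle the duplicate accounts mentioned above, where a JOIN yields one row per user/group pair while the search has to return one row per account with "groups" as a list. Table and column names come from the query quoted in the thread; buildQuery, collapseAccounts and the sample rows are constructed for illustration, and an empty where value when no filter is given is an assumption.

```groovy
// Added example: collapse JOIN output (one row per user/group pair) into one
// result map per account, with "groups" as a list of group UIDs.
// buildQuery and collapseAccounts are hypothetical helpers; the sample rows
// are constructed.

// `where` is the clause handed to the search script. The thread logs it as
// "WHERE u.userid = 1", so it already carries the WHERE keyword; the join
// condition therefore goes into ON instead of being appended with AND.
String buildQuery(String where) {
    return "SELECT u.userid, u.alias, ug.usrgrpid FROM users u " +
           "LEFT JOIN users_groups ug ON ug.userid = u.userid " +
           (where ?: "")   // assumption: null or empty when there is no filter
}

List<Map> collapseAccounts(List<Map> rows) {
    def byUid = [:]   // LinkedHashMap, keeps accounts in first-seen order
    rows.each { row ->
        def uid = row.userid as String
        if (!byUid.containsKey(uid)) {
            byUid[uid] = [__UID__: uid, __NAME__: row.alias, groups: []]
        }
        // LEFT JOIN yields a null group id for a user without any group
        if (row.usrgrpid != null) {
            byUid[uid].groups << (row.usrgrpid as String)
        }
    }
    return byUid.values() as List<Map>
}

// Constructed sample: what sql.rows(buildQuery(where)) could return
def joinedRows = [
    [userid: 1, alias: 'admin', usrgrpid: 7],
    [userid: 1, alias: 'admin', usrgrpid: 9],
    [userid: 2, alias: 'guest', usrgrpid: null],
]

def result = collapseAccounts(joinedRows)
assert result.size() == 2
assert result[0] == [__UID__: '1', __NAME__: 'admin', groups: ['7', '9']]
assert result[1].groups == []
println result
```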