[midPoint] assignment checking
Ivan Noris
ivan.noris at evolveum.com
Thu Jun 30 16:25:05 CEST 2016
Hi Oskar,
if you wish to keep the user account in AD after he leaves, you can
utilize "disable instead of delete" - unassigning the last role (e.g.
Employee) will disable the AD account instead of deleting it.
Would that help?
https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation#ResourceSchemaHandling:Activation-DisableonUnassign
Regards,
Ivan
On 06/30/2016 03:59 PM, Oskar Butovič - AMI Praha a.s. wrote:
> Hello Pavol,
>
> Employee role gives the user accounts in AD and GoogleApps. After he
> leaves the company it is still desired to keep him in AD. So I made
> mappings which switch the Employee role with AD and GA accounts for
> the ExEmployee role with only an AD account.
>
> ---
>
> Thanks for advice. I will try it and mail my results.
>
> Best Regards,
>
> Oskar
>
> 2016-06-30 15:27 GMT+02:00 Pavol Mederly <mederly at evolveum.com>:
>
> Hello Oskar,
>
> I don't quite understand your situation.
>
> 1. You create a user of 'employee' type and automatically assign
> him Employee role. OK.
> 2. Then he leaves the company.
> 3. You say that his account is cancelled by assigning
> ExpiredEmployee role.
>
> Why don't you simply unassign the Employee role?
>
> ---
>
> But back to your question: you can simply check all directly
> assigned roles by iterating through user.getAssignment() objects
> (of AssignmentType), and selecting those with getTargetRef() !=
> null and getTargetRef().getType().equals(RoleType.COMPLEX_TYPE).
>
> Best regards,
>
> Pavol
>
>
> On 28.06.2016 15:15, Oskar Butovič - AMI Praha a.s. wrote:
>> Hello All,
>>
>> I am trying to check in a mapping in the user template whether the user
>> has a particular role.
>>
>> For example, the following scenario:
>> I create a new user with identityType (extension parameter)
>> employee. I want to assign the role Employee to users with this type.
>> At some point the employee leaves the company and his account is cancelled
>> by assigning the expiredEmployee role.
>>
>> I understand that so far it can be made by setting
>> <authoritative>true</authoritative>
>>
>> but I also want this role to be kept when the user is edited and
>> his identityType is no longer employee.
>>
>> This could be done with <authoritative>false</authoritative> but
>> it then prevents the previous scenario. If I were able to check the
>> current roles of the user I could accomplish all required
>> behaviour with <authoritative>true</authoritative>.
>>
>> Do you have any advice or code snippet how to resolve this problem?
>>
>> Regards
>>
>> Oskar Butovič
>>
>> --
>>
>> Oskar Butovič
>> solution architect
>>
>> gsm: [+420] 774 480 101
>> e-mail: oskar.butovic at ami.cz
>>
>> AMI Praha a.s.
>> Pláničkova 11
>> 162 00 Praha 6
>> tel.: [+420] 274 783 239
>> web: www.ami.cz
>>
>> By the text of this e-mail the signatory neither promises to conclude nor
>> concludes any contract on behalf of AMI Praha a.s. Any contract, if
>> concluded, must be exclusively in written form.
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
--
Ing. Ivan Noris
Senior Identity Management Engineer & IDM Architect
evolveum.com evolveum.com/blog/
___________________________________________________
"Semper ID(e)M Vix."
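An added example (not code from this thread or from midPoint itself) of the check Pavol describes, packaged as a condition script for the Employee-role mapping in the user template: the mapping stays authoritative, but an already assigned Employee role is kept when identityType changes and is only dropped once ExpiredEmployee has been assigned. It assumes the condition script sees the focus as `user` and the mapping source as `identityType`, that `RoleType` lives in the midPoint 3.x `common_3` package, and uses placeholder role OIDs.

```groovy
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType

// Placeholders: replace with the real OIDs of the two roles in your repository.
def EMPLOYEE_ROLE_OID = '<oid-of-Employee-role>'
def EXPIRED_ROLE_OID  = '<oid-of-ExpiredEmployee-role>'

// True if the focus has a *direct* assignment whose target is the role with
// the given OID. Roles induced through other roles are not visible here; only
// what user.getAssignment() holds is checked, as in the thread.
def hasDirectRole(focusObject, String roleOid) {
    if (focusObject == null) {
        return false
    }
    for (assignment in focusObject.getAssignment()) {
        def ref = assignment.getTargetRef()
        if (ref == null) {
            continue                                   // e.g. construction, no target
        }
        if (!RoleType.COMPLEX_TYPE.equals(ref.getType())) {
            continue                                   // null-safe: skips org/service targets
        }
        if (roleOid.equals(ref.getOid())) {
            return true
        }
    }
    return false
}

// Mapping condition (assumed variables: 'user' = focus, 'identityType' = source):
// keep Employee while the identity type still says so, or while it is already
// directly assigned and the user has not yet been marked ExpiredEmployee.
def stillEmployee = 'employee'.equals(identityType)
def keepExisting  = hasDirectRole(user, EMPLOYEE_ROLE_OID) &&
                    !hasDirectRole(user, EXPIRED_ROLE_OID)
return stillEmployee || keepExisting
```

With authoritative set to true the mapping removes the Employee assignment as soon as the condition turns false, which here happens only when ExpiredEmployee is present and identityType is no longer employee.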