[midPoint] Group Memberships In ScriptSQL Question

Pavol Mederly mederly at evolveum.com
Wed Sep 21 11:49:51 CEST 2016


Hello Martin,

concerning this one:

> Without doing any other assignment to the user, we remove the Group 
> Role. In this case, after verifying the group and user existence (with 
> the SearchScript), we found out that the connector executes the 
> DeleteScript in order to manage User deletion. But it does not do 
> anything with the group membership.
This is the responsibility of your groovy script in the ScriptedSQL 
resource. So, when requested to delete the user, you have to delete all 
of his entitlements.

> The behaviour that we are trying to accomplish is the following: Once 
> the user loses the last group, remove the user from that group but 
> leave it created (and disabled) within the database.
This has to be solved at the level of midPoint, *not* in the connector itself.

Here is a related HOWTO: 
https://wiki.evolveum.com/display/midPoint/Disable+instead+of+Delete.

Best regards,

Pavol Mederly
Software developer
evolveum.com

On 13.09.2016 16:01, Martin Marchese wrote:
> Hi All,
>
> We were running some tests with the ScriptedSQL connector in order to 
> manage group membership in a database.
>
> Our DB model has the following tables:
>
> USERS
> GROUPS
> USERGROUPS
>
> Assigning the resource to a User executes the create script and we 
> use that to create the user in the USERS table.
>
> Adding a Role to a user already linked (which has the resource 
> meta-role assigned) executes the UPDATE script with the 
> ADD_ATTRIBUTES_VALUE action and we use that script to add a record 
> into the USERGROUPS table. Similar behaviour when we remove the role 
> from the user, but in this case with a REMOVE_ATTRIBUTE_VALUES action.
>
> Finally, we tested the following case:
>
> User not linked nor assigned the Resource. We assign the Group Role, 
> which creates the user in the USERS table (CreateScript) and adds the 
> corresponding record to the USERGROUPS table (UpdateScript with 
> ADD_ATTRIBUTE_VALUE action).
>
> Without doing any other assignment to the user, we remove the Group 
> Role. In this case, after verifying the group and user existence (with 
> the SearchScript), we found out that the connector executes the 
> DeleteScript in order to manage User deletion. But it does not do 
> anything with the group membership.
>
> The behaviour that we are trying to accomplish is the following: Once 
> the user loses the last group, remove the user from that group but 
> leave it created (and disabled) within the database.
> Yes, we could process this within the delete script, but in a real 
> Delete (when a user is being deleted but it has many group assignments 
> within the DB), we would like to disable the user, without removing 
> the group memberships.
>
> Is this possible or is this not how the connector works?
>
> Thanks in advance
>
> *Ing. Martín Marchese*
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> mmarchese at identicum.com <mailto:mmarchese at identicum.com>
> www.identicum.com <http://www.identicum.com>
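
Added example, not part of the thread or of the connector's own sample scripts: a ScriptedSQL delete script that removes the object's USERGROUPS rows before the owning row, inside one transaction, so a deleted account leaves no orphaned memberships behind. Only the table names come from the original question; the column names (ID, USER_ID, GROUP_ID) and a string-compatible ID key are assumptions.

```groovy
import groovy.sql.Sql
import org.identityconnectors.framework.common.exceptions.UnknownUidException

// Bindings supplied by the ScriptedSQL connector to the delete script:
//   connection  - java.sql.Connection to the target database
//   objectClass - "__ACCOUNT__" or "__GROUP__"
//   uid         - identifier of the object to delete
//   log         - connector logger
// Assumed schema (column names are NOT from the thread):
//   USERS(ID), GROUPS(ID), USERGROUPS(USER_ID, GROUP_ID)

def sql = new Sql(connection)

// Owning table and the USERGROUPS column that references it, per object class.
def ownerTable       = ["__ACCOUNT__": "USERS",   "__GROUP__": "GROUPS"]
def membershipColumn = ["__ACCOUNT__": "USER_ID", "__GROUP__": "GROUP_ID"]

if (!ownerTable.containsKey(objectClass)) {
    throw new UnsupportedOperationException("Delete not supported for " + objectClass)
}

// Table and column names come only from the fixed maps above;
// the uid is always passed as a bind parameter, never concatenated.
String deleteMemberships =
    "DELETE FROM USERGROUPS WHERE " + membershipColumn[objectClass] + " = ?"
String deleteOwner =
    "DELETE FROM " + ownerTable[objectClass] + " WHERE ID = ?"

// withTransaction commits on success and rolls back if the closure throws,
// so memberships are never removed without the owning row (or vice versa).
sql.withTransaction {
    // 1. Entitlements first: the connector will not do this on its own.
    sql.execute(deleteMemberships, [uid])

    // 2. Then the account (or group) row itself.
    int removed = sql.executeUpdate(deleteOwner, [uid])
    if (removed != 1) {
        // Report a missing object to the framework; this also rolls back step 1.
        throw new UnknownUidException("No " + objectClass + " with id " + uid)
    }
}

log.info("Deleted " + objectClass + " " + uid + " and its USERGROUPS rows")
```

With the disable-instead-of-delete setup from the linked HOWTO, midPoint does not call this script when the last role is removed, so the script only runs for a real deletion.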
