[midPoint] Debugging assignment's referential integrity issues

Martin Lízner - AMI Praha a.s. martin.lizner at ami.cz
Wed Feb 1 20:33:18 CET 2017


Hi, auto clean works just for projections, I'm not sure whether it is
supposed to work for assignments and inducements too. In order to clean
missing assignments to roles and orgs I coded the following custom task. M.

<c:task xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
        xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
        xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <c:name>Purge user assignments (roles, orgs)</c:name>
    <c:description>This task removes from users all targetRef assignments (roles and orgs) that cannot be resolved. E.g. assigned role object has been deleted and user object points to its OID.</c:description>
    <c:extension>
        <scext:executeScript xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3">
            <s:pipeline xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                <!-- Step 1: select the users to process; this filter matches only the user named user12345 -->
                <s:expression xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="s:SearchExpressionType">
                    <s:type>UserType</s:type>
                    <s:query>
                        <q:filter>
                            <q:equal>
                                <q:path>name</q:path>
                                <q:value>user12345</q:value>
                            </q:equal>
                        </q:filter>
                    </s:query>
                </s:expression>
                <!-- Step 2: run the Groovy script below once for each object found by the search -->
                <s:expression xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="s:ActionExpressionType">
                    <s:type>execute-script</s:type>
                    <s:parameter>
                        <s:name>script</s:name>
                        <c:value xsi:type="c:ScriptExpressionEvaluatorType" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                            <c:code>
                                import com.evolveum.midpoint.xml.ns._public.common.common_3.*
                                import com.evolveum.midpoint.prism.delta.builder.*
                                import com.evolveum.midpoint.model.api.*

                                // assignments whose targetRef no longer resolves to an existing object
                                def assignmentsToDel = []

                                for (a in input.assignment) {
                                    if (a.targetRef == null) {
                                        continue; // this is resource assignment construction, we are interested in roles and orgs only
                                    }
                                    ObjectType ot = midpoint.resolveReferenceIfExists(a.targetRef)
                                    //log.info ("OID is: {}, resolving to: {}", a.targetRef?.oid, ot);
                                    if (ot == null) {
                                        def removeAssignment = new AssignmentType()
                                        removeAssignment.targetRef = a.targetRef.clone() // we need to construct new assignment to avoid metadata and order disturbing stuff
                                        assignmentsToDel.add(removeAssignment.asPrismContainerValue())
                                        log.info('User: {}, going to purge assignment: {}', input.name, a.targetRef?.oid)
                                    }
                                }

                                // one delta per user that deletes all collected assignment values
                                def delta = DeltaBuilder.deltaFor(FocusType.class, prismContext)
                                        .item(FocusType.F_ASSIGNMENT).delete(assignmentsToDel)
                                        .asObjectDelta(input.oid)

                                // raw option: the delta is applied to the repository object without the usual model processing
                                midpoint.modifyObject(delta, ModelExecuteOptions.createRaw())
                            </c:code>
                        </c:value>
                    </s:parameter>
                </s:expression>
            </s:pipeline>
        </scext:executeScript>
    </c:extension>
    <c:taskIdentifier>1474775896757:987750751</c:taskIdentifier>
    <c:ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <c:executionStatus>runnable</c:executionStatus>
    <c:category>BulkActions</c:category>
    <c:handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</c:handlerUri>
    <c:recurrence>single</c:recurrence>
</c:task>

Martin Lízner
solution architect

gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz


AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz





2017-02-01 20:12 GMT+01:00 Nicolas Rossi <nrossi at identicum.com>:

> Hi guys, it is also happening in midPoint 3.5. We tried running Cleanup
> and Validity Scanner tasks but the reference is still there. Is there any
> way to fix these references?
>
> Thanks in advance!
>
> Ing Nicolás Rossi
> Identicum S.A.
> Jorge Newbery 3226
> Tel: +54 (11) 4552-3050
> www.identicum.com
>
> On Mon, Jan 16, 2017 at 1:01 PM, Rodrigo Yanis <ryanis at identicum.com>
> wrote:
>
>> Hello all,
>>
>> We've come across the following case involving issues in how midpoint
>> handles referential integrity in assignments and inducements. As of
>> version 3.4.1, the case is the following:
>> 1. An object "A" is created and assigned / induced into another object "B"
>> 2. Object "A" is then deleted from midpoint
>> 3. Object "B" keeps the reference to object "A"'s OID, even though it
>> doesn't exist anymore.
>> We replicated this in role to user assignments, role to role assignments,
>> role to role inducements.
>> Is there any automatic native mechanism for resolving these referential
>> errors?
>> If not, is there a way to attack the issue through the use of tasks?
>>
>> Thanks,
>>
>> *Rodrigo Yanis.*
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4824-9971
>> ryanis at identicum.com
>> www.identicum.com
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
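Added example (not part of the original thread and not midPoint code): a read-only audit that lists dangling targetRef OIDs in both assignments and inducements, so the scope of a purge can be reviewed before any raw delete is run. It assumes a complete object export wrapped in an objects element in the common-3 namespace; the sample export, its OIDs and the name find_dangling_refs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"

# Constructed sample modelled on a midPoint object export (assumed layout).
# The role "oid-role-deleted" is referenced but absent, as after a delete.
SAMPLE_EXPORT = """\
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <role oid="oid-role-kept"><name>Kept role</name>
    <inducement><targetRef oid="oid-role-deleted" type="RoleType"/></inducement>
  </role>
  <user oid="oid-user-1"><name>user12345</name>
    <assignment><targetRef oid="oid-role-kept" type="RoleType"/></assignment>
    <assignment><targetRef oid="oid-role-deleted" type="RoleType"/></assignment>
    <assignment><construction/></assignment>
  </user>
</objects>
"""


def find_dangling_refs(export_xml):
    """Return (holder_oid, holder_name, kind, missing_target_oid) tuples."""
    root = ET.fromstring(export_xml)
    objects = [o for o in root if o.get("oid")]
    known = {o.get("oid") for o in objects}  # every OID present in the export
    findings = []
    for obj in objects:
        name = obj.findtext(C + "name", default="?")
        for kind in ("assignment", "inducement"):
            for item in obj.findall(C + kind):
                ref = item.find(C + "targetRef")
                if ref is None:
                    continue  # resource construction: no target object
                oid = ref.get("oid")
                if oid is None:
                    continue  # reference without an OID: cannot be judged here
                if oid not in known:
                    findings.append((obj.get("oid"), name, kind, oid))
    return findings


if __name__ == "__main__":
    for holder, name, kind, target in find_dangling_refs(SAMPLE_EXPORT):
        print(f"{name} ({holder}): {kind} -> missing target {target}")
```

An incomplete export makes live targets look missing, so the export has to contain every object type that can be an assignment or inducement target.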