[midPoint] removal of all roles of certain type
Oskar Butovič - AMI Praha a.s.
oskar.butovic at ami.cz
Thu Jan 5 10:32:47 CET 2017
In the end I made quite an ugly script which does that, but I was wondering
whether there is any nicer way.
Script follows:
<task xmlns:apti="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:gen45="http://prism.evolveum.com/xml/ns/public/debug"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      oid="recompute-users-with-catch" version="20"
      xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>Remove ga groups script</name>
    <extension xmlns:se="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3">
        <se:executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
            <s:search>
                <s:type>c:UserType</s:type>
                <s:query>
                    <q:filter>
                        <q:and>
                            <!-- <q:equal>
                                <q:path>name</q:path>
                                <q:value>wagnerova</q:value>
                            </q:equal> -->
                            <q:equal>
                                <q:path>activation/effectiveStatus</q:path>
                                <q:value>disabled</q:value>
                            </q:equal>
                            <q:greaterOrEqual>
                                <q:path>name</q:path>
                                <q:value>a</q:value>
                            </q:greaterOrEqual>
                        </q:and>
                    </q:filter>
                    <q:paging>
                        <q:orderBy>name</q:orderBy>
                    </q:paging>
                </s:query>
                <s:action>
                    <s:type>execute-script</s:type>
                    <s:parameter>
                        <s:name>script</s:name>
                        <c:value xsi:type="c:ScriptExpressionEvaluatorType">
                            <c:code>
import com.evolveum.midpoint.util.exception.ExpressionEvaluationException;
import java.io.StringWriter;
import java.io.PrintWriter;
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType;
import javax.xml.namespace.QName;
import com.evolveum.midpoint.prism.delta.ObjectDelta;

// Runs once per user returned by the search above ("input" is that user).
userDelta = null;
allAssignments = input?.getAssignment();
//log.info("allAssignments " + allAssignments);
allAssignments?.each {
    //log.info("it.getTargetRef()?.getType().getLocalPart() " + it.getTargetRef()?.getType().getLocalPart());
    if (it.getTargetRef()?.getType().getLocalPart() == "RoleType") {
        assignmentOid = basic.stringify(it.getTargetRef()?.getOid());
        //log.info("assignmentOid " + assignmentOid);
        // Fetch the assigned role and look for the GA metarole among its own assignments.
        role = midpoint.getObject(RoleType, assignmentOid);
        if (role != null) {
            roleAssignments = role?.getAssignment();
            for (roleAssignment in roleAssignments) {
                metaAssignmentOid = basic.stringify(roleAssignment.getTargetRef()?.getOid());
                //log.info("metaAssignmentOid " + metaAssignmentOid);
                if (metaAssignmentOid == "GA-group-meta-role") {
                    log.info("found GA role " + role.getName() + " removing from user " + input.getName());
                    //TODO build the delta
                    assignmentQname = new QName('http://midpoint.evolveum.com/xml/ns/public/common/common-3', 'assignment');
                    log.info("assignment " + it);
                    //userDelta = ObjectDelta.createModificationDeleteReference(UserType.class, input?.getOid(), assignmentQname, midpoint.getPrismContext(), assignmentOid);
                    // Delete by container id: a value carrying only the id is enough for a delete delta.
                    AssignmentType a = new AssignmentType();
                    a.setId(it.getId());
                    if (userDelta == null) {
                        userDelta = ObjectDelta.createModificationDeleteContainer(UserType.class, input?.getOid(), UserType.F_ASSIGNMENT, midpoint.getPrismContext(), a);
                    } else {
                        userDelta.addModificationDeleteContainer(UserType.F_ASSIGNMENT, a);
                    }
                    //userDelta = ObjectDelta.createModificationDeleteContainer(UserType.class, input?.getOid(), FocusType.F_ASSIGNMENT, midpoint.getPrismContext(), it);
                }
            }
        }
    }
}
// One delta per user, executed through the model so projections are recomputed.
if (userDelta != null) {
    midpoint.executeChanges(userDelta);
}
                            </c:code>
                        </c:value>
                    </s:parameter>
                </s:action>
            </s:search>
        </se:executeScript>
    </extension>
    <ownerRef xmlns:tns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
              oid="00000000-0000-0000-0000-000000000002" type="tns:UserType"/>
    <executionStatus>closed</executionStatus>
    <category>BulkActions</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
    <recurrence>single</recurrence>
</task>
2017-01-04 17:32 GMT+01:00 Oskar Butovič - AMI Praha a.s. <oskar.butovic at ami.cz>:
> Hello everybody,
>
> I need to unassign a certain type of roles from all disabled users. There
> are about 1800 roles of this type. I used roles to represent Google Apps
> groups.
>
> Mappings don't seem to be very good at removing assignments. They remove
> a certain assignment only during disabling of the user. When he is disabled, not even
> a strong authoritative and non-tolerant mapping removes that assignment.
>
> When I make a task with 1800 item deltas to remove all relevant roles,
> midPoint is unable to even show that task. When I divided it into 4 tasks
> with 500 item deltas, it took ridiculously long.
>
> Is there any way to write some kind of smarter delta or mapping? For
> example: remove all assignments to roles with a projection to the Google Apps
> resource.
>
> Best Regards
>
> Oskar Butovič
>
> --
>
> Oskar Butovič
> solution architect
>
> gsm: [+420] 774 480 101
> e-mail: oskar.butovic at ami.cz
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
> By the text of this e-mail the signatory neither promises to conclude nor concludes
> any contract on behalf of AMI Praha a.s. Any contract, if concluded, must be
> exclusively in written form.
>
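Added example, not part of Oskar's post and not midPoint's own code: the same bulk action with the per-role loop replaced by one query. Instead of calling getObject on every role a user holds and walking that role's assignments, it asks the repository once for all roles that have the metarole assigned (assignment/targetRef equal to GA-group-meta-role, the OID used in the post), intersects the user's assignments with that set, and issues a single delete delta. This is the body that would go into the <c:code> of an execute-script action over the same user search as in the task above. It assumes the midPoint 3.x scripting bindings (input, midpoint, basic, log), the prism QueryBuilder API, and a DRY_RUN switch of my own that only logs the delta.

```groovy
// Added example, not from the original post. Runs once per user matched by
// the task's search (the "input" binding). Assumptions: midPoint 3.x scripting
// bindings (input, midpoint, basic, log), QueryBuilder from prism, and the
// metarole OID "GA-group-meta-role" used in the post.
import com.evolveum.midpoint.prism.delta.ObjectDelta
import com.evolveum.midpoint.prism.query.builder.QueryBuilder
import com.evolveum.midpoint.xml.ns._public.common.common_3.AssignmentType
import com.evolveum.midpoint.xml.ns._public.common.common_3.RoleType
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

final String METAROLE_OID = "GA-group-meta-role"  // OID from the post
final boolean DRY_RUN = true                      // hypothetical switch: log the delta, do not execute it

def prismContext = midpoint.getPrismContext()

// 1. One repository query instead of one getObject per assigned role:
//    every role that itself has the metarole assigned is a "GA group" role.
//    Like the original loop, this matches direct metarole assignments only.
def gaRoleQuery = QueryBuilder.queryFor(RoleType.class, prismContext)
        .item(RoleType.F_ASSIGNMENT, AssignmentType.F_TARGET_REF).ref(METAROLE_OID)
        .build()
Set<String> gaRoleOids = midpoint.searchObjects(RoleType.class, gaRoleQuery)
        .collect { it.oid } as Set

// 2. Keep only this user's assignments that point at one of those roles.
//    Match on OID rather than on the target type's local name, so nothing
//    else that happens to be called "RoleType" can slip through.
def toRemove = (input?.assignment ?: []).findAll { AssignmentType a ->
    a.targetRef?.oid != null && gaRoleOids.contains(a.targetRef.oid)
}
if (toRemove.isEmpty()) {
    return   // nothing to do for this user
}

// 3. A delete delta needs only the container id of each assignment.
//    Sending a value with just the id avoids having to reproduce the whole
//    assignment (targetRef, activation, extension...) byte for byte.
AssignmentType[] deleteValues = toRemove.collect { AssignmentType a ->
    def v = new AssignmentType()
    v.setId(a.getId())
    v
} as AssignmentType[]

def delta = ObjectDelta.createModificationDeleteContainer(
        UserType.class, input.oid, UserType.F_ASSIGNMENT, prismContext, deleteValues)

log.info("{}: {} GA group assignment(s) to remove: {}",
        input.name, toRemove.size(), toRemove.collect { it.targetRef.oid })

if (DRY_RUN) {
    // Review the delta in the task log before letting it loose on all disabled users.
    log.info("DRY_RUN, delta not executed:\n{}", delta.debugDump())
} else {
    // Goes through the model, so the Google Apps projections get deprovisioned by
    // the normal role and inducement processing, not by a raw repository write.
    midpoint.executeChanges(delta)
}
```

Two things worth keeping in mind before flipping DRY_RUN. The bulk action runs with the authorizations of the task owner (the ownerRef in the task above is the administrator), so a mistake in the filter removes assignments everywhere it matches; run it once with the logging only and read the dumped deltas. And because the query matches roles by their own assignment to the metarole, a role that only inherits GA group behaviour through an inducement from another role would not be found, exactly as with the getObject loop in the original script.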