[midPoint] validityStatus changing validTo date

Tue Jan 24 15:12:27 CET 2017

Hi Martin, thank you for the example. I have reported the issue on JIRA and
I will wait a couple of days to get it resolved. In the meantime we moved
the business logic to the resources mappings (we have 2 resources to
populate midPoint) and it's working now.

Regards,

Ing Nicolás Rossi
Identicum S.A.
Jorge Newbery 3226
Tel: +54 (11) 4552-3050
www.identicum.com

On Tue, Jan 24, 2017 at 10:17 AM, Martin Lízner - AMI Praha a.s. <
martin.lizner at ami.cz> wrote:

> This is our code to workaround the problem:
>
> <mapping>
> <name>Effective Status management</name>
> <strength>strong</strength>
> <source>
> <c:path>$focus/activation/administrativeStatus</c:path>
> </source>
> <source>
> <c:path>$focus/activation/validFrom</c:path>
> </source>
> <expression>
> <script>
> <code>
>                 import com.evolveum.midpoint.common.Clock;
>                 import javax.xml.datatype.DatatypeConstants;
>                 import javax.xml.datatype.XMLGregorianCalendar;
>                 import com.evolveum.midpoint.xml.ns._
> public.common.common_3.ActivationStatusType;
> if (validFrom==null || administrativeStatus ==null ||
> administrativeStatus==ActivationStatusType.DISABLED){
> //log.info("XXXX Effective Status code res. "+ActivationStatusType.
> DISABLED);
> return ActivationStatusType.DISABLED;
> }
>             //log.info("XXXX Effective Status code - validFrom:
> ["+validFrom+"] adminStatus: ["+administrativeStatus+"]");
>
>                 boolean isDisabled = ActivationStatusType.ENABLED !=
> administrativeStatus;
>
>                 XMLGregorianCalendar now = (new Clock()).
> currentTimeXMLGregorianCalendar();
>                 boolean isFuture = DatatypeConstants.LESSER ==
> now.compare(validFrom)
>
>                 //log.info("XXXX Effective Status code res.
> "+((isDisabled || isFuture)?ActivationStatusType.DISABLED:
> ActivationStatusType.ENABLED));
>
>                 return (isDisabled || isFuture)?
> ActivationStatusType.DISABLED:ActivationStatusType.ENABLED;
>             </code>
> </script>
> </expression>
> <target>
> <c:path>$focus/activation/effectiveStatus</c:path>
> </target>
> <evaluationPhase>beforeAssignments</evaluationPhase>
> </mapping>
>
> Martin Lízner
> solution architect
>
> gsm: [+420] 737 745 571
> e-mail: martin.lizner at ami.cz
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz
>
>
>
> [image: AMI Praha a.s.] <http://www.skyidentity.com/>
>
> Textem tohoto e-mailu podepisující neslibuje uzavřít ani neuzavírá za
> společnost AMI Praha a.s.
> jakoukoliv smlouvu. Každá smlouva, pokud bude uzavřena, musí mít výhradně
> písemnou formu.
>
>
> 2017-01-24 13:52 GMT+01:00 Nicolas Rossi <nrossi at identicum.com>:
>
>> Ok, I opened it on JIRA: https://jira.evolveum.co
>> m/projects/MID/issues/MID-3695
>>
>> Regards,
>>
>>
>>
>> Ing Nicolás Rossi
>> Identicum S.A.
>> Jorge Newbery 3226
>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>> www.identicum.com
>>
>> On Tue, Jan 24, 2017 at 6:23 AM, Radovan Semancik <
>> radovan.semancik at evolveum.com> wrote:
>>
>>> Hi,
>>>
>>> You are right. You should not change validityStatus or effectiveStatus.
>>> MidPoint should recompute that automatically. I haven't had chance to have
>>> a closer look at the issue. But it looks like a bug. Could you create a
>>> jira for that please? Please compile the information in the jira
>>> description or just point to the relevant mailing list messages. I will
>>> look at that issue as soon as I can find a bit of time.
>>>
>>> --
>>> Radovan Semancik
>>> Software Architectevolveum.com
>>>
>>>
>>>
>>> On 01/23/2017 10:31 PM, Nicolas Rossi wrote:
>>>
>>> Maybe this could help to the midPoint developers: we added some logs to
>>> the ActivationComputer class. We have a disabled user and when we change
>>> the validTo value from the User Template, the *getEffectiveStatus()
>>> returns ENABLED*
>>>  but the user is still disabled.
>>>
>>> Current value:
>>>    <activation>
>>>       <effectiveStatus>disabled</effectiveStatus>
>>>       <validTo>2016-04-30T00:00:00.000-03:00</validTo>
>>>       <validityStatus>after</validityStatus>
>>>       <disableTimestamp>2017-01-23T16:49:49.776-03:00</disableTimestamp>
>>>       <enableTimestamp>2017-01-23T16:49:09.338-03:00</enableTimestamp>
>>>       <validityChangeTimestamp>2017-01-23T16:49:49.776-03:00</vali
>>> dityChangeTimestamp>
>>>    </activation>
>>>
>>> After modification
>>>
>>>    <activation>
>>>       <effectiveStatus>disabled</effectiveStatus>
>>>       <validTo>2017-02-01T00:00:00.000-03:00</validTo>
>>>       <validityStatus>after</validityStatus>
>>>       <disableTimestamp>2017-01-23T16:49:49.776-03:00</disableTimestamp>
>>>       <enableTimestamp>2017-01-23T16:49:09.338-03:00</enableTimestamp>
>>>       <validityChangeTimestamp>2017-01-23T16:49:49.776-03:00</vali
>>> dityChangeTimestamp>
>>>    </activation>
>>>
>>> It sounds like a bug. Should I open it on JIRA ?
>>> 
>>>
>>>
>>> Ing Nicolás Rossi
>>> Identicum S.A.
>>> Jorge Newbery 3226
>>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>>> <http://www.identicum.com>www.identicum.com
>>>
>>> On Mon, Jan 23, 2017 at 4:46 PM, Rodrigo Yanis < <ryanis at identicum.com>
>>> ryanis at identicum.com> wrote:
>>>
>>>> Hello everyone,
>>>>
>>>> Extending the case exposed by Nicolás, we also added a mapping on the
>>>> User Template to target on the administrativeStatus attribute the following
>>>> way (simplified):
>>>>
>>>> <mapping>
>>>>>         ...
>>>>>         <expression>
>>>>>            <script>
>>>>>               <language>
>>>>> <http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy>
>>>>> http://midpoint.evolveum.com/xml/ns/public/express
>>>>> ion/language#Groovy</language>
>>>>>               <code>
>>>>>               import com.evolveum.midpoint.xml.ns._
>>>>> public.common.common_3.ActivationStatusType;
>>>>>
>>>>>           ...
>>>>>           return ActivationStatusType.DISABLED;
>>>>>  </code>
>>>>>            </script>
>>>>>         </expression>
>>>>>         <target>
>>>>>           * <c:path>$user/activation/administrativeStatus</c:path>*
>>>>>         </target>
>>>>>      </mapping>
>>>>
>>>>
>>>> When the user is imported disabled from HR, effectiveStatus remains
>>>> enabled even though validTo is expired and administrativeStatus is set to
>>>> disabled on UserTemplates' account.
>>>>
>>>> <activation>
>>>>>
>>>>> *     <administrativeStatus>disabled</administrativeStatus> **
>>>>>  <effectiveStatus>enabled</effectiveStatus>*
>>>>>      <validFrom>2013-07-20T00:00:00.000-03:00</validFrom>
>>>>>
>>>>> *   <validTo>2015-07-20T00:00:00.000-03:00</validTo> **
>>>>>  <validityStatus>in</validityStatus>*
>>>>>      <enableTimestamp>2017-01-23T16:17:36.013-03:00</enableTimestamp>
>>>>>      <validityChangeTimestamp>2017-01-23T16:17:36.013-03:00</val
>>>>> idityChangeTimestamp>
>>>>>   </activation>
>>>>
>>>>
>>>> Thankful for any advise,
>>>>
>>>>
>>>> *Rodrigo Yanis.*
>>>> Identicum S.A.
>>>> Jorge Newbery 3226
>>>> Tel: +54 (11) 4824-9971 <+54%2011%204824-9971>
>>>> ryanis at identicum.com
>>>> www.identicum.com
>>>>
>>>> 2017-01-23 10:21 GMT-03:00 Nicolas Rossi < <nrossi at identicum.com>
>>>> nrossi at identicum.com>:
>>>>
>>>>> Hi guys, we have reproduced this issue on a fresh install of midPoint
>>>>> 3.5. These are the steps to reproduce it:
>>>>>
>>>>>    1. Extended the schema with 2 attributes (a flag and a date) →
>>>>>    user.xsd
>>>>>    2. Created a UserTemplate mapping the custom date to the validTo
>>>>>    if the flag is active. → user_template.xml
>>>>>    3. Assigned the UserTemplate as the default template for users.
>>>>>    4. Create a user
>>>>>    5. Modify the user setting the flag and a date before today
>>>>>
>>>>> Result:
>>>>>
>>>>>    - The validTo date is mapped correctly
>>>>>    - The user is still enabled
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>>
>>>>> Ing Nicolás Rossi
>>>>> Identicum S.A.
>>>>> Jorge Newbery 3226
>>>>> Tel: +54 (11) 4552-3050
>>>>> <http://www.identicum.com>www.identicum.com
>>>>>
>>>>> On Sun, Jan 22, 2017 at 8:30 AM, Nicolas Rossi <
>>>>> <nrossi at identicum.com>nrossi at identicum.com> wrote:
>>>>>
>>>>>> Hi guys, we have a User Template that defines the validTo date
>>>>>> evaluating 2 different dates. When a user is active and the calculated
>>>>>> validTo date is before today the user is not being disabled by midpoint as
>>>>>> we expected. I found a little difference between this user and other one
>>>>>> not handled by the user template, on the activation node it has
>>>>>> validityStatus=in instead of validityStatus=after:
>>>>>>
>>>>>> User disabled OK (changed from GUI, not from the UserTemplate):
>>>>>>
>>>>>> <activation>
>>>>>>       *<effectiveStatus>disabled</effectiveStatus>*
>>>>>>       *<validTo>2017-01-15T00:00:00.000-03:00</validTo>*
>>>>>>       *<validityStatus>after</validityStatus>*
>>>>>>       <disableTimestamp>2017-01-22T08:24:48.970-03:00</disableTime
>>>>>> stamp>
>>>>>>       <enableTimestamp>2017-01-22T08:24:31.529-03:00</enableTimest
>>>>>> amp>
>>>>>>       <validityChangeTimestamp>2017-01-22T08:24:48.970-03:00</vali
>>>>>> dityChangeTimestamp>
>>>>>>    </activation>
>>>>>>
>>>>>> User not being disabled (changed from UserTemplate):
>>>>>>
>>>>>> <activation>
>>>>>>      * <effectiveStatus>enabled</effectiveStatus>*
>>>>>> *      <validTo>2017-01-15T00:00:00.000-03:00</validTo>*
>>>>>> *      <validityStatus>in</validityStatus>*
>>>>>>       <disableTimestamp>2017-01-22T08:13:40.530-03:00</disableTime
>>>>>> stamp>
>>>>>>       <enableTimestamp>2017-01-22T08:13:58.962-03:00</enableTimest
>>>>>> amp>
>>>>>>       <validityChangeTimestamp>2017-01-22T08:13:58.962-03:00</vali
>>>>>> dityChangeTimestamp>
>>>>>>  </activation>
>>>>>>
>>>>>> Should I set the validityStatus on the UserTemplate?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> Ing Nicolás Rossi
>>>>>> Identicum S.A.
>>>>>> Jorge Newbery 3226
>>>>>> Tel: +54 (11) 4552-3050 <+54%2011%204552-3050>
>>>>>> www.identicum.com
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing listmidPoint at lists.evolveum.comhttp://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>>
>>> _______________________________________________
>>> midPoint mailing list
>>> midPoint at lists.evolveum.com
>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20170124/19cb9901/attachment.htm>