[midPoint] User activation by HR data with manual override possibility

Pálos Gustáv gustav.palos at evolveum.com
Thu Jan 26 09:51:09 CET 2017


Hi Aivo,

can you please run your test cases again, but please also put this into
the object template?

<mapping>
    <name>Override effective status if needed</name>
    <strength>strong</strength>
    <source>
        <path>$user/activation/administrativeStatus</path>
    </source>
    <source>
        <path>$user/extension/overrideAdministrativeStatus</path>
    </source>
    <expression>
        <script>
            <code>
                if (overrideAdministrativeStatus != null) {
                    return overrideAdministrativeStatus;
                }
                return administrativeStatus;
            </code>
        </script>
    </expression>
    <target> <!-- need both administrativeStatus & effectiveStatus also -->
        <path>$user/activation/effectiveStatus</path>
    </target>
    <condition>
        <script>
            <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
            <code>overrideAdministrativeStatus != null</code>
        </script>
    </condition>
</mapping>

(and also keep the old one)

Best regards

Gustav


2017-01-18 13:23 GMT+01:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>:

> Hi Gustav
> I set up now MidPoint 3.5 test environment and did some testing with your
> scripts. They work much better in 3.5 but I still noticed wrong behavior in
> certain situations:
> For testing purpose I added also scriptedSQL resource to my test
> environment to see if the resource status is as it should be when user's
> administrativeStatus is changing.
>
> I played with Override Administrative status (OAS) and Administrative
> status (AS) values. Here are 2 scenarios where the user icon did not
> indicate the correct state and at the same time scriptedSQL resource was
> not enabled/disabled to correct state:
>
> Initial values for all tests: Override Administrative status (OAS) =
> Administrative status (AS) = Undefined
>
>
> Test1:
>
>     Step 1: OAS is set to Disabled -> Result: user icon is normal (Not OK),
> scriptedSQL resource is not disabled (Not OK)
>     Step 2: OAS is set to Undefined -> Result: user icon is not grayed (OK),
> scriptedSQL resource is not disabled (OK)
>
> Test2:
>
>     Step 1: AS is set to Disabled -> Result: user icon is grayed (OK),
> scriptedSQL resource is disabled (OK)
>     Step 2: OAS is set to Enabled -> Result: user icon stays grayed (Not
> OK), scriptedSQL resource stays disabled (Not OK)
>     Step 3: OAS is set to Undefined -> Result: user icon stays gray (Not
> OK), scriptedSQL resource stays disabled (Not OK)
>
> Regards,
> Aivo
>
>
> Aivo Kuhlberg        Phone: (+372) 671 3984
> Rahandusministeeriumi Infotehnoloogiakeskus
> ------------------------------
> *From:* Pálos Gustáv <gustav.palos at evolveum.com>
> *Sent:* 16 January 2017 16:35
> *To:* Aivo Kuhlberg
> *Cc:* midPoint General Discussion
>
> *Subject:* Re: [midPoint] User activation by HR data with manual override
> possibility
>
> do you use midPoint 3.5?
> We had a bug with this problem in older versions...
>
>
> 2017-01-16 15:33 GMT+01:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>:
>
>> Hi Gustav,
>> the import namespace statement solved the problem. Now the attribute is
>> loaded but I am facing the next problem - I see the attribute
>> overrideAdministrativeStatus in the GUI and I can change its values but it
>> does not show the correct values in the user GUI. When I look at the
>> database then I see that the value has changed (eg 'disabled') but in the
>> GUI it always shows the value "Undefined":
>>
>>
>>
>>
>> I tried to create manually the lookup table for that attribute and link
>> it in user template with valueEnumerationRef but seems that it does not
>> work this way either.
>>
>>
>> Best regards,
>>
>> Aivo
>> ------------------------------
>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
>> Pálos Gustáv <gustav.palos at evolveum.com>
>> *Sent:* 16 January 2017 11:42
>>
>> *To:* midPoint General Discussion
>> *Subject:* Re: [midPoint] User activation by HR data with manual override
>> possibility
>>
>> Hi,
>>
>> please check whether your schema has this at the beginning:
>>
>> <xsd:schema elementFormDefault="qualified"
>>             targetNamespace="http://evolveum.com/evolutiongaming"
>>             xmlns:tns="http://evolveum.com/evolutiongaming"
>>             xmlns:a="http://prism.evolveum.com/xml/ns/public/annotation-3"
>>             xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>>             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>>     <xsd:import namespace="http://midpoint.evolveum.com/xml/ns/public/common/common-3"/>
>> ...
>>
>> Best regards,
>>
>> Gustav
>>
>> 2017-01-16 10:18 GMT+01:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>:
>>
>>> Hi Gustav,
>>>
>>> That is a very compact and elegant solution. Unfortunately when I tried to
>>> implement that by first adding the parameter overrideAdministrativeStatus to
>>> the userExtension.xsd file I ran into the schema extension error:
>>>
>>>
>>> 2017-01-16 11:09:06,737 [] [localhost-startStop-1] ERROR
>>> (com.evolveum.midpoint.prism.schema.SchemaHandler): Error occured
>>> during schema parsing: [Error] on line 120 at file:///home/mpdev/SystemId,
>>> null undefined simple or complex type 'c:ActivationStatusType'
>>> 2017-01-16 11:09:06,738 [] [localhost-startStop-1] WARN
>>> (org.springframework.web.context.support.XmlWebApplicationContext):
>>> Exception encountered during context initialization - cancelling refresh
>>> attempt: org.springframework.beans.factory.BeanCreationException: Error
>>> creating bean with name 'repositoryFactory': Injection of autowired
>>> dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException:
>>> Could not autowire field: private com.evolveum.midpoint.prism.PrismContext
>>> com.evolveum.midpoint.init.RepositoryFactory.prismContext; nested
>>> exception is org.springframework.beans.factory.BeanCreationException:
>>> Error creating bean with name 'prismContext' defined in class path resource
>>> [ctx-configuration.xml]: Bean instantiation via factory method failed;
>>> nested exception is org.springframework.beans.BeanInstantiationException:
>>> Failed to instantiate [com.evolveum.midpoint.prism.PrismContext]:
>>> Factory method 'createInitializedPrismContext' threw exception; nested
>>> exception is com.evolveum.midpoint.util.exception.SchemaException: XML
>>> error during XSD schema parsing: undefined simple or complex type
>>> 'c:ActivationStatusType'(embedded exception null) in file
>>> /home/mpdev/midpoint-data/schema/userExtension.xsd
>>> 2017-01-16 11:09:06,760 [] [localhost-startStop-1] ERROR
>>> (org.springframework.web.context.ContextLoader): Context initialization
>>> failed
>>> org.springframework.beans.factory.BeanCreationException: Error creating
>>> bean with name 'repositoryFactory': Injection of autowired dependencies
>>> failed; nested exception is org.springframework.beans.factory.BeanCreationException:
>>> Could not autowire field: private com.evolveum.midpoint.prism.PrismContext
>>> com.evolveum.midpoint.init.RepositoryFactory.prismContext; nested
>>> exception is org.springframework.beans.factory.BeanCreationException:
>>> Error creating bean with name 'prismContext' defined in class path resource
>>> [ctx-configuration.xml]: Bean instantiation via factory method failed;
>>> nested exception is org.springframework.beans.BeanInstantiationException:
>>> Failed to instantiate [com.evolveum.midpoint.prism.PrismContext]:
>>> Factory method 'createInitializedPrismContext' threw exception; nested
>>> exception is com.evolveum.midpoint.util.exception.SchemaException: XML
>>> error during XSD schema parsing: undefined simple or complex type
>>> 'c:ActivationStatusType'(embedded exception null) in file
>>> /home/mpdev/midpoint-data/schema/userExtension.xsd
>>>
>>> I think the parameter type="c:ActivationStatusType" is causing this
>>> error. I tried to change it to type="xsd:ActivationStatusType" but this
>>> did not help either. Do you have any ideas how to fix that?
>>>
>>>
>>> Best regards,
>>>
>>> Aivo
>>> ------------------------------
>>> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of
>>> Pálos Gustáv <gustav.palos at evolveum.com>
>>> *Sent:* 16 January 2017 9:41
>>> *To:* midPoint General Discussion
>>> *Subject:* Re: [midPoint] User activation by HR data with manual override
>>> possibility
>>>
>>> Hi Aivo,
>>>
>>> I created in one project extension/overrideAdministrativeStatus user
>>> schema extension and when it is enabled or disabled, I use this value over
>>> object template user, elsewhere keep as is from
>>> activation/administrativeStatus.
>>>
>>>             <xsd:element name="overrideAdministrativeStatus" type="c:ActivationStatusType" minOccurs="0">
>>>                 <xsd:annotation>
>>>                     <xsd:appinfo>
>>>                         <a:indexed>true</a:indexed>
>>>                         <a:displayName>Override Administrative status</a:displayName>
>>>                         <a:displayOrder>900</a:displayOrder>
>>>                     </xsd:appinfo>
>>>                     <xsd:documentation>
>>>                         If this is filled, override administrative status from HR calculated from status.
>>>                         If you use this, please write to description a reason, why you do this (for example: She works on maternity leave).
>>>                     </xsd:documentation>
>>>                 </xsd:annotation>
>>>             </xsd:element>
>>>
>>> <mapping>
>>>     <name>Override administrative status if needed</name>
>>>     <strength>strong</strength>
>>>     <source>
>>>         <path>$user/activation/administrativeStatus</path>
>>>     </source>
>>>     <source>
>>>         <path>$user/extension/overrideAdministrativeStatus</path>
>>>     </source>
>>>     <expression>
>>>         <script>
>>>             <code>
>>>                 if (overrideAdministrativeStatus != null) {
>>>                     return overrideAdministrativeStatus;
>>>                 }
>>>                 return administrativeStatus;
>>>             </code>
>>>         </script>
>>>     </expression>
>>>     <target> <!-- need both administrativeStatus & effectiveStatus also -->
>>>         <path>$user/activation/administrativeStatus</path>
>>>     </target>
>>>     <condition>
>>>         <script>
>>>             <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#Groovy</language>
>>>             <code>overrideAdministrativeStatus != null</code>
>>>         </script>
>>>     </condition>
>>> </mapping>
>>>
>>>
>>> Best regards,
>>>
>>> Gustav
>>>
>>> 2017-01-16 8:32 GMT+01:00 Aivo Kuhlberg <aivo.kuhlberg at rmit.ee>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I want to implement midPoint user activation mechanism based on HR
>>>>> resource user account field value with manual GUI override possibility.
>>>>> When the HR resource field "status" has value "WRS" (work relationship
>>>>> stopped) then the midPoint user should be disabled, otherwise user should
>>>>> be enabled. However, I need also possibility to manually override current
>>>>> midPoint user activation value.
>>>>> I tried implementing inbound activation for HR resource (like
>>>>> https://github.com/Evolveum/midpoint/blob/master/samples/demo/hr.xml)
>>>>> and it works - When I set HR user status to value "WRS" then midPoint
>>>>> user's administrative status is changed to state Disabled. I can also
>>>>> manually enable disabled user if needed in administration GUI. But the
>>>>> problem here is that both HR resource and admin gui have the same access to
>>>>> user's administrativeStatus value - I can change the user status in GUI but
>>>>> whenever the HR user data is changed then it changes also
>>>>> administrativeStatus back to value depending on status field. Any ideas,
>>>>> how should I implement disabling/enabling of user based on HR data with
>>>>> manual user activation override possibility?
>>>>> Thanks,
>>>>> Aivo Kuhlberg
>>>>>
>>>>> ------------------------------
>>>>> This e-mail may contain information which is classified for official
>>>>> use.
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Best regards
>>>>
>>>> Gustáv Pálos
>>>>
>>>
>>>
>>>
>>> --
>>> Gustáv Pálos
>>> Identity Engineer
>>> evolveum.com
>>>

-- 
Gustáv Pálos
Identity Engineer
evolveum.com
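
The precedence rule discussed in this thread (a set override wins, Undefined falls back to the HR-derived status) can be checked against exported user data. The following is an added example, not code from the thread or from midPoint: the record fields, the "ACTIVE" HR value and the finding names are assumptions, and the sample users are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ENABLED, DISABLED = "enabled", "disabled"

@dataclass
class User:
    name: str
    hr_status: Optional[str]  # HR "status" field; "WRS" = work relationship stopped
    override: Optional[str]   # overrideAdministrativeStatus; None = Undefined
    description: str          # reason the admin is asked to record
    effective: str            # activation/effectiveStatus as observed

def hr_derived(hr_status):
    """HR rule from the thread: "WRS" disables, anything else enables."""
    return DISABLED if hr_status == "WRS" else ENABLED

def expected_effective(user):
    """A set override wins; Undefined falls back to the HR-derived value."""
    return user.override if user.override is not None else hr_derived(user.hr_status)

def audit(users):
    """Return (user, finding, detail) tuples for states that need review."""
    findings = []
    for u in users:
        want = expected_effective(u)
        if u.effective != want:
            findings.append((u.name, "drift", f"effective={u.effective} expected={want}"))
        if u.override is not None and not u.description.strip():
            findings.append((u.name, "undocumented-override", f"override={u.override}"))
        if u.override == ENABLED and hr_derived(u.hr_status) == DISABLED:
            findings.append((u.name, "enabled-after-wrs", "override outranks HR disable"))
    return findings

# Constructed sample records, not taken from the thread.
SAMPLE_USERS = [
    User("alice", "ACTIVE", None, "", ENABLED),
    User("bob", "WRS", None, "", DISABLED),
    User("carol", "WRS", ENABLED, "Handover period agreed with HR", ENABLED),
    User("dave", "ACTIVE", DISABLED, "", ENABLED),
    User("erin", "WRS", ENABLED, "", DISABLED),
]

if __name__ == "__main__":
    for name, kind, detail in audit(SAMPLE_USERS):
        print(f"{name:6} {kind:22} {detail}")
```

The "drift" finding corresponds to the symptom reported in Test1 and Test2, where the stored override and the resulting account state disagree.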