[midPoint] Auto-assign role when disabling user and unassign (if assigned) on enable.

Wojciech Staszewski wojciech.staszewski at diagnostyka.pl
Fri Sep 1 16:26:10 CEST 2017


Hello!

Is there a possibility to auto-assign a role when I disable a user?
And unassign this role on enabling the user (if the role is assigned)?

I have a resource (scripted sql connector) where disabled users are members of group called "Disabled", and there is no special activation attribute except this.

The resource has "enforcement policy: full" and "tolerant: false" (important!).

The result:
- When I disable a user, my groovy script assigns the user to the "Disabled" group,
- This group is also visible in the Entitlements, because it is a normal group among the other groups,
- On reconciliation midPoint removes the user from this group because there is no role assigning it. :)

Concepts:

1) make an auto-assigned role: when a user has an account in the resource and is disabled, assign the role "disabled group membership" to this user (and remove it on enable).

2) in SearchScript.groovy change the SQL that selects the group list so that it skips the "Disabled" group (select ... from ... where ... and groupname <> 'Disabled' ...),
   and in the same way the SQL query selecting user group membership. In this case midPoint will not be able to manage this particular group.

The second method is very easy but it's more like a workaround; the first sounds like a challenge but is more proper (I think).

Regards,
Wojciech Staszewski
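One way to implement the first concept in midPoint itself, as an added example that is not part of the post: a user object-template mapping that searches for the role by name and writes it to `assignment`, with a condition on `activation/administrativeStatus`. The role name "Disabled group membership" and the template OID are assumptions; the mapping also assumes that the role is what adds the user to the resource's "Disabled" group, and it does not yet check that the user actually has an account on that resource.

```xml
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                oid="00000000-0000-0000-0000-EXAMPLE-TEMPLATE">
    <name>User template: auto-assign disabled role</name>
    <mapping>
        <name>assign-disabled-role-when-user-is-disabled</name>
        <!-- Strong + authoritative (default): when the condition turns false,
             midPoint removes the assignment this mapping produced. -->
        <strength>strong</strength>
        <source>
            <path>activation/administrativeStatus</path>
        </source>
        <expression>
            <!-- Look up the role by name instead of hard-coding its OID. -->
            <assignmentTargetSearch>
                <targetType>RoleType</targetType>
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>Disabled group membership</q:value>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <path>assignment</path>
        </target>
        <condition>
            <script>
                <!-- Assumed role name above; the enum class is midPoint's generated ActivationStatusType.
                     Condition true  -> assignment added (user disabled)
                     Condition false -> assignment removed (user enabled or status cleared) -->
                <code>
                    administrativeStatus == com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType.DISABLED
                </code>
            </script>
        </condition>
    </mapping>
</objectTemplate>
```

The template must still be referenced from the system configuration (`defaultObjectPolicyConfiguration` for UserType) to take effect; extend the condition with a check on the user's links if membership should depend on an existing account.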
