[midPoint] Auto-assign role when disabling user and unassign (if assigned) on enable.
Martin Lízner - AMI Praha a.s.
martin.lizner at ami.cz
Wed Sep 6 20:10:20 CEST 2017
Hi, this sounds like something totally doable in midPoint. I suggest
creating a mapping in the user object template, making activation/effectiveStatus
the mapping source, and then you can e.g. use assignmentTargetSearch to
assign/unassign the role. M.
Some similar code we use for the end-user role:
<mapping>
    <name>End-User role</name>
    <tolerant>true</tolerant>
    <strength>strong</strength>
    <source>
        <c:path>$focus/activation/administrativeStatus</c:path>
    </source>
    <source>
        <c:path>$focus/activation/disableTimestamp</c:path>
    </source>
    <source>
        <c:path>$focus/extension/evidentiary_status</c:path>
    </source>
    <expression>
        <assignmentTargetSearch xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:type="c:SearchObjectRefExpressionEvaluatorType">
            <includeNullInputs>true</includeNullInputs>
            <targetType>c:RoleType</targetType>
            <oid>00000000-0000-0000-0000-000000000008</oid>
        </assignmentTargetSearch>
    </expression>
    <target>
        <c:path>assignment</c:path>
    </target>
    <condition>
        <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="c:ScriptExpressionEvaluatorType">
            <includeNullInputs>true</includeNullInputs>
            <code>
                // stripped
            </code>
        </script>
    </condition>
    <evaluationPhase>beforeAssignments</evaluationPhase>
</mapping>
Martin Lízner
solution architect
gsm: [+420] 737 745 571
e-mail: martin.lizner at ami.cz
AMI Praha a.s.
Pláničkova 11
162 00 Praha 6
tel.: [+420] 274 783 239
web: www.ami.cz
[image: AMI Praha a.s.] <http://www.skyidentity.com/>
By the text of this e-mail the signatory neither promises to conclude nor concludes
any contract on behalf of AMI Praha a.s.
Any contract, if concluded, must be exclusively in written form.
2017-09-01 16:26 GMT+02:00 Wojciech Staszewski <
wojciech.staszewski at diagnostyka.pl>:
> Hello!
>
> Is there a possibility to auto-assign a role when I disable a user?
> And unassign this role when the user is enabled (if the role is assigned)?
>
> I have a resource (scripted sql connector) where disabled users are
> members of group called "Disabled", and there is no special activation
> attribute except this.
>
> The resource has "enforcement policy: full" and "tolerant: false"
> (important!).
>
> The result:
> - When I disable a user, my groovy script assigns the user to the "Disabled"
> group,
> - This group is also visible in the Entitlements, because this is normal
> group among other groups,
> - On reconciliation midPoint removes the user from this group because
> there is no role assigning it. :)
>
> Concepts:
>
> 1) make an auto-assigned role: When user has account in the resource and
> is disabled - assign role "disabled group membership" to this user (and
> remove it on enable).
>
> 2) in the SearchScript.groovy change the group list selecting SQL to skip
> "Disabled" group (select ... from ... where ... and groupname <> 'Disabled'
> ...)
> and in the same way the SQL query selecting user group membership. In
> this case midPoint will not be able to manage this particular group.
>
> The second method is very easy but it's more like a workaround; the first sounds
> like a challenge but is more proper (I think).
>
> Regards,
> Wojciech Staszewski
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
>
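The mapping Martin suggests above (effectiveStatus as the source, assignmentTargetSearch as the expression, a condition that is true only while the user is disabled), written out as an added example for Wojciech's first concept. This is not Martin's code and not a midPoint project sample; it assumes a role "disabled group membership" already exists whose construction grants the "Disabled" group on the scripted SQL resource, and the OIDs are placeholders to be replaced with your own:

```xml
<!-- Fragment of a user object template. OIDs are placeholders (assumed), not real objects. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                oid="00000000-0000-0000-0000-TEMPLATE-OID">
    <name>User template</name>
    <mapping>
        <name>Disabled group membership role</name>
        <!-- strong + authoritative: midPoint owns this assignment and removes it
             when the mapping stops producing it -->
        <strength>strong</strength>
        <authoritative>true</authoritative>
        <source>
            <!-- effectiveStatus reflects administrativeStatus and validity dates together -->
            <c:path>$focus/activation/effectiveStatus</c:path>
        </source>
        <expression>
            <assignmentTargetSearch xsi:type="c:SearchObjectRefExpressionEvaluatorType">
                <targetType>c:RoleType</targetType>
                <!-- OID of the "disabled group membership" role (placeholder) -->
                <oid>00000000-0000-0000-0000-DISABLED-ROLE-OID</oid>
            </assignmentTargetSearch>
        </expression>
        <target>
            <c:path>assignment</c:path>
        </target>
        <condition>
            <script xsi:type="c:ScriptExpressionEvaluatorType">
                <code>
                    // effectiveStatus is the source variable (ActivationStatusType, may be null
                    // for a user that has no activation yet); only a disabled user gets the role
                    effectiveStatus?.value() == 'disabled'
                </code>
            </script>
        </condition>
    </mapping>
</objectTemplate>
```

The condition does the "unassign on enable" half: when it goes from true to false on a later recompute, midPoint treats that transition as removal of the mapping's output, so the assignment (and with it the group membership the role's construction produced) is taken away. Because the resource is tolerant: false with full enforcement, the membership is then managed entirely through the role rather than fought over by reconciliation.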