[midPoint] Auto-assign role when disabling user and unassign (if assigned) on enable.
Wojciech Staszewski
wojciech.staszewski at diagnostyka.pl
Fri Sep 8 13:55:26 CEST 2017
Thank you very much!
I confess that I followed the path of least resistance and modified the scripts. Shame on me. :(
But certainly I'll ctrl+c this example and ctrl+v it into my "midPoint useful tips and howtos" doc for further analysis.
Best regards!
Wojciech Staszewski
On 06.09.2017 at 20:10, Martin Lízner - AMI Praha a.s. wrote:
> Hi, this sounds like something totally doable in midPoint. I suggest creating a mapping in the user object template, making activation/effectiveStatus the mapping source, and then you can e.g. use assignmentTargetSearch to assign/unassign the role. M.
>
> Similar code we use for the end-user role:
>
> <mapping>
>     <name>End-User role</name>
>     <tolerant>true</tolerant>
>     <strength>strong</strength>
>     <source>
>         <c:path>$focus/activation/administrativeStatus</c:path>
>     </source>
>     <source>
>         <c:path>$focus/activation/disableTimestamp</c:path>
>     </source>
>     <source>
>         <c:path>$focus/extension/evidentiary_status</c:path>
>     </source>
>     <expression>
>         <assignmentTargetSearch xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                                 xsi:type="c:SearchObjectRefExpressionEvaluatorType">
>             <includeNullInputs>true</includeNullInputs>
>             <targetType>c:RoleType</targetType>
>             <oid>00000000-0000-0000-0000-000000000008</oid>
>         </assignmentTargetSearch>
>     </expression>
>     <target>
>         <c:path>assignment</c:path>
>     </target>
>     <condition>
>         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                 xsi:type="c:ScriptExpressionEvaluatorType">
>             <includeNullInputs>true</includeNullInputs>
>             <code>
>                 // stripped
>             </code>
>         </script>
>     </condition>
>     <evaluationPhase>beforeAssignments</evaluationPhase>
> </mapping>
>
> Martin Lízner
> solution architect
>
> gsm: [+420] 737 745 571
> e-mail: martin.lizner at ami.cz <mailto:martin.lizner at ami.cz>
>
>
>
> AMI Praha a.s.
> Pláničkova 11
> 162 00 Praha 6
> tel.: [+420] 274 783 239
> web: www.ami.cz <http://www.ami.cz/>
>
>
>
>
> AMI Praha a.s. <http://www.skyidentity.com/>
>
> By the text of this e-mail the signatory neither promises to conclude nor concludes any contract on behalf of AMI Praha a.s.
> Any contract, if concluded, must be exclusively in written form.
>
>
>
> 2017-09-01 16:26 GMT+02:00 Wojciech Staszewski <wojciech.staszewski at diagnostyka.pl <mailto:wojciech.staszewski at diagnostyka.pl>>:
>
> Hello!
>
> Is there a possibility to auto-assign a role when I disable a user?
> And unassign this role when the user is enabled (if the role is assigned)?
>
> I have a resource (scripted SQL connector) where disabled users are members of a group called "Disabled", and there is no special activation attribute apart from this.
>
> The resource has "enforcement policy: full" and "tolerant: false" (important!).
>
> The result:
> - When I disable a user, my Groovy script assigns the user to the "Disabled" group,
> - This group is also visible in the Entitlements, because it is a normal group among other groups,
> - On reconciliation midPoint removes the user from this group because there is no role assigning it. :)
>
> Concepts:
>
> 1) make an auto-assigned role: when a user has an account in the resource and is disabled, assign the role "disabled group membership" to this user (and remove it on enable).
>
> 2) in the SearchScript.groovy change the SQL selecting the group list to skip the "Disabled" group (select ... from ... where ... and groupname <> 'Disabled' ...)
> and in the same way the SQL query selecting user group membership. In this case midPoint will not be able to manage this particular group.
>
> The second method is very easy but it's more like a workaround; the first sounds like a challenge but is more proper (I think).
>
> Regards,
> Wojciech Staszewski
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
> http://lists.evolveum.com/mailman/listinfo/midpoint <http://lists.evolveum.com/mailman/listinfo/midpoint>
>
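A worked version of the approach Martin describes, written as an added example for this thread (it is not code from the thread or from the midPoint project): an object template mapping whose source is activation/effectiveStatus, whose expression uses assignmentTargetSearch to look up the role, and whose condition is true only while the user is disabled. The role name "Disabled group membership" (Wojciech's concept 1), the template name and the template OID are assumptions; the role itself must carry the construction/association that puts the account into the resource's "Disabled" group, which is not shown here.

```xml
<!-- Added example, not from the thread or the midPoint project.
     Assumptions: a role named "Disabled group membership" exists, and this
     template is configured as the user object template. The OID below is a
     placeholder. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                oid="11111111-1111-1111-1111-111111111111">
    <name>User template: disabled-group role mapping (example)</name>
    <mapping>
        <name>Assign "Disabled group membership" while user is disabled</name>
        <!-- authoritative: when the condition later turns false (user enabled
             again), midPoint removes the assignment this mapping produced,
             which gives the "unassign on enable" half of the question. -->
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <source>
            <!-- effectiveStatus also covers validity-based disablement, not
                 only an explicit administrativeStatus change -->
            <c:path>$focus/activation/effectiveStatus</c:path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <!-- look the role up by name instead of hard-coding an OID -->
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>Disabled group membership</q:value>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <c:path>assignment</c:path>
        </target>
        <condition>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
                    // "effectiveStatus" is the script variable midPoint derives
                    // from the last segment of the source path above
                    effectiveStatus == ActivationStatusType.DISABLED
                </code>
            </script>
        </condition>
        <evaluationPhase>beforeAssignments</evaluationPhase>
    </mapping>
</objectTemplate>
```

With the resource kept at enforcement "full" and tolerant "false", the group membership is then justified by the role's own construction rather than by the connector script, so reconciliation keeps it while the user is disabled and removes it once the role assignment is gone. Check the result with a dry-run recompute of a disabled and of a re-enabled user before switching the connector script back.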