[midPoint] How to blank out user properties?

Richard Frovarp richard.frovarp at ndsu.edu
Tue Jul 7 21:53:44 CEST 2020


The value wasn't being reapplied. It looks like empty strings aren't null, and I am not quite able to get null to work. I need to come up with a more elegant solution, but I was able to find something that works:

<s:search xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
          xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <s:type>UserType</s:type>
  <s:searchFilter>
    <q:greater>
      <q:path>extension/ndsuPrimaryJobDepartment</q:path>
      <q:value></q:value>
    </q:greater>
  </s:searchFilter>
  <s:action>
    <s:type>execute-script</s:type>
    <s:parameter>
      <s:name>script</s:name>
      <c:value xsi:type="ScriptExpressionEvaluatorType">
        <c:code>
          import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
          import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
          import com.evolveum.midpoint.prism.path.ItemPath

          // Skip users who still have a live account (shadow) on this resource.
          refs = input?.getLinkRef()
          for (ref in refs) {
            try {
              shadow = midpoint.getObject(ShadowType.class, ref.getOid())
            } catch (Exception e) {
              // The linkRef points at a shadow that can no longer be fetched.
              log.info('DEAD SHADOW {}', input.name)
              continue
            }

            if (shadow.getResourceRef().getOid() == '5f1cc34a-2b27-4ae1-9989-3960e2e311f4') {
              return
            }
          }

          // No live account on that resource: delete the current value of each extension property.
          path = ItemPath.create(UserType.F_EXTENSION, 'ndsuPrimaryJobDepartment')
          delta = midpoint.prismContext.deltaFactory().object().createModificationDeleteProperty(UserType.class, input.getOid(), path, basic.getPropertyValue(input, "extension/ndsuPrimaryJobDepartment"))
          midpoint.executeChanges(delta)

          path = ItemPath.create(UserType.F_EXTENSION, 'ndsuPrimaryJobTitle')
          titleDelta = midpoint.prismContext.deltaFactory().object().createModificationDeleteProperty(UserType.class, input.getOid(), path, basic.getPropertyValue(input, "extension/ndsuPrimaryJobTitle"))
          // Execute the title delta (the original executed the department delta a second time).
          midpoint.executeChanges(titleDelta)

        </c:code>
      </c:value>
    </s:parameter>
  </s:action>
</s:search>

Feels like I'm doing things sub-optimally. Between your examples and the Grouper bits I was able to get enough figured out. Like I said, this works. The only way they disappear from the resource is on a reconcile, so having this run in a task later is fine. I think my dead shadows are from earlier tests where I didn't get the right synchronization for removal quickly enough.

Now I need to figure out how to turn this into a bulk action task of some sort.

On Thu, 2020-07-02 at 16:58 -0500, Jason Everling wrote:
Yep, my weekend starts here in a few! Even though I've been working at home for 4 months now :D

You could be hitting my age old bug as well, check the history tab on the user to make sure the value isn't being re-applied, I was about right, the last time we used it was 3.2 and this was reported in 3.1 when it was doing the same thing for us,
https://jira.evolveum.com/browse/MID-2100




On Thu, Jul 2, 2020 at 4:27 PM Richard Frovarp <richard.frovarp at ndsu.edu> wrote:
<mapping>
  <description>Clean out title</description>
  <strength>strong</strength>
  <target>
    <path>$user/extension/ndsuPrimaryJobTitle</path>
  </target>
  <expression>
    <script>
      <code>null</code>
    </script>
  </expression>
</mapping>

It's not clear how midPoint interprets empty strings to me. Hence using the script to do an explicit null.

I can give what you provided a try next week. I'm about to start the weekend. Thank you for the help. Thank you for providing your examples, they have been helpful to us getting going (I just found your bulk actions item, which is helpful). Once I have something more complicated than importing names, I'll start to try to contribute back with what we have working.

Have a great 4th!



On Thu, 2020-07-02 at 16:18 -0500, Jason Everling wrote:
So can you post what you have for the deleted template action? You also have that set under the resource for deleted? I just checked, and a long time ago we did something similar for accounts removed from a resource, although we don't anymore, but that was on 3.2 and should still work. I don't see why not unless it's a bug. Try the below; I pulled it from an old 'delete' template on our private repo from an old resource we had years ago.

<mapping>
  <authoritative>true</authoritative>
  <strength>strong</strength>
  <expression>
    <value>''</value>
  </expression>
  <target>
    <path>extension/ndsuPrimaryJobTitle</path>
  </target>
</mapping>




On Thu, Jul 2, 2020 at 4:09 PM Richard Frovarp <richard.frovarp at ndsu.edu> wrote:
Thanks. I've started work down the bulk actions path. Which is perhaps less than ideal, but I think I understand it, and I will have operations later that will require it. I can follow your more elegant solution after I have something working. I don't quite have all of the affiliations populated yet right now. I figured that setting and clearing a single value attribute from a single source would be the easiest thing to start with. Affiliations come after I have this working.

On Thu, 2020-07-02 at 15:55 -0500, Jason Everling wrote:
:/ I've been updating some of our logstash stuff, should be != faculty and != staff
JASON


On Thu, Jul 2, 2020 at 3:49 PM Jason Everling <jeverling at bshp.edu> wrote:
Gotcha, I just put together a quick example for an idea, you can also go with if affiliation == student && not == faculty ||  affiliation == student && not == staff || etc...

For the assignments, you would write the script to get all assignments, then if your resource doesn't exist apply the mapping. There is a midpoint function for it; we used something similar for a bulk task. I'll find it on my prod git repo, it's back there in time.

someone else might be able to chime in sooner



On Thu, Jul 2, 2020 at 2:13 PM Richard Frovarp <richard.frovarp at ndsu.edu> wrote:
But students can be employed. I need it so that if they aren't in that resource, they are removed. Your earlier example makes some sense, but I don't have a deep enough understanding of midPoint to fully implement it. Error complains about the source of $user/assignments. I'm on 4.1 and it looks like that may have changed some, but I can't quite figure out how.

Kind of frustrated as this seems like it should be a basic operation, and it's the one thing stopping me from going further. I don't want a mess of stale data in a brand new system a day after it goes up.

I've been looking at queries and bulk actions, but I can't figure out how to find all users that aren't referenced by a resource. I can find all in the resource, and all that have a resource that isn't it (which is all of the users as names are pulled in from a different resource). What is a one minute query in raw SQL is beyond my understanding here right now.

On Thu, 2020-07-02 at 13:15 -0500, Jason Everling wrote:
Also this in the default template, if return null; doesn't work you could also go with return ''; . So many different ways to do it without relying on a deleted template

<mapping>
  <description>Clean out department</description>
  <strength>strong</strength>
  <source>
    <path>$user/extension/your_affiliation</path>
  </source>
  <target>
    <path>$user/extension/ndsuPrimaryJobTitle</path>
  </target>
  <expression>
    <script>
      <code>
        if (affiliation == 'student') {
            return null;
        }
      </code>
    </script>
  </expression>
</mapping>


From: Jason Everling <jeverling at bshp.edu>
Sent: Thursday, July 2, 2020 1:06 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: RE: [midPoint] How to blank out user properties?

* only if the resource isn’t assigned?

From: Jason Everling <jeverling at bshp.edu>
Sent: Thursday, July 2, 2020 1:04 PM
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Subject: RE: [midPoint] How to blank out user properties?

What about just a regular mapping in the default user template with a condition strong that gets applied and only if the resource is assigned?

<mapping>
  <description>Clean out department</description>
  <strength>strong</strength>
  <source>
    <path>$user/assignments</path>
  </source>
  <target>
    <path>$user/extension/ndsuPrimaryJobTitle</path>
  </target>
  <expression>
    <script>
      <code>
       if (assignment != your resource) {
            return null;
        }
      </code>
    </script>
  </expression>
</mapping>


From: Richard Frovarp <richard.frovarp at ndsu.edu>
Sent: Thursday, July 2, 2020 12:56 PM
To: midpoint at lists.evolveum.com
Subject: Re: [midPoint] How to blank out user properties?

I've seen your archive example. I wasn't completely clear. I don't want to archive the old value. I just want it gone. I want to keep the user object though. So if I were to leave NDSU, we would want there to still be the name, employee number, etc to remain. But my title would no longer apply. A bigger deal if I were to become a student, we wouldn't want my job title applied to my AD object for instance as it wouldn't be applicable. Just trying to get the value back to null.

On Thu, 2020-07-02 at 12:22 -0500, Jason Everling wrote:
So what I can read from, you want to archive the old value? We do this for various attributes when they are changed, see here, I had added it to the midpoint samples a while back, it will take the old value which was previously set and then add it to a custom schema attribute for archival history, such as a username change, level change, affiliation, etc..

https://github.com/evolveum/midpoint-samples/blob/master/samples/contrib/bshp/objects/objectTemplates/Includes%20-%20Archiving.xml

From: Richard Frovarp<mailto:richard.frovarp at ndsu.edu>
Sent: Thursday, July 2, 2020 11:13 AM
Subject: [midPoint] How to blank out user properties?

I'm reading a list of our employees from a DB through a
DatabaseTableConnector resource. As part of that process I'm setting a
custom schema element that is their title. That's fine. However, when
they are no longer employed, they disappear from the database table.

So I'm trying to blank out the title property, since if they aren't
employed anymore, they don't have a title. We want to keep historic
records, and they may still be a student, which we wouldn't populate a
title.

How does one go about doing this? It was suggested using an object
template on the deleted situation, but that doesn't appear to be
working.

Resource:

<reaction>
  <situation>deleted</situation>
  <synchronize>true</synchronize>
  <action>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action-3#unlink</handlerUri>
  </action>
  <objectTemplateRef oid="5b23b0d3-0740-47a1-932d-c5a4ab513bc4" />
</reaction>

User Template:

<mapping>
  <description>Clean out department</description>
  <strength>strong</strength>
  <target>
    <path>$user/extension/ndsuPrimaryJobTitle</path>
  </target>
  <expression>
    <script>
      <code>null</code>
    </script>
  </expression>
</mapping>

No errors are thrown, it's just that the title element remains populated
with the last known value when the user is deleted from the resource.

Thanks,
Richard
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com<mailto:midPoint at lists.evolveum.com>
https://lists.evolveum.com/mailman/listinfo/midpoint

