[midPoint] How to unassign assignment with effectiveStatus="disabled" and propagate this change to AD
Pascal PÉRICHON
pascal.perichon at u-paris.fr
Fri Oct 16 13:16:14 CEST 2020
This task could be a good start:
<task>
    <name>task suppress Assignement ETUDIANT-LICENCE</name>
    <extension>
        <scext:executeScript
                xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
                xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
            <s:search>
                <s:type>c:UserType</s:type>
                <s:query>
                    <q:filter>
                        <q:and>
                            <q:equal>
                                <q:path>subtype</q:path>
                                <q:value>ETUDIANT-DOCTORAT</q:value>
                            </q:equal>
                            <q:substring>
                                <q:matching>polyStringNorm</q:matching>
                                <q:path>name</q:path>
                                <q:value>a</q:value>
                                <q:anchorStart>true</q:anchorStart>
                            </q:substring>
                            <q:equal>
                                <q:path>c:assignment/targetRef/@/name</q:path>
                                <q:value>etudiants-cursus-doctorat</q:value>
                            </q:equal>
                            <!--q:org>
                                <q:orgRef>
                                    <q:oid>u75-etudiants-cursus-licence</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-master</q:oid-->
                                    <!--q:oid>u75-etudiants-cursus-doctorat</q:oid-->
                                <!--/q:orgRef>
                                <q:maxDepth>unbounded</q:maxDepth>
                            </q:org-->
                        </q:and>
                    </q:filter>
                </s:query>
                <s:action>
                    <s:type>modify</s:type>
                    <s:parameter>
                        <s:name>delta</s:name>
                        <c:value xsi:type="t:ObjectDeltaType">
                            <t:changeType>modify</t:changeType>
                            <t:itemDelta>
                                <t:modificationType>delete</t:modificationType>
                                <t:path>c:assignment</t:path>
                                <t:value xsi:type="c:AssignmentType">
                                    <targetRef
                                        oid="u75-etudiants-cursus-doctorat" relation="org:default"
                                        type="c:RoleType"/>
                                    <!--targetRef
                                        oid="u75-etudiants-cursus-doctorat" relation="org:default"
                                        type="c:OrgType"/-->
                                </t:value>
                            </t:itemDelta>
                        </c:value>
                    </s:parameter>
                </s:action>
            </s:search>
        </scext:executeScript>
    </extension>
    <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
    <executionStatus>runnable</executionStatus>
    <category>BulkActions</category>
    <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
    <recurrence>single</recurrence>
</task>
On 16/10/2020 at 12:46, Lubomir Odlevak via midPoint wrote:
> Hello all,
>
> I have assigned a role to an MP user and set Activation valid on this
> assignment. The role has been assigned in MP and AD successfully.
> When the valid-to time had been exceeded, I ran user reconciliation (or
> the validity task) and effectiveStatus has been set to "disable" for the
> assignment.
> Both the MP role and the AD role are still assigned. Now I'm trying to
> unassign the role assignment from the MP user (manually or with a hook),
> but it is not removed in AD and the user is still a member of that AD
> group. How can I achieve it?
> How to unassign an assignment with effectiveStatus="disabled" and
> propagate this change to AD and remove the user from the AD group?
>
> btw: Assignments with effective status set to "enabled" are
> unassigned properly in AD.
> Tested on MP 3.8 and 4.1.
>
> Regards
> Lubomir Odlevak
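Added example, not part of the original message or of midPoint: a pre-import check for a bulk-action task like the one above, which lists the assignments it would delete and warns when the search filter does not select on the same assignment or when the owner is the administrator ownerRef. It assumes unprefixed task elements as in the message, and that the role name appears inside its OID as it does in the values shown there; summarize and review are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

NS = {"s": "http://midpoint.evolveum.com/xml/ns/public/model/scripting-3",
      "q": "http://prism.evolveum.com/xml/ns/public/query-3",
      "t": "http://prism.evolveum.com/xml/ns/public/types-3"}
ADMIN_OID = "00000000-0000-0000-0000-000000000002"  # ownerRef used in the task above

# Constructed sample: the task from this message, trimmed to the parts that are checked.
SAMPLE_TASK = f"""<task xmlns:s="{NS['s']}" xmlns:q="{NS['q']}" xmlns:t="{NS['t']}">
  <s:search>
    <s:query><q:filter><q:and>
      <q:equal><q:path>subtype</q:path><q:value>ETUDIANT-DOCTORAT</q:value></q:equal>
      <q:equal><q:path>c:assignment/targetRef/@/name</q:path>
        <q:value>etudiants-cursus-doctorat</q:value></q:equal>
    </q:and></q:filter></s:query>
    <s:action><s:type>modify</s:type><t:itemDelta>
      <t:modificationType>delete</t:modificationType><t:path>c:assignment</t:path>
      <t:value><targetRef oid="u75-etudiants-cursus-doctorat" type="c:RoleType"/></t:value>
    </t:itemDelta></s:action>
  </s:search>
  <ownerRef oid="{ADMIN_OID}"/>
</task>"""

def summarize(task_xml):
    """Return (filter conditions, OIDs of assignments deleted, owner OID)."""
    root = ET.fromstring(task_xml)  # XML comments are dropped by the default parser
    conditions = [(c.findtext("q:path", "", NS), c.findtext("q:value", "", NS))
                  for c in root.iterfind(".//q:equal", NS)]
    deletions = [ref.get("oid") for d in root.iterfind(".//t:itemDelta", NS)
                 if d.findtext("t:modificationType", "", NS) == "delete"
                 and d.findtext("t:path", "", NS).endswith("assignment")
                 for ref in d.iterfind("t:value/targetRef", NS)]
    owner_ref = root.find("ownerRef")
    return conditions, deletions, (owner_ref.get("oid") if owner_ref is not None else None)

def review(task_xml):
    """Return warnings to resolve before the task is imported and run."""
    conditions, deletions, owner = summarize(task_xml)
    scoped = [v for p, v in conditions if "assignment/targetRef" in p]
    warnings = ["task owner is the administrator"] if owner == ADMIN_OID else []
    for oid in deletions:
        if not scoped:
            warnings.append(f"{oid}: filter does not select on the assignment being deleted")
        elif not any(v in oid for v in scoped):  # assumption: role name is part of the OID
            warnings.append(f"{oid}: filter selects a different assignment target {scoped}")
    return warnings
```
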