[midPoint] How to unassign assignment with effectiveStatus="disabled" and propagate this change to AD
Lubomir Odlevak
odlevak.lubomir at gmail.com
Fri Oct 30 10:19:29 CET 2020
Pascal, thanks for the task, but I can unassign the role in mP. The problem
is that the change (unassignment) is not propagated into AD for a role assignment
with effectiveStatus = "disabled".
My case:
The role is assigned to the user and the valid-to parameter is set on the
assignment and is propagated to AD (assigned to the user in AD). At
valid-to time mP sets effectiveStatus = "disabled" for this
assignment automatically, and the role is still assigned in mP and AD.
Now if I manually or with the hook unassign that role from mP, then it is
not propagated to AD and the user still has the AD group assigned.
I want to achieve that the mP valid-to role will be unassigned both from mP
and AD after the valid-to parameter is exceeded.
Regards
Lubomir
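Added example, not from this thread and not midPoint code: a small drift check for the risk the case above describes, listing AD group memberships that no enabled assignment justifies any more. The assignments, the role-to-group mapping, the AD membership export and the reference time are constructed sample data; the validity rule (past validTo means effectiveStatus "disabled") is the one described in the thread.

```python
from datetime import datetime, timezone

# Constructed sample data (not midPoint's own API or schema): assignments as
# midPoint would hold them, and the AD group each role is supposed to map to.
ASSIGNMENTS = [
    {"user": "jdoe",   "role": "etudiants-cursus-doctorat", "validTo": "2020-10-01T00:00:00Z"},
    {"user": "asmith", "role": "etudiants-cursus-doctorat", "validTo": None},
    {"user": "bnovak", "role": "etudiants-cursus-doctorat", "validTo": "2021-06-30T00:00:00Z"},
]
ROLE_TO_GROUP = {"etudiants-cursus-doctorat": "CN=doctorat,OU=Groups,DC=example,DC=org"}
# Group membership as exported from AD (constructed).
AD_MEMBERS = {"CN=doctorat,OU=Groups,DC=example,DC=org": {"jdoe", "asmith", "cwhite"}}


def parse_utc(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_status(assignment, now):
    """Validity rule from the thread: once validTo has passed, the assignment is 'disabled'."""
    valid_to = assignment.get("validTo")
    if valid_to is None or now < parse_utc(valid_to):
        return "enabled"
    return "disabled"


def stale_memberships(assignments, role_to_group, ad_members, now):
    """Return [(user, group, reason)] for AD memberships that no enabled assignment justifies."""
    status = {}  # (user, group) -> "enabled" if any enabled assignment covers it, else "disabled"
    for a in assignments:
        key = (a["user"], role_to_group[a["role"]])
        if status.get(key) != "enabled":
            status[key] = effective_status(a, now)
    findings = []
    for group, members in ad_members.items():
        for user in sorted(members):
            s = status.get((user, group))
            if s == "enabled":
                continue
            reason = {"disabled": "assignment expired (effectiveStatus=disabled), user still in group",
                      None: "no midPoint assignment for this group"}[s]
            findings.append((user, group, reason))
    return findings


if __name__ == "__main__":
    now = parse_utc("2020-10-30T10:19:29Z")  # constructed reference time
    for user, group, reason in stale_memberships(ASSIGNMENTS, ROLE_TO_GROUP, AD_MEMBERS, now):
        print(f"{user}\t{group}\t{reason}")
```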
On Fri 16. 10. 2020 at 13:16 Pascal PÉRICHON via midPoint <
midpoint at lists.evolveum.com> wrote:
> this task could be a good start:
>
> <task>
>   <name>task suppress Assignement ETUDIANT-LICENCE</name>
>   <extension>
>     <scext:executeScript
>         xmlns:scext="http://midpoint.evolveum.com/xml/ns/public/model/scripting/extension-3"
>         xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>         xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>         xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:api="http://midpoint.evolveum.com/xml/ns/public/common/api-types-3"
>         xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>         xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>         xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
>       <!-- select the users whose assignment should be removed -->
>       <s:search>
>         <s:type>c:UserType</s:type>
>         <s:query>
>           <q:filter>
>             <q:and>
>               <q:equal>
>                 <q:path>subtype</q:path>
>                 <q:value>ETUDIANT-DOCTORAT</q:value>
>               </q:equal>
>               <q:substring>
>                 <q:matching>polyStringNorm</q:matching>
>                 <q:path>name</q:path>
>                 <q:value>a</q:value>
>                 <q:anchorStart>true</q:anchorStart>
>               </q:substring>
>               <q:equal>
>                 <q:path>c:assignment/targetRef/@/name</q:path>
>                 <q:value>etudiants-cursus-doctorat</q:value>
>               </q:equal>
>               <!--q:org>
>                 <q:orgRef>
>                   <q:oid>u75-etudiants-cursus-licence</q:oid-->
>               <!--q:oid>u75-etudiants-cursus-master</q:oid-->
>               <!--q:oid>u75-etudiants-cursus-doctorat</q:oid-->
>               <!--/q:orgRef>
>                 <q:maxDepth>unbounded</q:maxDepth>
>               </q:org-->
>             </q:and>
>           </q:filter>
>         </s:query>
>         <!-- for each matching user, delete the assignment pointing at the role -->
>         <s:action>
>           <s:type>modify</s:type>
>           <s:parameter>
>             <s:name>delta</s:name>
>             <c:value xsi:type="t:ObjectDeltaType">
>               <t:changeType>modify</t:changeType>
>               <t:itemDelta>
>                 <t:modificationType>delete</t:modificationType>
>                 <t:path>c:assignment</t:path>
>                 <t:value xsi:type="c:AssignmentType">
>                   <targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:RoleType"/>
>                   <!--targetRef oid="u75-etudiants-cursus-doctorat" relation="org:default" type="c:OrgType"/-->
>                 </t:value>
>               </t:itemDelta>
>             </c:value>
>           </s:parameter>
>         </s:action>
>       </s:search>
>     </scext:executeScript>
>   </extension>
>   <ownerRef oid="00000000-0000-0000-0000-000000000002"/>
>   <executionStatus>runnable</executionStatus>
>   <category>BulkActions</category>
>   <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/scripting/handler-3</handlerUri>
>   <recurrence>single</recurrence>
> </task>
>
> On 16/10/2020 at 12:46, Lubomir Odlevak via midPoint wrote:
>
> Hello all,
>
> I have assigned a role to an MP user and set Activation valid-to on this
> assignment. The role has been assigned in MP and AD successfully.
> When the valid-to time has been exceeded, I have run user reconciliation (or
> the validity task) and effectiveStatus has been set to "disabled" for the
> assignment.
> Both the mP role and the AD role are still assigned. Now I'm trying to unassign the role
> assignment from the MP user (manually or with a hook), but it is not removed in
> AD and the user is still a member of that AD group. How can I achieve it?
> How to unassign an assignment with effectiveStatus="disabled" and propagate
> this change to AD and remove the user from the AD group?
>
> btw: Unassignments with effective status set to "enabled" are unassigned
> properly in AD.
> Tested on mP 3.8 and 4.1.
>
> Regards
> Lubomir Odlevak
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>