[midPoint] How to blank out user properties?
Pálos Gustáv
gustav.palos at gmail.com
Tue Jan 19 17:06:15 CET 2021
Hi All,
we found a solution over global user object template like this:
<mapping>
<name>cleaning attribute after source shadow is dead/missing</name>
<strength>strong</strength>
<expression>
<script>
<code>
return null;
</code>
</script>
</expression>
<target>
<c:path>$focus/extension/attributeToClean</c:path>
<set>
<condition>
<runAsRef oid="00000000-0000-0000-0000-000000000002"/>
<script>
<code>
shadow = midpoint.getLinkedShadow(user,
"bd573a6b-fb00-433b-8d4e-532422bc6487", true);
if (shadow != null && shadow?.exists) {
return false;
}
return true;
</code>
</script>
</condition>
</set>
</target>
</mapping>
Best regards,
Gustav
st 8. 7. 2020 o 15:40 Jason Everling <jeverling at bshp.edu> napísal(a):
> I guess it goes, every environment is different, just a little additions
> to turn it into a task, see attached, the formatting kept going screwy if I
> pasted. You can go in and schedule it after you import or add the schedule
> info to the xml.
>
>
> On Tue, Jul 7, 2020 at 2:53 PM Richard Frovarp <richard.frovarp at ndsu.edu>
> wrote:
>
>> The value wasn't being reapplied. It looks like empty strings aren't
>> null, and I am not quite able to get null to work. I need to come up with a
>> more elegant solution, but I was able to find something that works:
>>
>> <s:search xmlns:s="
>> http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
>> xmlns:c="
>> http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>> xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>> <http://www.w3.org/2001/XMLSchema-instance>;
>> <s:type>UserType</s:type>
>> <s:searchFilter>
>> <q:greater>
>> <q:path>extension/ndsuPrimaryJobDepartment</q:path>
>> <q:value></q:value>
>> </q:greater>
>> </s:searchFilter>
>> <s:action>
>> <s:type>execute-script</s:type>
>> <s:parameter>
>> <s:name>script</s:name>
>> <c:value xsi:type="ScriptExpressionEvaluatorType">
>> <c:code>
>> import
>> com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowType
>> import
>> com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
>> import com.evolveum.midpoint.prism.path.ItemPath
>>
>> refs = input?.getLinkRef()
>> for (ref in refs) {
>> try {
>> shadow = midpoint.getObject(ShadowType.class, ref.getOid())
>> } catch (Exception e) {
>> log.info('DEAD SHADOW {}', input.name)
>> continue
>> }
>>
>> if (shadow.getResourceRef().getOid() ==
>> '5f1cc34a-2b27-4ae1-9989-3960e2e311f4') {
>> return
>> }
>> }
>> path = ItemPath.create(UserType.F_EXTENSION,
>> 'ndsuPrimaryJobDepartment')
>> delta =
>> midpoint.prismContext.deltaFactory().object().createModificationDeleteProperty(UserType.class,
>> input.getOid(), path, basic.getPropertyValue(input,
>> "extension/ndsuPrimaryJobDepartment"))
>> midpoint.executeChanges(delta)
>>
>> path = ItemPath.create(UserType.F_EXTENSION,
>> 'ndsuPrimaryJobTitle')
>> titleDelta =
>> midpoint.prismContext.deltaFactory().object().createModificationDeleteProperty(UserType.class,
>> input.getOid(), path, basic.getPropertyValue(input,
>> "extension/ndsuPrimaryJobTitle"))
>> midpoint.executeChanges(delta)
>>
>> </c:code>
>> </c:value>
>> </s:parameter>
>> </s:action>
>> </s:search>
>>
>> Feels like I'm doing things sub-optimal. Between your examples and the
>> Grouper bits I was able to get enough figured out. Like I said, this works.
>> They only way they disappear from the resource is on a reconcile, so having
>> this run in a task later is fine. I think my dead shadows are from earlier
>> tests where I didn't get the right synchronization for removal quickly
>> enough.
>>
>> Now I need to figure out how to turn this into a bulk action task of some
>> sort.
>>
>> On Thu, 2020-07-02 at 16:58 -0500, Jason Everling wrote:
>>
>> Yep, my weekend starts here in a few! even though i've been working at
>> home for 4 months now :D
>>
>> You could be hitting my age old bug as well, check the history tab on the
>> user to make sure the value isn't being re-applied, I was about right, the
>> last time we used it was 3.2 and this was reported in 3.1 when it was doing
>> the same thing for us,
>> https://jira.evolveum.com/browse/MID-2100
>>
>>
>>
>>
>> On Thu, Jul 2, 2020 at 4:27 PM Richard Frovarp <richard.frovarp at ndsu.edu>
>> wrote:
>>
>> <mapping>
>> <description>Clean out title</description>
>> <strength>strong</strength>
>> <target>
>> <path>$user/extension/ndsuPrimaryJobTitle</path>
>> </target>
>> <expression>
>> <script>
>> <code>null</code>
>> </script>
>> </expression>
>> </mapping>
>>
>> It's not clear how midPoint interprets empty strings to me. Hence using
>> the script to do an explicit null.
>>
>> I can give what you provided a try next week. I'm about to start the
>> weekend. Thank you for the help. Thank you for providing your examples,
>> they have been helpful to us getting going (I just found your bulk actions
>> item, which is helpful). Once I have something more complicated than
>> importing names, I'll start to try to contribute back with what we have
>> working.
>>
>> Have a great 4th!
>>
>>
>>
>> On Thu, 2020-07-02 at 16:18 -0500, Jason Everling wrote:
>>
>> So can you post what you have for the deleted template action? You also
>> have that set under the resource for deleted? I just checked, and a long
>> time ago we did something similar for accounts removed from a resource,
>> although we don't anymore but that was on 3.2 and should still work, i
>> don't see why not unless its bug, try the below, i pulled from an old
>> 'delete' template on our private repo from an old resource we had years ago
>>
>> <mapping>
>> <authoritative>true</authoritative>
>> <strength>strong</strength>
>> <expression>
>> <value>''</value>
>> </expression>
>> <target>
>> <path>extension/ndsuPrimaryJobTitle</path>
>> </target>
>> </mapping>
>>
>>
>>
>>
>> On Thu, Jul 2, 2020 at 4:09 PM Richard Frovarp <richard.frovarp at ndsu.edu>
>> wrote:
>>
>> Thanks. I've started work down the bulk actions path. Which is perhaps
>> less than ideal, but I think I understand it, and I will have operations
>> later that will require it. I can follow your more elegant solution after I
>> have something working. I don't quite have all of the affiliations
>> populated yet right now. I figured that setting and clearing a single value
>> attribute from a single source would be the easiest thing to start with.
>> Affiliations come after I have this working.
>>
>> On Thu, 2020-07-02 at 15:55 -0500, Jason Everling wrote:
>>
>> :/ ive been updating some of our logstash stuff, should be != faculty and
>> != staff
>> JASON
>>
>>
>> On Thu, Jul 2, 2020 at 3:49 PM Jason Everling <jeverling at bshp.edu> wrote:
>>
>> Gotcha, I just put together a quick example for an idea, you can also go
>> with if affiliation == student && not == faculty || affiliation == student
>> && not == staff || etc...
>>
>> for the assignments, you would write the script to get all assignments
>> then if your resource doesn't exist apply mapping, there is a midpoint
>> function for it, we used something similar for a bulk task, ill find it on
>> my prod git repo, its back there in time,
>>
>> someone else might be able to chime in sooner
>>
>>
>>
>> On Thu, Jul 2, 2020 at 2:13 PM Richard Frovarp <richard.frovarp at ndsu.edu>
>> wrote:
>>
>> But students can be employed. I need it so that if they aren't in that
>> resource, they are removed. You're earlier example makes some sense, but I
>> don't have a deep enough understanding of midPoint to fully implement it.
>> Error complains about the source of $user/assignments. I'm on 4.1 and it
>> looks like that may have changed some, but I can't quite figure out how.
>>
>> Kind of frustrated as this seems like it should be a basic operation, and
>> it's the one thing stopping me from going further. I don't want a mess of
>> stale data in a brand new system a day after it goes up.
>>
>> I've been looking at queries and bulk actions, but I can't figure out how
>> to find all users that aren't referenced by a resource. I can find all in
>> the resource, and all that have a resource that isn't it (which is all of
>> the users as names are pulled in from a different resource). What is a one
>> minute query in raw SQL is beyond my understanding here right now.
>>
>> On Thu, 2020-07-02 at 13:15 -0500, Jason Everling wrote:
>>
>> Also this in the default template, if return null; doesn’t work you could
>> also go with return ‘’; . So many different ways to do it without relying
>> on a deleted template
>>
>>
>>
>> <mapping>
>>
>> <description>Clean out department</description>
>>
>> <strength>strong</strength>
>>
>> <source>
>>
>> <path>$user/extension/your_affiliation</path>
>>
>> </source>
>>
>> <target>
>>
>> <path>$user/extension/ndsuPrimaryJobTitle</path>
>>
>> </target>
>>
>> <expression>
>>
>> <script>
>>
>> <code>
>>
>> if (affiliation == ‘student’) {
>>
>> return null;
>>
>> }
>>
>> </code>
>>
>> </script>
>>
>> </expression>
>>
>> </mapping>
>>
>>
>>
>>
>>
>> *From: *Jason Everling <jeverling at bshp.edu>
>> *Sent: *Thursday, July 2, 2020 1:06 PM
>> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
>> *Subject: *RE: [midPoint] How to blank out user properties?
>>
>>
>>
>> ** only if the resource isn’t assigned?*
>>
>>
>>
>> *From: *Jason Everling <jeverling at bshp.edu>
>> *Sent: *Thursday, July 2, 2020 1:04 PM
>> *To: *midPoint General Discussion <midpoint at lists.evolveum.com>
>> *Subject: *RE: [midPoint] How to blank out user properties?
>>
>>
>>
>> What about just a regular mapping in the default user template with a
>> condition strong that gets applied and only if the resource is assigned?
>>
>>
>>
>> <mapping>
>>
>> <description>Clean out department</description>
>>
>> <strength>strong</strength>
>>
>> <source>
>>
>> <path>$user/assignments</path>
>>
>> </source>
>>
>> <target>
>>
>> <path>$user/extension/ndsuPrimaryJobTitle</path>
>>
>> </target>
>>
>> <expression>
>>
>> <script>
>>
>> <code>
>>
>> if (assignment != your resource) {
>>
>> return null;
>>
>> }
>>
>> </code>
>>
>> </script>
>>
>> </expression>
>>
>> </mapping>
>>
>>
>>
>>
>>
>> *From: *Richard Frovarp <richard.frovarp at ndsu.edu>
>> *Sent: *Thursday, July 2, 2020 12:56 PM
>> *To: *midpoint at lists.evolveum.com
>> *Subject: *Re: [midPoint] How to blank out user properties?
>>
>>
>>
>> I've seen your archive example. I wasn't completely clear. I don't want
>> to archive the old value. I just want it gone. I want to keep the user
>> object though. So if I were to leave NDSU, we would want there to still be
>> the name, employee number, etc to remain. But my title would no longer
>> apply. A bigger deal if I were to become a student, we wouldn't want my job
>> title applied to my AD object for instance as it wouldn't be applicable.
>> Just trying to get the value back to null.
>>
>>
>>
>> On Thu, 2020-07-02 at 12:22 -0500, Jason Everling wrote:
>>
>> So what I can read from, you want to archive the old value? We do this
>> for various attributes when they are changed, see here, I had added it to
>> the midpoint samples a while back, it will take the old value which was
>> previously set and then add it to a custom schema attribute for archival
>> history, such as a username change, level change, affiliation, etc..
>>
>>
>>
>>
>> https://github.com/evolveum/midpoint-samples/blob/master/samples/contrib/bshp/objects/objectTemplates/Includes%20-%20Archiving.xml
>>
>>
>>
>> *From: *Richard Frovarp <richard.frovarp at ndsu.edu>
>> *Sent: *Thursday, July 2, 2020 11:13 AM
>> *Subject: *[midPoint] How to blank out user properties?
>>
>>
>>
>> I'm reading a list of our employees from a DB through a
>>
>> DatabaseTableConnector resource. As part of that process I'm setting a
>>
>> custom schema element that is their title. That's fine. However, when
>>
>> they are no longer employed, they disappear from the database table.
>>
>>
>>
>> So I'm trying to blank out the title property, since if they aren't
>>
>> employed anymore, they don't have a title. We want to keep historic
>>
>> records, and they may still be a student, which we wouldn't populate a
>>
>> title.
>>
>>
>>
>> How does one go about doing this? It was suggested using an object
>>
>> template on the deleted situation, but that doesn't appear to be
>>
>> working.
>>
>>
>>
>> Resource:
>>
>>
>>
>> <reaction>
>>
>> <situation>deleted</situation>
>>
>> <synchronize>true</synchronize>
>>
>> <action>
>>
>> <handlerUri>http://midpoint.evolveum.com/xml/ns/public/model/action
>>
>> -3#unlink</handlerUri>;
>>
>> </action>
>>
>> <objectTemplateRef oid="5b23b0d3-0740-47a1-932d-c5a4ab513bc4" />
>>
>> </reaction>
>>
>>
>>
>> User Template:
>>
>>
>>
>> <mapping>
>>
>> <description>Clean out department</description>
>>
>> <strength>strong</strength>
>>
>> <target>
>>
>> <path>$user/extension/ndsuPrimaryJobTitle</path>
>>
>> </target>
>>
>> <expression>
>>
>> <script>
>>
>> <code>null</code>
>>
>> </script>
>>
>> </expression>
>>
>> </mapping>
>>
>>
>>
>> No errors are thrown, it's just that the title element remains populate
>>
>> with the last know value when the user is deleted from the resource.
>>
>>
>>
>> Thanks,
>>
>> Richard
>>
>> _______________________________________________
>>
>> midPoint mailing list
>>
>> midPoint at lists.evolveum.com
>>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>> _______________________________________________
>>
>> midPoint mailing list
>>
>> midPoint at lists.evolveum.com
>>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>>
>> midPoint mailing list
>>
>> midPoint at lists.evolveum.com
>>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> _______________________________________________
>>
>> midPoint mailing list
>>
>> midPoint at lists.evolveum.com
>>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> _______________________________________________
>>
>> midPoint mailing list
>>
>> midPoint at lists.evolveum.com
>>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> _______________________________________________
>>
>> midPoint mailing list
>>
>> midPoint at lists.evolveum.com
>>
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
--
s pozdravom
Gustáv Pálos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20210119/c2ae34dd/attachment-0001.htm>
More information about the midPoint
mailing list