[midPoint] Automatically disable users outside the validity range
Luca Verardo
luca at verardo.ch
Thu Feb 24 13:43:42 CET 2022
Thank you everyone, it worked by replacing administrativeStatus with effectiveStatus. It is indeed computed automatically!
Have a great day!
Best regards,
Luca
On Thursday, February 24, 2022 12:56 CET, "Rainer Herbst" <rainer.herbst at aip.de> wrote:
Yes, I think if you replace the administrativeStatus by effectiveStatus in
the activation section of your resource description, it should work.
In my LDAP resource (DS389), I have two outbound mappings for disabled and
enabled users, so it looks a little bit complicated:
<activation>
    <administrativeStatus>
        <outbound>
            <strength>strong</strength>
            <name>Disable</name>
            <expression>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                        ActivationStatusType.DISABLED;
                    </code>
                </script>
            </expression>
            <condition>
                <variable>
                    <name>identityEffectiveStatus</name>
                    <c:path>$focus/activation/effectiveStatus</c:path>
                </variable>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                        // disabled identity must always have all linked accounts DISABLED (strong)
                        identityEffectiveStatus != ActivationStatusType.ENABLED;
                    </code>
                </script>
            </condition>
        </outbound>
        <outbound>
            <strength>strong</strength>
            <name>Enable</name>
            <expression>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                        ActivationStatusType.ENABLED;
                    </code>
                </script>
            </expression>
            <condition>
                <variable>
                    <name>identityEffectiveStatus</name>
                    <c:path>$focus/activation/effectiveStatus</c:path>
                </variable>
                <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:type="c:ScriptExpressionEvaluatorType">
                    <code>
                        import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                        // enabled identity has its linked accounts ENABLED (strong)
                        identityEffectiveStatus == ActivationStatusType.ENABLED;
                    </code>
                </script>
            </condition>
        </outbound>
    </administrativeStatus>
</activation>
On Thu, 24 Feb 2022 12:11:53 +0100
Luca Verardo <luca at verardo.ch> wrote:
> Hello!
>
> Thank you for your answer.
>
> Currently I use the administrativeStatus to enable or disable the
> user (it is synced to an LDAP backend)
>
> Therefore, if I understood correctly, I should also sync
> effectiveStatus to the LDAP backend, is that correct?
>
>
> Best regards,
> Luca Verardo
>
>> On 24 Feb 2022, at 12:06, Rainer Herbst <rainer.herbst at aip.de> wrote:
>>
>> Hi!
>>
>> In my understanding, midPoint handles the "effectiveStatus"
>> automatically - i.e. if a user has reached his "validTo", the
>> effectiveStatus is calculated.
>>
>> If you set the "administrativeStatus", it will overcome the validTo
>> rule, i.e. even after validTo, the user will be valid. You should not
>> set this administrativeStatus without need.
>>
>> HTH!
>> Rainer
>>
>>> On Thu, 24 Feb 2022 11:30:24 +0100
>>> Luca Verardo via midPoint <midpoint at lists.evolveum.com> wrote:
>>> Dear Evolveum community,
>>> I'm looking to execute a recurring task that will check the user's
>>> validity range (Valid To or Valid From) and disable users accordingly
>>> using today's date.
>>> I've searched for some examples, but I was unable to succeed with
>>> the implementation.
>>> Are tasks the correct direction? If yes, does someone have an
>>> example of how I could do it?
>>> Thanks a lot in advance.
>>> Best regards,
>>
>> Best regards
>>
>> Rainer Herbst
>> Head of IT Services
>> Phone: +49 331 7499-257
>> e-mail: rainer.herbst at aip.de
>> https://www.aip.de
>>
>> -----------------------------------------------------------------------------------------------
>> Leibniz-Institut für Astrophysik Potsdam (AIP)
>> An der Sternwarte 16, 14482 Potsdam
>>
>> Executive Board: Prof. Dr. Matthias Steinmetz, Wolfram Rosenbach
>> Foundation under civil law
>> Brandenburg register of foundations: 26 742-00/7026
>> -----------------------------------------------------------------------------------------------
>
Best regards
Rainer Herbst
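Added example, not part of the original thread and not midPoint code: a simplified Python model of the precedence Rainer describes (an explicit administrativeStatus wins over validFrom/validTo), used to audit user records for accounts that stay enabled outside their validity range. The record fields, the `ldapEnabled` flag, the function names and the sample users are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def outside_validity(user, now):
    """True if 'now' is before validFrom or after validTo (a missing bound is open)."""
    vf, vt = user.get("validFrom"), user.get("validTo")
    return (vf is not None and now < vf) or (vt is not None and now > vt)

def effective_status(user, now):
    """Simplified model of the rule in the thread, not midPoint's implementation."""
    admin = user.get("administrativeStatus")
    if admin is not None:
        return admin  # explicit value overrides the validity window
    return "DISABLED" if outside_validity(user, now) else "ENABLED"

def audit(users, now):
    """Return (name, finding) pairs for identities that need review."""
    findings = []
    for u in users:
        eff = effective_status(u, now)
        if eff == "ENABLED" and outside_validity(u, now):
            # Stays valid past validTo because administrativeStatus was set by hand.
            findings.append((u["name"], "administrativeStatus overrides validity"))
        elif eff != "ENABLED" and u["ldapEnabled"]:
            # What a mapping sourced from administrativeStatus leaves behind.
            findings.append((u["name"], "LDAP account enabled but identity is not"))
    return findings

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data (hypothetical users and dates).
NOW = day(2022, 2, 24)
USERS = [
    {"name": "alice", "validTo": day(2022, 1, 31), "ldapEnabled": True},
    {"name": "bob", "administrativeStatus": "ENABLED",
     "validTo": day(2021, 12, 31), "ldapEnabled": True},
    {"name": "carol", "validTo": day(2022, 12, 31), "ldapEnabled": True},
    {"name": "dave", "validFrom": day(2022, 3, 1), "ldapEnabled": False},
]

if __name__ == "__main__":
    for name, finding in audit(USERS, NOW):
        print(f"{name}: {finding}")
```
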