[midPoint] notification with policyRule / policyActions
Yakov Revyakin
yrevyakin at gmail.com
Wed Jul 5 22:02:36 CEST 2023
Pavol, no problems.
I implemented what I needed, but I think the approach is not ideal. I can't
change runAsRef dynamically to run the expression under a tenant user. So, I
filter users programmatically in the script. The code below is a part of
the user archetype. The policyRule is triggered by the transition of an unknown
administrativeStatus to enabled/disabled.
<inducement>
    <policyRule>
        <policyConstraints>
            <transition>
                <!-- stateBefore false / stateAfter true: the object state below
                     did not hold before the change and holds after it -->
                <stateBefore>false</stateBefore>
                <stateAfter>true</stateAfter>
                <constraints>
                    <objectState>
                        <!-- an equal filter with no value matches an empty item,
                             so "not equal" matches a non-null administrativeStatus -->
                        <filter>
                            <q:not>
                                <q:equal>
                                    <q:path>activation/administrativeStatus</q:path>
                                </q:equal>
                            </q:not>
                        </filter>
                    </objectState>
                </constraints>
            </transition>
        </policyConstraints>
        <policyActions>
            <scriptExecution>
                <!-- runs as administrator, so the search in the script is not
                     limited by tenancy; tenant scoping is enforced in the script -->
                <runAsRef oid="00000000-0000-0000-0000-000000000002" />
                <object>
                    <currentObject/>
                </object>
                <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                    <s:notify>
                        <s:handler>
                            <generalNotifier>
                                <recipientExpression>
                                    <script>
                                        <code>
import com.evolveum.midpoint.prism.PrismObjectValue
import com.evolveum.midpoint.prism.query.ObjectQuery
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

// tenant of the user whose administrativeStatus just changed
UserType focus = (UserType) ((PrismObjectValue) event.object).asObjectable()
String focusTenantOid = focus.getTenantRef()?.getOid()

// generics omitted: angle brackets would have to be escaped inside XML
Set notifyTo = new HashSet()
if (focusTenantOid == null) {
    // no tenant on the focus: nobody to scope the notification to
    return notifyTo
}

// admins holding the tenant-based authorization role
ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
        .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
        .build()

// the search runs as administrator and returns users of all tenants,
// so keep only those from the same tenant as the focus
for (UserType user : midpoint.searchObjects(UserType.class, query)) {
    String email = user.getEmailAddress()
    if (email != null &amp;&amp; user.getTenantRef()?.getOid() == focusTenantOid) {
        notifyTo.add(email)
    }
}
return notifyTo
                                        </code>
                                    </script>
                                </recipientExpression>
                                <bodyExpression>
                                    <script>
                                        <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#velocity</language>
                                        <code>$event.object acquired a direct Administrative status</code>
                                    </script>
                                </bodyExpression>
                                <transport>file</transport>
                                <transport>mail</transport>
                            </generalNotifier>
                        </s:handler>
                    </s:notify>
                </executeScript>
            </scriptExecution>
        </policyActions>
    </policyRule>
    <focusType>UserType</focusType>
</inducement>
On Thu, 29 Jun 2023 at 16:15, Pavol Mederly via midPoint <midpoint at lists.evolveum.com> wrote:
> Yakov,
>
> I am sorry, but - in general - we developers do not answer questions here
> on the list. I try to give general answers where I can do that quickly, or
> where it is well-aligned with my daily development work.
>
> So, unfortunately, I cannot help you with your further questions.
>
> I hope someone from the community could do that; ... or, our professional
> consultancy services would welcome you :)
>
> Best regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 29/06/2023 15:06, Yakov Revyakin via midPoint wrote:
>
> Hi Pavol,
> I agree - looks really tricky. While I'm trying to understand what
> exactly happens there, could you answer another related question?
>
> I found that there is a <notify/> action under
> policyActions/scriptExecution/executeScript which is configurable in a
> clear way.
> But I found that I can't execute this correctly under a tenant user. To
> execute the notify action we need full access like superuser - see the 1st
> runAsRef. In this case recipientExpression ignores the tenancy limitation
> during the user search in the script below. So, we need a 2nd runAsRef to run the
> script as the currently logged-in user, which is a user of the current tenant.
> In the case of a static oid of this user, things work fine - the script returns
> only users from this tenant. I simply can't write the xml for the dynamic case.
> Could you help?
>
> <policyActions>
>     <scriptExecution>
>         <runAsRef oid="00000000-0000-0000-0000-000000000002" />
>         <object>
>             <currentObject/>
>         </object>
>         <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
>             <s:notify>
>                 <s:handler>
>                     <generalNotifier>
>                         <recipientExpression>
>                             <!-- static approach works - oid of current logged in user -->
>                             <runAsRef oid="d94e7fdc-0935-4b51-9205-6417a598f235" />
>
>                             <!-- but how to arrange dynamic?
>                             <runAsRef>
>                                 <filter>
>                                     <q:ref>
>                                         <q:path> ??????????? </q:path>
>                                         <expression>
>                                             <script>
>                                                 <code>
>                                                     import com.evolveum.midpoint.schema.util.ObjectTypeUtil
>
>                                                     return [ObjectTypeUtil.createOidOnlyObjectRef(actor)]
>                                                 </code>
>                                             </script>
>                                         </expression>
>                                     </q:ref>
>                                 </filter>
>                             </runAsRef>
>                             -->
>
>                             <script>
>                                 <code>
>                                     import ....
>
>                                     HashSet notifyTo = new HashSet()
>
>                                     // look for admins with tenant-based authorization role assigned
>                                     ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
>                                             .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
>                                             .build()
>                                     // if search is running under tenant user (current logged in user)
>                                     // returns users from this tenant only
>                                     for (UserType user : midpoint.searchObjects(UserType.class, query)) {
>                                         String email = user.getEmailAddress()
>                                         if (email != null) {
>                                             notifyTo.add(email)
>                                         }
>                                     }
>
>                                     return notifyTo
>                                 </code>
>                             </script>
>                         </recipientExpression>
>
>                         <bodyExpression>
>                             ....
>                         </bodyExpression>
>
>                         <transport>file</transport>
>                     </generalNotifier>
>                 </s:handler>
>             </s:notify>
>         </executeScript>
>     </scriptExecution>
> </policyActions>
>
> On Thu, 29 Jun 2023 at 14:01, Pavol Mederly via midPoint <midpoint at lists.evolveum.com> wrote:
>
>> Hello Yakov,
>>
>> this one is highly experimental; and the documentation is probably
>> waiting for a sponsor (i.e., a customer needing it).
>>
>> However, as usual, I'd suggest searching through midPoint test sources.
>> Each feature (even experimental ones, at least the majority of them) should
>> have some tests created for it.
>>
>> This one is no exception, although trickier than usual. It seems to
>> me that TestRbac.test870AssignRoleScreaming would provide some hints.
>>
>> Regards,
>>
>> --
>> Pavol Mederly
>> Software developer
>> evolveum.com
>>
>> On 27/06/2023 07:21, Yakov Revyakin via midPoint wrote:
>>
>> Any ideas?
>>
>> On Thu, 15 Jun 2023 at 09:54, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>>
>>> Hi all,
>>> It's not clear whether it is currently possible to use <notification> as a policy
>>> action.
>>>
>>> <policyActions>
>>> <notification>
>>> <???????>
>>> </notification>
>>> </policyActions>
>>>
>>> Is there any sample of how to deal with this?
>>>
>>> Or, maybe, an alternative way? Actually, I'd like to notify if a
>>> transition based on objectState is triggered.
>>>
>>> Thanks,
>>> Yakov
>>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
>>
>