[midPoint] notification with policyRule / policyActions

Yakov Revyakin yrevyakin at gmail.com
Thu Jun 29 15:06:18 CEST 2023


Hi Pavol,
I agree - it looks really tricky. While I'm trying to understand what
exactly happens there, could you answer another related question?

I found that there is a <notify/> action under
policyActions/scriptExecution/executeScript which is configurable in a
clear way.
But I found that I can't execute this correctly under a tenant user. To
execute the notify action we need full access like a superuser - see the 1st
runAsRef. In this case recipientExpression ignores the tenancy limitation
during the user search in the script below. So we need a 2nd runAsRef to run the
script as the currently logged-in user, who is a user of the current tenant.
In the case of a static oid of this user things work fine - the script returns
only users from this tenant. I simply can't write the XML for the dynamic case.
Could you help?

<policyActions>
    <scriptExecution>
        <runAsRef oid="00000000-0000-0000-0000-000000000002" />
        <object>
            <currentObject/>
        </object>
        <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
            <s:notify>
                <s:handler>
                    <generalNotifier>
                        <recipientExpression>
                            <!-- static approach works - oid of current logged in user -->
                            <runAsRef oid="d94e7fdc-0935-4b51-9205-6417a598f235" />

                            <!-- but how to arrange dynamic?
                            <runAsRef>
                                <filter>
                                    <q:ref>
                                        <q:path> ??????????? </q:path>
                                        <expression>
                                            <script>
                                                <code>
                                                    import com.evolveum.midpoint.schema.util.ObjectTypeUtil

                                                    return [ObjectTypeUtil.createOidOnlyObjectRef(actor)]
                                                </code>
                                            </script>
                                        </expression>
                                    </q:ref>
                                </filter>
                            </runAsRef>
                            -->

                            <script>
                                <code>
                                    import ....

                                    HashSet notifyTo = new HashSet()

                                    // look for admins with tenant-based authorization role assigned
                                    ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
                                            .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
                                            .build()
                                    // if search is running under tenant user (current logged in user),
                                    // returns users from this tenant only
                                    for (UserType user : midpoint.searchObjects(UserType.class, query)) {
                                        String email = user.getEmailAddress()
                                        if (email != null) {
                                            notifyTo.add(email)
                                        }
                                    }

                                    return notifyTo
                                </code>
                            </script>
                        </recipientExpression>

                        <bodyExpression>
                            ....
                        </bodyExpression>

                        <transport>file</transport>
                    </generalNotifier>
                </s:handler>
            </s:notify>
        </executeScript>
    </scriptExecution>
</policyActions>

On Thu, 29 Jun 2023 at 14:01, Pavol Mederly via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hello Yakov,
>
> this one is highly experimental; and the documentation is probably waiting
> for a sponsor (i.e., a customer needing it).
>
> However, as usual, I'd suggest searching through midPoint test sources.
> Each feature (even experimental ones, at least the majority of them) should
> have some tests created for it.
>
> This one is no exception, although trickier than usual. It seems to
> me that TestRbac.test870AssignRoleScreaming would provide some hints.
>
> Regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com
>
> On 27/06/2023 07:21, Yakov Revyakin via midPoint wrote:
>
> Any ideas?
>
> On Thu, 15 Jun 2023 at 09:54, Yakov Revyakin <yrevyakin at gmail.com> wrote:
>
>> Hi all,
>> It's not clear whether it is currently possible to use <notification> as a
>> policy action.
>>
>>             <policyActions>
>>                 <notification>
>>                     <???????>
>>                 </notification>
>>             </policyActions>
>>
>> Is there any sample of how to deal with this?
>>
>> Or, maybe, an alternative way? Actually, I'd like to notify if a
>> transition based on objectState is triggered.
>>
>> Thanks,
>> Yakov
>>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
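The thread's concern is that a recipient search executed under the superuser runAsRef ignores the tenant boundary, so whether the notification leaks addresses from other tenants depends entirely on which principal the script happens to run as. The following Groovy recipientExpression script is an added example written for this archive page, not code from the thread or from the midPoint project. It restricts the search to the acting user's tenant inside the query itself, so the result set is tenant-scoped regardless of the run-as principal. It assumes (none of which the thread confirms) that the notifier script can see midPoint's `actor` variable (the commented-out snippet above already refers to it), that tenant users carry `tenantRef`, that the standard `log` script variable is available, and that the role oid from the thread is the tenant-admin role. It does not answer the open question of how to express a dynamic runAsRef; it is a complementary check that holds even if that part is misconfigured.

```groovy
// Added example (not from the thread): tenant-scoped recipient resolution for a
// generalNotifier recipientExpression. Assumed: `actor` and `log` are available
// in this script context, users carry ObjectType.tenantRef.
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
import com.evolveum.midpoint.prism.query.ObjectQuery

// oid of the tenant-admin role used in the thread
def ROLE_OID = "00506aa0-b76c-42f8-b82c-43080f76c58a"

// Tenant of the user who triggered the policy rule. If the actor has no tenant
// (e.g. a global administrator), send nothing instead of falling back to a
// tenant-less query that would span every tenant.
def actorTenantOid = actor?.tenantRef?.oid
if (actorTenantOid == null) {
    log.warn("Recipient expression: actor {} has no tenantRef, notifying nobody", actor?.name)
    return []
}

// Both conditions live in the query: role membership AND same tenant as the actor.
ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
        .item(UserType.F_ROLE_MEMBERSHIP_REF).ref(ROLE_OID)
        .and().item(ObjectType.F_TENANT_REF).ref(actorTenantOid)
        .build()

Set<String> notifyTo = new HashSet<>()
for (UserType user : midpoint.searchObjects(UserType.class, query)) {
    // Defence in depth: re-check the tenant on every returned object, so a
    // too-permissive run-as principal still cannot widen the recipient list.
    if (user.tenantRef?.oid != actorTenantOid) {
        continue
    }
    String email = user.emailAddress
    if (email != null && !email.trim().isEmpty()) {
        notifyTo.add(email)
    }
}

return notifyTo
```

The explicit `tenantRef` condition is what makes the outer `runAsRef` a convenience rather than a security control: with the superuser principal the query still returns only the actor's tenant, and with a tenant user principal the authorization layer and the query agree. Returning an empty list for a tenant-less actor is the conservative choice; if global administrators should be notified about every tenant, that case needs its own deliberate branch rather than an accidental unscoped search.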