[midPoint] notification with policyRule / policyActions
Pavol Mederly
mederly at evolveum.com
Thu Jun 29 15:15:00 CEST 2023
Yakov,
I am sorry, but - in general - we developers do not answer questions
here on the list. I try to give general answers where I can do that
quickly, or where it is well-aligned with my daily development work.
So, unfortunately, I cannot help you with your further questions.
I hope someone from the community could do that; ... or, our
professional consultancy services would welcome you :)
Best regards,
--
Pavol Mederly
Software developer
evolveum.com
On 29/06/2023 15:06, Yakov Revyakin via midPoint wrote:
> Hi Pavol,
> I agree - looks really tricky. Till I'm trying to understand what
> exactly happens there, could you answer another related question?
>
> I found that there is <notify/> action under
> policyActions/scriptExecution/executeScript which is configurable in a
> clear way.
> But found that I can't execute this correctly under a tenant user. To
> execute notify action we need full access like superuser - see 1st
> runAsRef. In this case recipientExpression ignores tenancy limitation
> during user search in the script below. So, we need 2nd runAsRef to
> run the script by the current logged in user which is a user of the
> current tenant. In case of static oid of this user things work fine -
> the script returns only users from this tenant. I simply can't write
> xml for dynamic case. Could you help?
>
> <policyActions>
>   <scriptExecution>
>     <runAsRef oid="00000000-0000-0000-0000-000000000002"/>
>     <object>
>       <currentObject/>
>     </object>
>     <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
>       <s:notify>
>         <s:handler>
>           <generalNotifier>
>             <recipientExpression>
>               <!-- static approach works - oid of current logged in user -->
>               <runAsRef oid="d94e7fdc-0935-4b51-9205-6417a598f235"/>
>
>               <!-- but how to arrange dynamic?
>               <runAsRef>
>                 <filter>
>                   <q:ref>
>                     <q:path> ??????????? </q:path>
>                     <expression>
>                       <script>
>                         <code>
>                           import com.evolveum.midpoint.schema.util.ObjectTypeUtil
>
>                           return [ObjectTypeUtil.createOidOnlyObjectRef(actor)]
>                         </code>
>                       </script>
>                     </expression>
>                   </q:ref>
>                 </filter>
>               </runAsRef>
>               -->
>
>               <script>
>                 <code>
>                   import ....
>                   HashSet notifyTo = new HashSet()
>
>                   // look for admins with tenant-based authorization role assigned
>                   ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
>                       .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
>                       .build()
>                   // if search is running under tenant user (current logged in user)
>                   // returns users from this tenant only
>                   for (UserType user : midpoint.searchObjects(UserType.class, query)) {
>                     String email = user.getEmailAddress()
>                     if (email != null) {
>                       notifyTo.add(email)
>                     }
>                   }
>
>                   return notifyTo
>                 </code>
>               </script>
>             </recipientExpression>
>
>             <bodyExpression>
>               ....
>             </bodyExpression>
>
>             <transport>file</transport>
>           </generalNotifier>
>         </s:handler>
>       </s:notify>
>     </executeScript>
>   </scriptExecution>
> </policyActions>
>
> On Thu, 29 Jun 2023 at 14:01, Pavol Mederly via midPoint
> <midpoint at lists.evolveum.com> wrote:
>
> Hello Yakov,
>
> this one is highly experimental; and the documentation is probably
> waiting for a sponsor (i.e., a customer needing it).
>
> However, as usual, I'd suggest searching through the midPoint test
> sources. Each feature (even experimental ones, at least the majority
> of them) should have some tests created for it.
>
> This one is no exception, although trickier than usual. It
> seems to me that TestRbac.test870AssignRoleScreaming would provide
> some hints.
>
> Regards,
>
> --
> Pavol Mederly
> Software developer
> evolveum.com <http://evolveum.com>
>
> On 27/06/2023 07:21, Yakov Revyakin via midPoint wrote:
>> Any ideas?
>>
>> On Thu, 15 Jun 2023 at 09:54, Yakov Revyakin
>> <yrevyakin at gmail.com> wrote:
>>
>> Hi all,
>> It's not clear whether it is currently possible to use <notification>
>> as a policy action.
>>
>> <policyActions>
>> <notification>
>> <???????>
>> </notification>
>> </policyActions>
>>
>> Is there any sample how to deal with this?
>>
>> Or, maybe, an alternative way? Actually, I'd like to
>> notify if a transition based on objectState is triggered.
>>
>> Thanks,
>> Yakov
>>
>>
>> _______________________________________________
>> midPoint mailing list
>> midPoint at lists.evolveum.com
>> https://lists.evolveum.com/mailman/listinfo/midpoint
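The behaviour Yakov describes above (a recipient search that returns admins of every tenant when the notify action runs under the administrator, but only the current tenant's admins when it runs as the logged-in tenant user) modelled as an added Python example. This is not midPoint code and not from the thread: it is a constructed toy directory with a toy authorization layer that applies a tenant filter for tenant-scoped principals and no filter for the superuser. The sample users, the `search_users_by_role` / `recipient_emails` function names and the `require_tenant_scope` guard are assumptions made for illustration; only the role OID and administrator OID are taken from the post.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Constructed sample directory: a toy model of what the thread describes,
# not midPoint's object model or API.
ADMIN_ROLE_OID = "00506aa0-b76c-42f8-b82c-43080f76c58a"   # role OID quoted in the post
SUPERUSER_OID = "00000000-0000-0000-0000-000000000002"    # administrator OID quoted in the post


@dataclass(frozen=True)
class User:
    oid: str
    name: str
    tenant: Optional[str]                       # None: not assigned to any tenant
    role_membership: FrozenSet[str] = frozenset()
    email: Optional[str] = None
    superuser: bool = False


USERS: List[User] = [
    User(SUPERUSER_OID, "administrator", None, superuser=True),
    User("u-a1", "alice",  "tenant-a", frozenset({ADMIN_ROLE_OID}), "alice@a.example"),
    User("u-a2", "arnold", "tenant-a", frozenset({ADMIN_ROLE_OID})),          # admin without e-mail
    User("u-a3", "anna",   "tenant-a", frozenset(), "anna@a.example"),         # plain tenant user
    User("u-b1", "bob",    "tenant-b", frozenset({ADMIN_ROLE_OID}), "bob@b.example"),
    User("u-c1", "carol",  "tenant-c", frozenset({ADMIN_ROLE_OID}), "carol@c.example"),
]


class TenantScopeViolation(Exception):
    """Raised when a tenant-bound search would run under an unscoped principal."""


def get_user(oid: str) -> User:
    for u in USERS:
        if u.oid == oid:
            return u
    raise KeyError(oid)


def search_users_by_role(actor: User, role_oid: str) -> List[User]:
    """Toy stand-in for searchObjects(): the caller's query filter is
    combined with an authorization filter derived from the executing
    principal. A superuser gets no such filter; a tenant user only sees
    objects of its own tenant. This mirrors what Yakov observed."""
    matches = [u for u in USERS if role_oid in u.role_membership]
    if actor.superuser:
        return matches
    return [u for u in matches if u.tenant == actor.tenant]


def recipient_emails(run_as_oid: str, require_tenant_scope: bool = True) -> Set[str]:
    """Toy stand-in for the recipientExpression script: run the admin
    search as `run_as_oid` and collect the e-mail addresses found.

    `require_tenant_scope` is an added guard (assumption, not a midPoint
    option): it refuses to run the recipient search under a principal
    that has no tenant, which is exactly the case in which the search
    would leak admin addresses of every tenant into one notification."""
    actor = get_user(run_as_oid)
    if require_tenant_scope and actor.tenant is None:
        raise TenantScopeViolation(
            f"refusing to search recipients as unscoped principal {actor.name}")
    return {u.email for u in search_users_by_role(actor, ADMIN_ROLE_OID)
            if u.email is not None}


if __name__ == "__main__":
    # 1st runAsRef from the post: fixed superuser, guard switched off.
    print("as administrator:", sorted(recipient_emails(SUPERUSER_OID, require_tenant_scope=False)))
    # 2nd runAsRef: the logged-in tenant user that triggered the policy.
    print("as anna (tenant-a):", sorted(recipient_emails("u-a3")))
    print("as bob (tenant-b):", sorted(recipient_emails("u-b1")))
```

The point the toy makes is the one a practitioner should take from the thread: the identity a notification script executes under is part of its authorization context, so a fixed superuser runAsRef silently widens a per-tenant search to the whole deployment. Whatever form the dynamic runAsRef takes, the recipient search should run as the tenant-scoped principal, and it is worth failing loudly (as the guard does) rather than sending a cross-tenant list by accident.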