[midPoint] Automatically unassign requested roles when validTo is reached

Alcides Moraes alcides.neto at gmail.com
Thu Mar 23 16:59:46 CET 2023


Hi Patrik,

We do something like what you need using a policyRule with scriptExecution policyAction
https://docs.evolveum.com/midpoint/reference/roles-policies/policy-rules/
It’s a very little documented feature.

You can have a script executed when an assignment is added and/or deleted.
You can also have globalPolicies but I never tested these.
Example:

">
<assignment id="8">
    <policyRule>
        <name>Remove all assignments that are not the archetype</name>
        <policyConstraints>
            <assignment id="9">
                <operation>add</operation>
            </assignment>
        </policyConstraints>
        <policyActions>
            <scriptExecution id="10">
                <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                    <s:pipeline list="true">
                        <s:action>
                            <s:type>execute-script</s:type>
                            <s:parameter xmlns:qn63="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                                <s:name>script</s:name>
                                <value>
                                    <code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.*
import com.evolveum.midpoint.prism.delta.builder.*
import com.evolveum.midpoint.model.api.*
import static com.evolveum.midpoint.schema.constants.SchemaConstants.C_ORG_TYPE
import javax.xml.namespace.QName

// Collect every assignment whose target is not the archetype, referenced by container id only
def assignmentsToDelete = []
user = midpoint.getObject(UserType.class, input.oid)
for (a in user.assignment) {
    if (a.targetRef?.oid != "4b05bd96-1704-4ca9-8974-a34f9caebd0c") {
        def removeAssignment = new AssignmentType()
        removeAssignment.id = a.id
        assignmentsToDelete.add removeAssignment.asPrismContainerValue()
    }
}
// Remove them with one object delta executed through the model API
if (!assignmentsToDelete.empty) {
    log.info "Assignments to delete: " + assignmentsToDelete
    def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
    log.info "Deleting"
    midpoint.modifyObject(delta)
}
                                    </code>
                                </value>
                            </s:parameter>
                        </s:action>
                    </s:pipeline>
                </executeScript>
            </scriptExecution>
        </policyActions>
    </policyRule>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
    </activation>
</assignment>


> On 23 Mar 2023, at 12:40, Patrik Sidler via midPoint <midpoint at lists.evolveum.com> wrote:
> 
> Hi Community,
>  
> I am looking for a way to unassign manually requested Roles from a midPoint user.
> The unassign should automatically be started when the administrativeStatus of this user changes to disabled (validTo is reached) or when the user is transferred from one Organisation to another for example (attribute change).
>  
> I know it should be possible to do this with a scheduled bulkAction.
> But I am really looking for another, easier way to solve this.
>  
> Thank you in advance for your help
>  
> Best regards,
> Patrik
>  
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
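A configuration put together for this thread as an added example; it is not Alcides' code and not from the midPoint documentation. It applies the same policyRule/scriptExecution mechanism to Patrik's case: instead of firing on an assignment being added, the rule uses a modification constraint on activation/administrativeStatus, and the script removes only role assignments that carry requestor metadata, leaving the archetype and org assignments in place. Assumptions: the rule lives in an assignment on the archetype (or object template) that applies to the affected users, the assignment id is a placeholder, midPoint stamps requestorRef into assignment metadata for assignments created through a request (this is the marker used for "manually requested"), and, as in the thread's script, input is the focus object.

```xml
<!-- Added example, not from the original thread or from Evolveum.
     Assumed placement: an assignment on the archetype/object template of the users in scope.
     ASSIGNMENT_ID_PLACEHOLDER must be replaced by a real container id. -->
<assignment id="ASSIGNMENT_ID_PLACEHOLDER">
    <policyRule>
        <name>Unassign requested roles when the user is disabled</name>
        <policyConstraints>
            <!-- Fires whenever activation/administrativeStatus is modified on the focus -->
            <modification>
                <operation>modify</operation>
                <item>activation/administrativeStatus</item>
            </modification>
        </policyConstraints>
        <policyActions>
            <scriptExecution>
                <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                    <s:pipeline list="true">
                        <s:action>
                            <s:type>execute-script</s:type>
                            <s:parameter>
                                <s:name>script</s:name>
                                <value>
                                    <code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.*

// Re-read the focus so the script works on stored state (same approach as the thread's script).
def user = midpoint.getObject(UserType.class, input.oid)

// The constraint fires on any change of administrativeStatus; only act when it ended up DISABLED.
if (user.activation?.administrativeStatus != ActivationStatusType.DISABLED) {
    log.info("User {} is not disabled, nothing to unassign", user.name)
    return
}

def toDelete = []
for (a in user.assignment) {
    // Keep everything that is not a role: archetype, org membership, policy rules, etc.
    if (a.targetRef?.type != RoleType.COMPLEX_TYPE) continue
    // Assumption: a requested assignment carries requestorRef in its metadata.
    if (a.metadata?.requestorRef == null) continue
    def victim = new AssignmentType()
    victim.id = a.id            // delete by container id only, never by full value
    toDelete.add(victim.asPrismContainerValue())
}

if (toDelete.empty) {
    log.info("No requested role assignments found on {}", user.name)
    return
}
log.info("Unassigning {} requested role(s) from {}", toDelete.size(), user.name)
def delta = prismContext.deltaFor(UserType.class)
        .item(UserType.F_ASSIGNMENT).delete(toDelete)
        .asObjectDelta(user.oid)
// Executed through the model, so the removal shows up in the audit log like any other change.
midpoint.modifyObject(delta)
                                    </code>
                                </value>
                            </s:parameter>
                        </s:action>
                    </s:pipeline>
                </executeScript>
            </scriptExecution>
        </policyActions>
    </policyRule>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
    </activation>
</assignment>
```

Two design points worth keeping if you adapt this: the status check inside the script makes the rule safe to fire on re-enable as well, since it then does nothing, and filtering on targetRef type plus the requestor marker keeps the script from stripping the archetype or org assignments, which the thread's all-but-one-OID version would remove. The org-transfer trigger from the original question could be covered by a second modification constraint on the relevant org reference item in the same policyConstraints element.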