[midPoint] Automatically unassign requested roles when validTo is reached
Patrik Sidler
patrik.sidler at itconcepts.ch
Mon Mar 27 14:44:41 CEST 2023
Hi,
Thank you very much for this piece of code.
I have a Role that is assigned to every active employee and a role that is assigned to every inactive employee.
I have assigned this policyRule to the role for active employees and now, whenever this role gets deleted, all roles except the one for inactive employees will be unassigned.
Perfect way to solve this problem.
Thank you again. Best regards,
Patrik
From: Alcides Moraes <alcides.neto at gmail.com>
Sent: Thursday, 23 March 2023 17:00
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Patrik Sidler <patrik.sidler at itconcepts.ch>
Subject: Re: [midPoint] Automatically unassign requested roles when validTo is reached
Hi Patrik,
We do something like what you need using a policyRule with scriptExecution policyAction
https://docs.evolveum.com/midpoint/reference/roles-policies/policy-rules/
It's a very sparsely documented feature.
You can have a script executed when an assignment is added and/or deleted.
You can also have globalPolicies but I never tested these.
Example:
<assignment id="8">
    <policyRule>
        <name>Remove all assignments that are not the archetype</name>
        <policyConstraints>
            <assignment id="9">
                <operation>add</operation>
            </assignment>
        </policyConstraints>
        <policyActions>
            <scriptExecution id="10">
                <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                    <s:pipeline list="true">
                        <s:action>
                            <s:type>execute-script</s:type>
                            <s:parameter xmlns:qn63="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                                <s:name>script</s:name>
                                <value>
                                    <code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.*
import com.evolveum.midpoint.prism.delta.builder.*
import com.evolveum.midpoint.model.api.*
import static com.evolveum.midpoint.schema.constants.SchemaConstants.C_ORG_TYPE
import javax.xml.namespace.QName

def assignmentsToDelete = []
// 'input' is the focus (user) the policy rule fired on; re-read it from the repository
user = midpoint.getObject(UserType.class, input.oid)
for (a in user.assignment) {
    // keep only the assignment pointing at the archetype OID; everything else is scheduled for removal
    if (a.targetRef?.oid != "4b05bd96-1704-4ca9-8974-a34f9caebd0c") {
        // an AssignmentType carrying only the container id is enough to delete that assignment
        def removeAssignment = new AssignmentType()
        removeAssignment.id = a.id
        assignmentsToDelete.add removeAssignment.asPrismContainerValue()
    }
}
if (!assignmentsToDelete.empty) {
    log.info "Assignments to delete: " + assignmentsToDelete
    // build a single delete delta on the user's assignment container and apply it
    def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
    log.info "Deleting"
    midpoint.modifyObject(delta)
}
                                    </code>
                                </value>
                            </s:parameter>
                        </s:action>
                    </s:pipeline>
                </executeScript>
            </scriptExecution>
        </policyActions>
    </policyRule>
    <activation>
        <effectiveStatus>enabled</effectiveStatus>
    </activation>
</assignment>
On 23 Mar 2023, at 12:40, Patrik Sidler via midPoint <midpoint at lists.evolveum.com> wrote:
Hi Community,
I am looking for a way to unassign manually requested Roles from a midPoint user.
The unassignment should be started automatically when the administrativeStatus of this user changes to disabled (validTo is reached) or when the user is transferred from one organisation to another, for example (attribute change).
I know it should be possible to do this with a scheduled bulkAction.
But I am really looking for another, easier way to solve this.
Thank you in advance for your help
Best regards,
Patrik
_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint
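The script in the policyRule above removes every assignment that does not point at one hard-coded OID, which for Patrik's use case (unassigning requested roles) would also strip org memberships, archetypes and non-membership relations such as manager or approver. The following is an added example, not Alcides' code nor part of midPoint, of a narrower variant that only unassigns role memberships with the default relation and keeps a list of protected roles (such as the inactive-employee role); it assumes the same midPoint script variables (`input`, `midpoint`, `prismContext`, `log`) and the standard `RoleType.COMPLEX_TYPE`, `SchemaConstants.ORG_DEFAULT` and `QNameUtil.match`, and the OID in `protectedRoleOids` is a placeholder.

```groovy
// Added example (not from the thread): runs from the same policyRule/scriptExecution,
// so `input` is the user the rule fired on and midpoint/prismContext/log are the
// standard midPoint script variables.
import com.evolveum.midpoint.xml.ns._public.common.common_3.*
import com.evolveum.midpoint.schema.constants.SchemaConstants
import com.evolveum.midpoint.util.QNameUtil

// Placeholder OIDs of roles that must never be unassigned by this rule
// (e.g. the "inactive employee" role). Replace with the real OIDs.
def protectedRoleOids = ["REPLACE-WITH-INACTIVE-EMPLOYEE-ROLE-OID"] as Set

def user = midpoint.getObject(UserType.class, input.oid)
def toDelete = []
def kept = []   // human-readable reasons, written to the log for audit

for (a in user.assignment) {
    def ref = a.targetRef
    // Constructions, archetypes, orgs and services are out of scope: roles only.
    if (ref == null || !QNameUtil.match(ref.type, RoleType.COMPLEX_TYPE)) {
        kept << "non-role assignment id=" + a.id
        continue
    }
    // Manager/approver/owner relations are not memberships; leave them alone.
    def relation = ref.relation
    if (relation != null && !QNameUtil.match(relation, SchemaConstants.ORG_DEFAULT)) {
        kept << "relation " + relation.localPart + " on role " + ref.oid
        continue
    }
    if (protectedRoleOids.contains(ref.oid)) {
        kept << "protected role " + ref.oid
        continue
    }
    // Delete by container id: an AssignmentType holding only the id is enough.
    def removal = new AssignmentType()
    removal.id = a.id
    toDelete << removal.asPrismContainerValue()
}

log.info "Kept assignments for " + user.name + ": " + kept
if (!toDelete.empty) {
    log.info "Unassigning " + toDelete.size() + " role membership(s) from " + user.name
    def delta = prismContext.deltaFor(UserType.class)
            .item(UserType.F_ASSIGNMENT).delete(toDelete)
            .asObjectDelta(user.oid)
    midpoint.modifyObject(delta)
}
```

For Patrik's trigger (the active-employee role being removed) the policyConstraint would use `<operation>delete</operation>` instead of `add`.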