[midPoint] automatically unassign all roles on disable

Patrik Sidler patrik.sidler at itconcepts.ch
Thu Oct 12 14:48:21 CEST 2023


Hi Markus,

In our environment, every user is either internal, external or disabled. We have created a role for every type of user.
The role for internal and external employees induces the archetype and assigns a policy rule that removes all assigned roles if the user moves from internal/external to disabled.

Here is the Role we assign to Internal Employees:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <name>Role for Internal Employee</name>
    <description>This role is assigned to all enabled internal Employees</description>
    <displayName> Role Internal Employee</displayName>
    <indestructible>true</indestructible>
    <requestable>false</requestable>
    <inducement id="3">
        <!--assign ArcheType for Internal Employee-->
        <targetRef oid="333c8ef8-f58a-4550-8a31-b68e3a4c320a" relation="org:default" type="c:RoleType"/>
    </inducement>
    <assignment>
        <policyRule>
            <name>This assignment is to remove all assignments except "Archetype Disabled Employee" and "Role Disabled Employee"</name>
            <policyConstraints>
                <assignment>
                    <operation>delete</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <scriptExecution>
                    <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                        <s:pipeline list="true">
                            <s:action>
                                <s:type>execute-script</s:type>
                                <s:parameter xmlns:qn63="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                                    <s:name>script</s:name>
                                    <c:value xsi:type="c:ScriptExpressionEvaluatorType">
                                        <c:code>
                                            import com.evolveum.midpoint.xml.ns._public.common.common_3.*
                                            import com.evolveum.midpoint.prism.delta.builder.*
                                            import com.evolveum.midpoint.model.api.*
                                            import static com.evolveum.midpoint.schema.constants.SchemaConstants.C_ORG_TYPE
                                            import javax.xml.namespace.QName

                                            log.info("Check if Assignments to delete because user is no longer an Internal Employee")

                                            def assignmentsToDelete = []
                                            user = midpoint.getObject(UserType.class, input.oid)
                                            for (a in user.assignment) {
                                                // keep the "Role Disabled Employee" and "Archetype Disabled Employee" assignments;
                                                // every other assignment (including ones without a targetRef) is collected for deletion.
                                                // Both comparisons must hold, so they are joined with &&: with || the condition would be
                                                // true for every assignment and the keep-list would be ignored.
                                                if (a.targetRef?.oid != "b72686bd-dcbd-4e9a-a5bb-15988b6a9a26" &&
                                                    a.targetRef?.oid != "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1") {
                                                    def removeAssignment = new AssignmentType()
                                                    removeAssignment.id = a.id
                                                    assignmentsToDelete.add(removeAssignment.asPrismContainerValue())
                                                }
                                            }
                                            if (!assignmentsToDelete.empty) {
                                                log.info("Assignments to delete because user is no longer InternalEmployee: " + assignmentsToDelete)
                                                def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
                                                midpoint.modifyObject(delta)
                                            }
                                        </c:code>
                                    </c:value>
                                </s:parameter>
                            </s:action>
                        </s:pipeline>
                    </executeScript>
                </scriptExecution>
            </policyActions>
        </policyRule>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
</role>

Maybe this code will help to solve your problem.

Best Regards
Patrik
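A stand-alone model of the keep-list filter used in the policy script above, added here as an example (it is not Patrik's code and does not use the midPoint API): each assignment is a plain dict with an `id` and an optional `targetRef` oid, and the two functions show why the negated comparisons must be joined with "and" rather than "or". The two keep-list OIDs are the ones from the script; the assignment records and the other OIDs are constructed sample values.

```python
# OIDs of the two assignments that must survive the transition to "disabled"
# (values taken from the policy script in the mail).
KEEP_OIDS = {
    "b72686bd-dcbd-4e9a-a5bb-15988b6a9a26",  # "Role Disabled Employee"
    "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1",  # "Archetype Disabled Employee"
}


def target_oid(assignment):
    """Return the targetRef oid of an assignment, or None when it has none
    (e.g. an assignment that carries only a construction)."""
    return (assignment.get("targetRef") or {}).get("oid")


def assignments_to_delete(assignments, keep_oids=KEEP_OIDS):
    """Ids of every assignment whose target is NOT on the keep-list.

    An assignment without a targetRef has oid None, which is never on the
    keep-list, so direct constructions are removed as well; that is what
    "remove all access on disable" requires.
    """
    return [a["id"] for a in assignments if target_oid(a) not in keep_oids]


def buggy_assignments_to_delete(assignments, keep_oids=KEEP_OIDS):
    """The same filter with the two negated tests joined by `or`.

    No oid can equal both keep-list entries at once, so the predicate is
    true for every assignment: the keep-list is silently ignored and the
    disabled-employee role and archetype are deleted too.
    """
    keep_a, keep_b = sorted(keep_oids)
    return [a["id"] for a in assignments
            if target_oid(a) != keep_a or target_oid(a) != keep_b]


# Constructed sample: a user who has just moved to "disabled".
SAMPLE_ASSIGNMENTS = [
    {"id": 1, "targetRef": {"oid": "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1"}},  # archetype to keep
    {"id": 2, "targetRef": {"oid": "b72686bd-dcbd-4e9a-a5bb-15988b6a9a26"}},  # role to keep
    {"id": 3, "targetRef": {"oid": "00000000-0000-0000-0000-00000000abcd"}},  # constructed business role
    {"id": 4, "construction": {"resourceRef": "constructed-resource-oid"}},   # no targetRef at all
]

if __name__ == "__main__":
    print("with and:", assignments_to_delete(SAMPLE_ASSIGNMENTS))        # [3, 4]
    print("with or :", buggy_assignments_to_delete(SAMPLE_ASSIGNMENTS))  # [1, 2, 3, 4]
```

Running the two variants side by side on the same input is the quickest way to check a keep-list predicate before putting it into a policy rule that issues object modifications.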

From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Markus Calmius via midPoint
Sent: Thursday, 12 October 2023 11:59
To: midPoint General Discussion <midpoint at lists.evolveum.com>
Cc: Markus Calmius <markus.calmius at proton.ch>
Subject: [midPoint] automatically unassign all roles on disable

Hi,

I am trying to figure out how to make sure all roles are unassigned when a user is removed or disabled in HR.
I've found https://docs.evolveum.com/midpoint/reference/concepts/clockwork/scripting-hooks/, which contains Example 1, which should do the trick.
However, it doesn't quite work on 4.7.2, it seems; I get: "Expression error: Groovy Evaluation Failed: No such property: ContainerDelta for class: (new)_"

Two questions:

  1.  Is there an easier way?
  2.  Trying to figure out what is wrong is not super easy; it's been years since I actually coded. Any guidance is greatly appreciated. I assume createModificationDelete has changed some input parameters.

I'm testing the script in the query playground with one disabled user.
<expression>
    <script>
        <code>
            import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
            import com.evolveum.midpoint.prism.*;
            // ContainerDelta lives in the delta package; without this import Groovy
            // reports "No such property: ContainerDelta"
            import com.evolveum.midpoint.prism.delta.ContainerDelta;

            UserType user = (UserType) midpoint.searchObjectByName(UserType.class, '<redacted username>');
            // the disable check is made on the effective status
            ActivationStatusType effectiveStatus = user.getActivation().getEffectiveStatus();
            // declared before the loop so it is defined even when the user has no assignments
            boolean changed = false;
            if (effectiveStatus == ActivationStatusType.DISABLED) {
                for (AssignmentType assign : user.getAssignment()) {
                    // one delete delta per existing assignment
                    assignmentDelta = ContainerDelta.createModificationDelete(UserType.F_ASSIGNMENT, UserType.class, prismContext, assign.clone());
                    // modelContext is provided to scripting hooks; it is not bound when the
                    // expression is evaluated in the query playground
                    modelContext.getFocusContext().swallowToSecondaryDelta(assignmentDelta);
                    changed = true;
                }
                if (changed) {
                    modelContext.rot(); // this makes the Projector recompute the model context
                }
            }
        </code>
    </script>
</expression>

Thanks in Advance
Markus