[midPoint] automatically unassign all roles on disable

Markus Calmius markus.calmius at proton.ch
Thu Oct 12 16:46:01 CEST 2023


Thank you Patrik and Pascal.
I will take a look at this next week.

Kind regards,
Markus

-------- Original Message --------
On 12 Oct 2023, 14:48, wrote:

> Message: 1
> Date: Thu, 12 Oct 2023 12:34:27 +0200
> From: Pascal PERICHON
> To: Markus Calmius via midPoint
> Subject: Re: [midPoint] automatically unassign all roles on disable
>
> Hi,
>
> The documentation was not updated.
>
> Something like that:
>
>     assignmentDelta = midpoint.deltaFor(UserType.class)
>     for (AssignmentType assign : user.getAssignment()) {
>         ...
>         assignmentDelta = assignmentDelta.item(UserType.F_ASSIGNMENT).delete(assign)
>         ...
>     }
>     myDeltas = assignmentDelta.asItemDeltas()
>     modelContext.getFocusContext().swallowToSecondaryDelta(myDeltas)
>     modelContext.rot()
>
> You should call "swallowToSecondaryDelta()" only once: put it outside the "for" iteration.
>
> Not sure that "assign.clone()" works: maybe (not sure) you should use only "assign".
>
> Best regards and good luck :)
>
> On 12/10/2023 at 11:58, Markus Calmius via midPoint wrote:
> > Hi,
> >
> > I am trying to figure out how to make sure all roles are unassigned
> > when a user is removed or disabled from HR.
> > I've found:
> > https://docs.evolveum.com/midpoint/reference/concepts/clockwork/scripting-hooks/ which
> > contains Example 1 that should do the trick.
> > Although, it doesn't quite work on 4.7.2 it seems, I get: "Expression
> > error: Groovy Evaluation Failed: No such property: ContainerDelta for
> > class: (new)_"
> >
> > Two questions:
> >
> > 1. is there an easier way?
> > 2. trying to figure out what is wrong is not super easy, it's been
> >    years since I actually coded. Any guidance is greatly appreciated.
> >    I assume the createModificationDelete has changed some input
> >    parameters
> >
> > I'm testing the script in the query playground with one disabled user.
> >
> > Thanks in Advance
> > Markus
>
> ------------------------------
>
> Message: 2
> Date: Thu, 12 Oct 2023 12:48:21 +0000
> From: Patrik Sidler
> To: midPoint General Discussion
> Cc: Markus Calmius
> Subject: Re: [midPoint] automatically unassign all roles on disable
>
> Hi Markus,
>
> In our environment, every user is either internal, external or disabled. We have created a Role for every type of user. The Role for Internal and External Employees induces the ArcheType and assigns a policy that removes all assigned Roles if the user moves from internal/external to disabled.
>
> Here is the Role we assign to Internal Employees:
>
> Role for Internal Employee
> This role is assigned to all enabled internal Employees
> Role Internal Employee
> true
> false
> This assignment is to remove all assignments except "Archetype Disabled Employee" and "Role Disabled Employee"
> delete
> execute-script
> script
>
>     import com.evolveum.midpoint.xml.ns._public.common.common_3.*
>     import com.evolveum.midpoint.prism.delta.builder.*
>     import com.evolveum.midpoint.model.api.*
>     import static com.evolveum.midpoint.schema.constants.SchemaConstants.C_ORG_TYPE
>     import javax.xml.namespace.QName
>
>     log.info("Check if Assignments to delete because user is no longer an Internal Employee")
>     def assignmentsToDelete = []
>     user = midpoint.getObject(UserType.class, input.oid)
>     for (a in user.assignment) {
>         // Skip the two assignments that must be kept. "&&" is required here:
>         // with "||" the test is true for every OID and nothing is kept.
>         if (a.targetRef?.oid != "b72686bd-dcbd-4e9a-a5bb-15988b6a9a26" && a.targetRef?.oid != "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1") {
>             // Delete by container id only
>             def removeAssignment = new AssignmentType()
>             removeAssignment.id = a.id
>             assignmentsToDelete.add(removeAssignment.asPrismContainerValue())
>         }
>     }
>     if (!assignmentsToDelete.empty) {
>         log.info("Assignments to delete because user is no longer InternalEmployee: " + assignmentsToDelete)
>         def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
>         midpoint.modifyObject(delta)
>     }
>
> enabled
>
> Maybe this code will help to solve your problem.
>
> Best Regards
> Patrik
>
> ------------------------------
>
> End of midPoint Digest, Vol 138, Issue 9
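
The selection step that both replies depend on, isolated as plain Groovy so the keep-list logic can be checked without a midPoint instance. This is an added example, not code from the thread or from midPoint: `selectForRemoval`, the `keepUntargeted` switch and all OIDs are hypothetical placeholders, and maps stand in for `AssignmentType`.

```groovy
// Added example: plain Groovy, no midPoint classes required.
// Constructed placeholder OIDs, not values from any deployment.
def KEEP_ARCHETYPE = '00000000-0000-0000-0000-00000000000a'
def KEEP_ROLE      = '00000000-0000-0000-0000-00000000000b'
def KEEP = [KEEP_ARCHETYPE, KEEP_ROLE] as Set

// Returns the container ids of the assignments to delete.
// Assignments with no targetRef are removed as well unless
// keepUntargeted is true, so that case is an explicit decision.
def selectForRemoval(List assignments, Set keepOids, boolean keepUntargeted = false) {
    assignments.findAll { a ->
        def oid = a.targetRef?.oid
        oid == null ? !keepUntargeted : !(oid in keepOids)
    }*.id
}

// Constructed sample: a disabled user's assignments.
def assignments = [
    [id: 1L, targetRef: [oid: KEEP_ARCHETYPE]],
    [id: 2L, targetRef: [oid: KEEP_ROLE]],
    [id: 3L, targetRef: [oid: '00000000-0000-0000-0000-0000000000c1']],
    [id: 4L, targetRef: [oid: '00000000-0000-0000-0000-0000000000c2']],
    [id: 5L, targetRef: null],
]

def toRemove = selectForRemoval(assignments, KEEP)
assert toRemove == [3L, 4L, 5L]
assert selectForRemoval(assignments, KEEP, true) == [3L, 4L]

// Pitfall: "oid != A || oid != B" holds for every OID, so a filter
// written that way ignores the keep-list and selects everything.
def orForm = assignments.findAll {
    it.targetRef?.oid != KEEP_ARCHETYPE || it.targetRef?.oid != KEEP_ROLE
}*.id
assert orForm == [1L, 2L, 3L, 4L, 5L]

// Re-running after the removal selects nothing, so no delta is needed.
def remaining = assignments.findAll { !(it.id in toRemove) }
assert selectForRemoval(remaining, KEEP).isEmpty()
println "to remove: ${toRemove}"
```

In a midPoint script the selected ids would feed a single delete delta, submitted once after the loop.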