[midPoint] automatically unassign all roles on disable

Markus Calmius markus.calmius at proton.ch
Mon Oct 16 08:12:09 CEST 2023


Hi,

thanks again Patrik. Your example gave me enough clues to be able to successfully implement the "hook".

Had a lot of debug-lines to figure out what was going on. And, well... the hook is definitely called a lot, so I think I'll take another look at the role-solution you included.

Anyway, this is what I ended up with, and it seems to be working fine:

<hook>
    <name>Remove assignments from disabled users</name>
    <state>final</state>
    <focusType>c:UserType</focusType>
    <script>
        <code>
import com.evolveum.midpoint.xml.ns._public.common.common_3.*
import com.evolveum.midpoint.prism.delta.builder.*

UserType user = (UserType) focus;
// the computed effective status is checked, not the administrative one
ActivationStatusType effectiveStatus = user.getActivation()?.getEffectiveStatus();
if (effectiveStatus == ActivationStatusType.DISABLED) {
    ArrayList assignmentsToDelete = []
    for (AssignmentType assign : user.getAssignment()) {
        // only role assignments; targetRef is null for construction assignments, hence the null-safe chain
        if (assign.getTargetRef()?.getType()?.toString()?.toLowerCase()?.contains('roletype')) {
            AssignmentType removeAssignment = new AssignmentType()
            removeAssignment.id = assign.id   // delete by container id only
            assignmentsToDelete.add(removeAssignment.asPrismContainerValue())
        }
    }
    if (!assignmentsToDelete.empty) {
        log.info("Assignments to delete because user is no longer ENABLED: " + assignmentsToDelete)
        def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
        midpoint.modifyObject(delta)
    }
}
        </code>
    </script>
</hook>

Markus Calmius
Proton AG
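For the same deprovisioning-on-disable requirement, here is an added example (my own, not Markus's hook, Patrik's role, or midPoint project code) that acts only on the transition to DISABLED, so it stays a no-op on the many later hook invocations, and that skips construction assignments and an allowlist of roles that must survive. It assumes the scripting-hook variables focus, modelContext, prismContext, midpoint and log, that modelContext.focusContext.objectOld yields the pre-change user, and a placeholder KEEP_OIDS set.

```groovy
import com.evolveum.midpoint.xml.ns._public.common.common_3.*

// Hypothetical: OIDs of assignments that must survive a disable (e.g. a "disabled employee" role).
// Placeholder value, replace with the real OIDs from your deployment.
final Set<String> KEEP_OIDS = ['00000000-0000-0000-0000-REPLACE-ME'] as Set

// True only when the effective status is changing to DISABLED in this clockwork run,
// so the hook does nothing on later runs (including the one triggered by its own modifyObject).
boolean becomesDisabled(UserType before, UserType after) {
    def oldStatus = before?.activation?.effectiveStatus
    def newStatus = after?.activation?.effectiveStatus
    return newStatus == ActivationStatusType.DISABLED && oldStatus != ActivationStatusType.DISABLED
}

// Selects the assignments to drop: only role-targeted ones (construction assignments have no
// targetRef and are left untouched), and never those on the keep list.
List<AssignmentType> roleAssignmentsToRemove(UserType user, Set<String> keepOids) {
    user.assignment.findAll { a ->
        a.targetRef?.type == RoleType.COMPLEX_TYPE && !(a.targetRef.oid in keepOids)
    }
}

UserType userNew = (UserType) focus
// assumed: the focus context exposes the object as it was before this change
UserType userOld = modelContext?.focusContext?.objectOld?.asObjectable()

if (becomesDisabled(userOld, userNew)) {
    def toDelete = roleAssignmentsToRemove(userNew, KEEP_OIDS).collect { a ->
        def ref = new AssignmentType()
        ref.id = a.id                 // delete by container id, as in the hook above
        ref.asPrismContainerValue()
    }
    if (!toDelete.empty) {
        log.info("User {} disabled, removing {} role assignment(s)", userNew.oid, toDelete.size())
        def delta = prismContext.deltaFor(UserType.class)
                .item(UserType.F_ASSIGNMENT).delete(toDelete)
                .asObjectDelta(userNew.oid)
        midpoint.modifyObject(delta)
    }
}
```

When pasted into a <code> element, the && must be written as &amp;&amp; or the whole script wrapped in a CDATA section.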

------- Original Message -------
On Thursday, October 12th, 2023 at 14:48, Patrik Sidler <patrik.sidler at itconcepts.ch> wrote:

> Hi Markus,
>
> In our environment, every user is either internal, external or disabled. We have created a role for every type of user.
>
> The role for internal and external employees induces the archetype and assigns a policy that removes all assigned roles if the user moves from internal/external to disabled.
>
> Here is the role we assign to internal employees:
>
> <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
>       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
>       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
>       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
>       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
>       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
>       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>     <name>Role for Internal Employee</name>
>     <description>This role is assigned to all enabled internal Employees</description>
>     <displayName>Role Internal Employee</displayName>
>     <indestructible>true</indestructible>
>     <requestable>false</requestable>
>     <inducement id="3">
>         <!-- assign ArcheType for Internal Employee -->
>         <targetRef oid="333c8ef8-f58a-4550-8a31-b68e3a4c320a" relation="org:default" type="c:RoleType"/>
>     </inducement>
>     <assignment>
>         <policyRule>
>             <name>This assignment is to remove all assignments except "Archetype Disabled Employee" and "Role Disabled Employee"</name>
>             <policyConstraints>
>                 <assignment>
>                     <operation>delete</operation>
>                 </assignment>
>             </policyConstraints>
>             <policyActions>
>                 <scriptExecution>
>                     <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
>                         <s:pipeline list="true">
>                             <s:action>
>                                 <s:type>execute-script</s:type>
>                                 <s:parameter xmlns:qn63="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
>                                     <s:name>script</s:name>
>                                     <c:value xsi:type="c:ScriptExpressionEvaluatorType">
>                                         <c:code>
> import com.evolveum.midpoint.xml.ns._public.common.common_3.*
> import com.evolveum.midpoint.prism.delta.builder.*
> import com.evolveum.midpoint.model.api.*
> import static com.evolveum.midpoint.schema.constants.SchemaConstants.C_ORG_TYPE
> import javax.xml.namespace.QName
>
> log.info("Check if Assignments to delete because user is no longer an Internal Employee")
>
> // OIDs of "Role Disabled Employee" and "Archetype Disabled Employee": these assignments must survive
> def keepOids = ["b72686bd-dcbd-4e9a-a5bb-15988b6a9a26", "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1"]
> def assignmentsToDelete = []
> user = midpoint.getObject(UserType.class, input.oid)
> for (a in user.assignment) {
>     // keep the two "disabled employee" assignments, delete every other assignment
>     if (!(a.targetRef?.oid in keepOids)) {
>         def removeAssignment = new AssignmentType()
>         removeAssignment.id = a.id
>         assignmentsToDelete.add(removeAssignment.asPrismContainerValue())
>     }
> }
> if (!assignmentsToDelete.empty) {
>     log.info("Assignments to delete because user is no longer InternalEmployee: " + assignmentsToDelete)
>     def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
>     midpoint.modifyObject(delta)
> }
>                                         </c:code>
>                                     </c:value>
>                                 </s:parameter>
>                             </s:action>
>                         </s:pipeline>
>                     </executeScript>
>                 </scriptExecution>
>             </policyActions>
>         </policyRule>
>         <activation>
>             <effectiveStatus>enabled</effectiveStatus>
>         </activation>
>     </assignment>
> </role>
>
> Maybe this code will help to solve your problem.
>
> Best Regards
>
> Patrik
>
> From: midPoint <midpoint-bounces at lists.evolveum.com> On Behalf Of Markus Calmius via midPoint
> Sent: Thursday, 12 October 2023 11:59
> To: midPoint General Discussion <midpoint at lists.evolveum.com>
> Cc: Markus Calmius <markus.calmius at proton.ch>
> Subject: [midPoint] automatically unassign all roles on disable
>
> Hi,
>
> I am trying to figure out how to make sure all roles are unassigned when a user is removed or disabled from HR.
>
> I've found: https://docs.evolveum.com/midpoint/reference/concepts/clockwork/scripting-hooks/ which contains Example 1 that should do the trick.
>
> Although it doesn't quite work on 4.7.2, it seems; I get: "Expression error: Groovy Evaluation Failed: No such property: ContainerDelta for class: (new)_"
>
> Two questions:
>
> -  is there an easier way?
> -  trying to figure out what is wrong is not super easy; it's been years since I actually coded. Any guidance is greatly appreciated. I assume the createModificationDelete has changed some input parameters
>
> I'm testing the script in the query playground with one disabled user.
>
> <expression>
>     <script>
>         <code>
> import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
> import com.evolveum.midpoint.prism.*;
>
> UserType user = (UserType) midpoint.searchObjectByName(UserType.class, '<redacted username>');
> ActivationStatusType administrativeStatus = user.getActivation().getEffectiveStatus();
> if (administrativeStatus == ActivationStatusType.DISABLED) {
>     changed = false;   // initialised once, before the loop, so it is defined even with no assignments
>     for (AssignmentType assign : user.getAssignment()) {
>         assignmentDelta = ContainerDelta.createModificationDelete(UserType.F_ASSIGNMENT, UserType.class, prismContext, assign.clone());
>         modelContext.getFocusContext().swallowToSecondaryDelta(assignmentDelta);
>         changed = true;
>     }
>     if (changed) {
>         modelContext.rot(); // this makes Projector to recompute the model context
>     }
> }
>         </code>
>     </script>
> </expression>
>
> Thanks in Advance
>
> Markus