[midPoint] Alert when role reaches max number of (indirect) members

Robbe Van Biervliet robbe.vanbiervliet at vives.be
Fri Apr 5 13:07:29 CEST 2024


Hello midPoint Community,

I am facing an issue that I cannot seem to solve myself. First some context.
We use roles to represent software that requires licenses. So if a user has this role that means they are using a license for this software. These licenses are finite and we would like to receive an alert by mail when we have used up the last available license.

The current plan is to extend the schema of roles with an "upperbound" attribute that holds an integer representing the number of licenses we own. I am now trying to implement the alert. My idea is to have a single bulk action task that queries for RoleTypes where the number of users is equal to the upperbound and then sends an email about this role. It is useful to know that these roles are indirectly assigned to the users. To fetch the number of users with the role, I try to make the collection of all these users and then take its size.

My current attempt looks like this:

<activity>
        <work>
            <nonIterativeScripting>
                <scriptExecutionRequest xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                    <s:pipeline list="true">
                        <s:expression xsi:type="s:SearchExpressionType">
                            <s:type>RoleType</s:type>
                            <s:searchFilter>
                                <q:text>extension/Upperbound = ```import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
                                import java.util.*;
                                import com.evolveum.midpoint.prism.query.builder.QueryBuilder;
                                query = midpoint.queryFor(UserType.class, "roleMembershipRef/@/name = " + object.getName());
                                collection = midpoint.searchObjects(query);
                                return collection.size();```
                               </q:text>
                            </s:searchFilter>
                        </s:expression>
                        <s:expression xsi:type="s:ActionExpressionType">
                            <s:type>notify</s:type>
                            <s:parameter>
                                <s:name>handler</s:name>
                                <s:value xsi:type="c:EventHandlerType">
                                    <generalNotifier>
...

Which is followed by code that sends out the email.

I am relatively new to midPoint, so it is very possible that this attempt does not make much sense, but it is what I have pieced together from other threads and Google searches so far.
If anyone knows a way to fix the code or could think of a more efficient way to implement this, your help would be very much appreciated.

Thanks in advance,
Robbe
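
The check described in the post, modelled offline as an added example (not part of the original message and not midPoint code): it expands indirect assignments into each user's effective role set, counts distinct users per license role, and compares the count with that role's upperbound. The role names, users and the dictionaries standing in for inducements, assignments and the extension attribute are all constructed assumptions.

```python
# Added illustration; every name and value below is constructed, not midPoint API.
from collections import defaultdict

def effective_roles(direct, inducements):
    """Expand each user's direct assignments through role inducements,
    giving the direct plus indirect memberships the post wants to count."""
    result = {}
    for user, roles in direct.items():
        seen, stack = set(), list(roles)
        while stack:
            role = stack.pop()
            if role in seen:          # also stops on inducement cycles
                continue
            seen.add(role)
            stack.extend(inducements.get(role, ()))
        result[user] = seen
    return result

def roles_at_limit(direct, inducements, upperbound):
    """Return {role: member_count} for roles whose distinct member count has
    reached the license count in `upperbound`. The comparison is >= so that
    an overshoot between two runs of the check is still reported."""
    counts = defaultdict(int)
    for roles in effective_roles(direct, inducements).values():
        for role in roles:            # a set, so each user counts once per role
            counts[role] += 1
    return {r: counts[r] for r, limit in upperbound.items() if counts[r] >= limit}

# Constructed sample: business roles induce license roles.
INDUCEMENTS = {"Designer": ["lic-photoshop"], "Engineer": ["lic-autocad", "Designer"]}
DIRECT = {
    "alice": ["Designer"],
    "bob": ["Engineer", "Designer"],   # reaches lic-photoshop by two paths
    "carol": ["lic-photoshop"],        # direct assignment
}
UPPERBOUND = {"lic-photoshop": 3, "lic-autocad": 5}

if __name__ == "__main__":
    for role, used in roles_at_limit(DIRECT, INDUCEMENTS, UPPERBOUND).items():
        print(f"ALERT {role}: {used}/{UPPERBOUND[role]} licenses in use")
```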