[midPoint] Script Query to Discover all Users with no roles
Markus Calmius
markus.calmius at proton.ch
Thu Jan 25 13:30:00 CET 2024
Hi,
not sure if this will help you or not. As we are running 4.8 I couldn't test it properly, but anyway...
So, in 4.8, this seems to work using the Query language:
"roleMembershipRef not matches (targetType = RoleType)"
I tried to translate some XML queries to see if I could get to that query, but I wasn't 100% successful, this is the closest one:
<query xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <filter>
    <q:not>
      <q:ref>
        <q:path>c:roleMembershipRef</q:path>
        <q:value>
          <q:type>c:RoleType</q:type>
        </q:value>
      </q:ref>
    </q:not>
  </filter>
</query>
which translates to:
c:roleMembershipRef not matches (type not = c:RoleType)
The two "not"s are weird though.
Markus
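
The difference between the two filter texts quoted in this message, modelled in Python as an added example (not code from the thread or from midPoint): each expression is read literally over constructed user objects, assuming `not matches` means that no `roleMembershipRef` value satisfies the inner condition. The sample users, OIDs and function names are made up for illustration.

```python
import xml.etree.ElementTree as ET

C = "http://midpoint.evolveum.com/xml/ns/public/common/common-3"

# Constructed sample objects (not from the thread); OIDs are placeholders.
SAMPLE = f"""
<objects xmlns="{C}" xmlns:c="{C}">
  <user oid="placeholder-oid-1">
    <name>alice</name>
    <roleMembershipRef oid="placeholder-role-1" type="c:RoleType"/>
  </user>
  <user oid="placeholder-oid-2">
    <name>bob</name>
    <roleMembershipRef oid="placeholder-arch-1" type="c:ArchetypeType"/>
  </user>
  <user oid="placeholder-oid-3">
    <name>carol</name>
  </user>
  <user oid="placeholder-oid-4">
    <name>dave</name>
    <roleMembershipRef oid="placeholder-role-1" type="c:RoleType"/>
    <roleMembershipRef oid="placeholder-org-1" type="c:OrgType"/>
  </user>
</objects>
"""

def membership_types(user):
    """Local names of the target types of a user's roleMembershipRef values."""
    return [ref.get("type", "").split(":")[-1]
            for ref in user.findall(f"{{{C}}}roleMembershipRef")]

def no_role_membership(types):
    # Literal reading of: roleMembershipRef not matches (targetType = RoleType)
    return not any(t == "RoleType" for t in types)

def no_non_role_membership(types):
    # Literal reading of: roleMembershipRef not matches (type not = RoleType)
    return not any(t != "RoleType" for t in types)

def select(xml_text, predicate):
    """Names of the users whose membership types satisfy the predicate."""
    root = ET.fromstring(xml_text)
    return [u.findtext(f"{{{C}}}name") for u in root.findall(f"{{{C}}}user")
            if predicate(membership_types(u))]

if __name__ == "__main__":
    print("no role membership:    ", select(SAMPLE, no_role_membership))
    print("no non-role membership:", select(SAMPLE, no_non_role_membership))
```

Under this reading the two expressions agree only for a user with no memberships at all; a user whose only membership is an archetype or org is selected by the first and missed by the second.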
On Tuesday, 23 January 2024 at 21:43, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:
> Send midPoint mailing list submissions to
> midpoint at lists.evolveum.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.evolveum.com/mailman/listinfo/midpoint
> or, via email, send a message with subject or body 'help' to
> midpoint-request at lists.evolveum.com
>
> You can reach the person managing the list at
> midpoint-owner at lists.evolveum.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of midPoint digest..."
>
>
> Today's Topics:
>
> 1. LiveSync stopped working after upgrading to smart
> correlation/sync (Markus Calmius)
> 2. Re: Correlation v 4.8 (Markus Calmius)
> 3. Re: LiveSync stopped working after upgrading to smart
> correlation/sync (Markus Calmius)
> 4. Re: Script Query to Discover all Users with no roles -
> midPoint Digest, Vol 141, Issue 24 (Lagger, Scott)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 23 Jan 2024 11:15:42 +0000
> From: Markus Calmius markus.calmius at proton.ch
>
> To: midPoint General Discussion midpoint at lists.evolveum.com
>
> Subject: [midPoint] LiveSync stopped working after upgrading to smart
> correlation/sync
> Message-ID:
> pbG_AcBmbYfi53-O5LhEf4Km2GTF8CmDjlj-0QuSMBq-Vzv-0xHVC6arFhE_MAa6opioSrFf2X6m4Rx5Lgw8MoqUpfFCJB6B7LeuOoJ-Dm0=@proton.ch
>
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> One thing that I haven't been able to figure out when it comes to the new way of doing correlation and synchronizations is how to get the livesync to work.
>
> I have an object template that assigns an archetype to a user depending on the lifecycleState. It is mainly used to differentiate (visually) the users.
> A livesync task is running and updating the users; if there is a change to the lifecycleState it would assign the correct archetype.
> It works fine when using the old/deprecated way of configuring correlation and synchronization.
>
> Earlier you had the synchronization-tag after the object-types and one part of it was:
>
> <synchronization>
>   <objectSynchronization>
>     <enabled>true</enabled>
>     <correlation>
>     .....
>     <reaction>
>       <situation>linked</situation>
>       <synchronize>true</synchronize>
>     </reaction>
>
>
> Now, after the update I add this:
>
> <synchronization>
>   <reaction>
>     <name>Link User</name>
>     <situation>unlinked</situation>
>     <actions>
>       <link>
>         <synchronize>true</synchronize>
>         <reconcile>true</reconcile>
>       </link>
>     </actions>
>   </reaction>
>   .....
>   <reaction>
>     <situation>linked</situation>
>     <actions>
>       <synchronize/>
>     </actions>
>   </reaction>
>
>
> But live sync does not work.
> All imports and linking seem to work and if I add a reconciliation task, that works.
>
> Any ideas what I'm missing here?
>
> I guess I can change the LiveSync-task to just use a reconciliation-task, but livesync is a lot faster...
>
> Thanks
>
> Markus
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 23 Jan 2024 11:18:39 +0000
> From: Markus Calmius markus.calmius at proton.ch
>
> To: midpoint at lists.evolveum.com
> Subject: Re: [midPoint] Correlation v 4.8
> Message-ID:
> yQwPJyX_6Kz_6ZCQ0xUuePYImpwtjSl5GxKddaoGNTvRaqtwYXCxDtOBwo7SBOBL9UpIwB1ImZ9iOUkxZrDlP-KMZR_NeiBu5jtkHossdOc=@proton.ch
>
>
> Content-Type: text/plain; charset=utf-8
>
>
> I answered directly that the <correlation> -section should be removed when using the attribute-based <correlator/>-tag.
>
>
> That seemed to have resolved the issue.
>
> Markus
>
> On Tuesday, 23 January 2024 at 12:00, midpoint-request at lists.evolveum.com midpoint-request at lists.evolveum.com wrote:
>
> >
> > Today's Topics:
> >
> > 1. Re: Correlation v 4.8 (Michal Sakac)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 23 Jan 2024 10:14:46 +0100
> > From: Michal Sakac seky at civ.zcu.cz
> >
> > To: midPoint General Discussion midpoint at lists.evolveum.com
> >
> > Cc: markus.calmius at proton.ch
> > Subject: Re: [midPoint] Correlation v 4.8
> > Message-ID: 10AC3209-AFA8-443B-8F71-DBA9F602ADCD at civ.zcu.cz
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi, thank you, but now I get an error with a conflict
> >
> > Too many iterations (100) for focus(user:null(GOL)): cannot determine values that satisfy constraints: Found conflicting existing object with property name = PP({.../common/common-3}name):[PPV(PolyString:GOL)]: user:(GOL)
> > My configuration is
> >
> > <schemaHandling>
> >   <objectType id="4">
> >     <kind>account</kind>
> >     <intent>default</intent>
> >     <displayName>Account_hadnling</displayName>
> >     <default>true</default>
> >     <defaultForKind>true</defaultForKind>
> >     <defaultForObjectClass>true</defaultForObjectClass>
> >     <objectClass>ri:AccountObjectClass</objectClass>
> >     <delineation>
> >       <objectClass>ri:AccountObjectClass</objectClass>
> >     </delineation>
> >     <focus>
> >       <type>c:UserType</type>
> >     </focus>
> >     <attribute id="6">
> >       <ref>ri:kodpra</ref>
> >       <correlator/>
> >       <inbound id="7">
> >         <name>KOD_PRA</name>
> >         <authoritative>true</authoritative>
> >         <strength>strong</strength>
> >         <target>
> >           <path>$focus/name</path>
> >         </target>
> >         <use>all</use>
> >       </inbound>
> >     </attribute>
> >     <correlation>
> >       <correlators>
> >         <items id="45">
> >           <name>name corelation</name>
> >           <enabled>true</enabled>
> >           <item id="46">
> >             <ref>name</ref>
> >           </item>
> >         </items>
> >       </correlators>
> >     </correlation>
> >     <synchronization>
> >       <reaction id="10">
> >         <name>Create Identity</name>
> >         <situation>unmatched</situation>
> >         <actions>
> >           <addFocus id="36"/>
> >         </actions>
> >       </reaction>
> >       <reaction id="13">
> >         <name>Link Identity</name>
> >         <situation>unlinked</situation>
> >         <actions>
> >           <link id="14"/>
> >         </actions>
> >       </reaction>
> >     </synchronization>
> >   </objectType>
> > </schemaHandling>
> >
> > But this identity is in state UNMATCHED.
> >
> > Can you look at this configuration and if you found some wrong configuration tell me pls what is wrong?
> >
> > THX
> >
> > --
> >
> > Michal Sakáč
> >
> > > 23. 1. 2024 v 9:49, Markus Calmius via midPoint midpoint at lists.evolveum.com:
> > >
> > > <correlator/>
> >
> >
> > ------------------------------
> >
> > Subject: Digest Footer
> >
> > _______________________________________________
> > midPoint mailing list
> > midPoint at lists.evolveum.com
> > https://lists.evolveum.com/mailman/listinfo/midpoint
> >
> > ------------------------------
> >
> > End of midPoint Digest, Vol 141, Issue 27
> > *****************************************
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 23 Jan 2024 13:09:22 +0000
> From: Markus Calmius markus.calmius at proton.ch
>
> To: midPoint General Discussion midpoint at lists.evolveum.com
>
> Subject: Re: [midPoint] LiveSync stopped working after upgrading to
> smart correlation/sync
> Message-ID:
> 8kUyLA94HhUnE2uA-dAuJCYISv0rO9yx2vvg-0rWPmV6KxWloz0Yc8LoPZf2gx40T2IBPRgeAz24UQQfSmL8SJnwVN2TaZqoV3SmP5aDtW8=@proton.ch
>
>
> Content-Type: text/plain; charset="utf-8"
>
> Ignore my last message, it now looks like it's working...
>
> Markus
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 23 Jan 2024 20:43:05 +0000
> From: "Lagger, Scott" slagger at uic.edu
>
> To: "midpoint at lists.evolveum.com" midpoint at lists.evolveum.com
>
> Subject: Re: [midPoint] Script Query to Discover all Users with no
> roles - midPoint Digest, Vol 141, Issue 24
> Message-ID:
> DM6PR13MB25053B5445E04B1F0144279EB6742 at DM6PR13MB2505.namprd13.prod.outlook.com
>
>
> Content-Type: text/plain; charset="us-ascii"
>
> Any takers on my question; anyone?
>
>
> -----Original Message-----
> From: midPoint midpoint-bounces at lists.evolveum.com On Behalf Of midpoint-request at lists.evolveum.com
>
> Sent: Saturday, January 20, 2024 5:00 AM
> To: midpoint at lists.evolveum.com
> Subject: midPoint Digest, Vol 141, Issue 24
>
>
> Today's Topics:
>
> 1. Script Query to Discover all Users with no roles (Lagger, Scott)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 20 Jan 2024 00:32:30 +0000
> From: "Lagger, Scott" slagger at uic.edu
>
> To: "midpoint at lists.evolveum.com" midpoint at lists.evolveum.com
>
> Subject: [midPoint] Script Query to Discover all Users with no roles
> Message-ID:
> DM6PR13MB25051CBA41D92312209DF37DB6772 at DM6PR13MB2505.namprd13.prod.outlook.com
>
>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> I have searched online for weeks and in the list emails that I have received, and I can't find the answer. I'm sure this is an easy one for the pros out there.
>
> I started learning MidPoint (4.1) in my new role since July. I have learned a lot, but I have a long way to go. This is XML query language before MidPoint Query Language.
>
> I need a query to discover all users in the system that have no roles.
>
> Once I learn the scope of the users, then I will need an action to set the validTo date on their record to a past date.
>
> Can anyone assist?
>
> Thanks,
>
>
>
> Scott A Lagger, MS Cybersecurity, HCISPP, ITILv4 Associate Director, Identity and Access Management
>
> Technology Solutions
> University of Illinois Chicago
>
> E: slagger at uic.edu
>
> P: 312-413-3128
> 728 W Roosevelt St, RRB 2nd Floor, Chicago, IL 60607
>
> https://it.uic.edu/
>
> Visit the UIC Help Center at help.uic.edu (http://help.uic.edu/) to find IT Services, Answers, and Support!
>
>
>
>
> ------------------------------
>
> End of midPoint Digest, Vol 141, Issue 24
> *****************************************
>
>
> ------------------------------
>
> End of midPoint Digest, Vol 141, Issue 28
> *****************************************