[midPoint] Delete attribute from user account using "executeScript" in a "Policy Action"

Jean Michel jean.michel at ebz.tec.br
Wed Jul 10 19:04:11 CEST 2024


Hello community,

I am trying to create a Policy Rule that triggers a Policy Action to 
delete a resource account attribute when the user's "title" changes.

In the documentation and samples I've found some examples using 
"executeScript", but I still haven't been able to implement it in my 
case. I am struggling to determine the filter to find the account whose 
owner is the current user who had the "title" attribute changed.

This is my Policy Rule that I'm using for this case:

<policyRule>
    <name>Rule: User's title change</name>
    <policyConstraints>
        <modification id="2">
            <operation>modify</operation>
            <item>c:title</item>
        </modification>
    </policyConstraints>
    <policyActions>
        <scriptExecution id="4">
            <name>Script: delete attribute for his account on Resource Acme</name>
            <object>
                <currentObject>
                    <type>c:UserType</type>
                </currentObject>
            </object>
            <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                <s:search>
                    <s:type>ShadowType</s:type>
                    <s:searchFilter>
                        <q:text>
                            resourceRef matches (oid = '<resource OID>' and type = ResourceType) and
                            objectClass = ri:AccountObjectClass and attributes/icfs:name = '<user name>'
                        </q:text>
                    </s:searchFilter>
                    <s:action>
                        <s:modify>
                            <s:delta>
                                <t:changeType>modify</t:changeType>
                                <t:itemDelta>
                                    <t:modificationType>delete</t:modificationType>
                                    <t:path>attributes/acmeAccountAttribute</t:path>
                                </t:itemDelta>
                            </s:delta>
                        </s:modify>
                    </s:action>
                </s:search>
            </executeScript>
        </scriptExecution>
    </policyActions>
</policyRule>

In "searchFilter", I need to search for the user account using his 
"Name" and then execute the action to delete the attribute on the 
account, but I don't know how to put the "Name" from the current object 
that triggered the Policy Rule there in the filter.

I hope that the community would help me to find the solution or provide 
a better approach for this case.

Thanks in advance.

Best Regards

-- 
Jean Michel S. A. dos Santos
+55 (51) 995-389-843 / +55 (51) 4042-8153
https://www.ebz.tec.br/
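A scriptExecution policy action runs a search-and-modify with the model's own privileges, so it is worth linting such a rule before it goes live: the search must be pinned to one resource and one account, and the delta must only delete the attribute it is meant to delete. The following is an added example, not code from the post above or from the midPoint project. It parses a rule of the shape posted (with a constructed placeholder resource OID and user name in place of the author's `<resource OID>` / `<user name>`) and reports any action whose scope is wider than an allow-list of attribute paths. It assumes the prism `query-3` and `types-3` namespace URIs and that `executeScript` sits in no default namespace, as in the sample.

```python
"""Lint an executeScript search/modify policy action for scope (added example)."""
import xml.etree.ElementTree as ET

# Namespaces used by the scripting language and the prism query/types schemas.
NS = {
    "s": "http://midpoint.evolveum.com/xml/ns/public/model/scripting-3",
    "q": "http://prism.evolveum.com/xml/ns/public/query-3",
    "t": "http://prism.evolveum.com/xml/ns/public/types-3",
}

# Constructed sample mirroring the posted rule. The OID and the account name
# are placeholders chosen for this example, not values from the post.
SAMPLE_RULE = """<policyRule xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
            xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
            xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3">
  <name>Rule: User's title change</name>
  <policyConstraints>
    <modification id="2">
      <operation>modify</operation>
      <item>c:title</item>
    </modification>
  </policyConstraints>
  <policyActions>
    <scriptExecution id="4">
      <name>Script: delete attribute for his account on Resource Acme</name>
      <executeScript>
        <s:search>
          <s:type>ShadowType</s:type>
          <s:searchFilter>
            <q:text>
              resourceRef matches (oid = '00000000-0000-0000-0000-0000000acme1' and type = ResourceType) and
              objectClass = ri:AccountObjectClass and attributes/icfs:name = 'jdoe'
            </q:text>
          </s:searchFilter>
          <s:action>
            <s:modify>
              <s:delta>
                <t:changeType>modify</t:changeType>
                <t:itemDelta>
                  <t:modificationType>delete</t:modificationType>
                  <t:path>attributes/acmeAccountAttribute</t:path>
                </t:itemDelta>
              </s:delta>
            </s:modify>
          </s:action>
        </s:search>
      </executeScript>
    </scriptExecution>
  </policyActions>
</policyRule>"""


def extract_actions(xml_text):
    """Return one dict per s:search inside any executeScript element:
    the searched object type, the normalised filter text and its item deltas."""
    root = ET.fromstring(xml_text)
    actions = []
    for exec_el in root.iter("executeScript"):  # assumes no default namespace
        for search in exec_el.findall("s:search", NS):
            obj_type = search.findtext("s:type", default="", namespaces=NS).strip()
            raw = search.findtext("s:searchFilter/q:text", default="", namespaces=NS)
            filter_text = " ".join(raw.split())  # collapse line breaks/indentation
            deltas = []
            for delta in search.findall("s:action/s:modify/s:delta", NS):
                change = delta.findtext("t:changeType", default="", namespaces=NS).strip()
                for item in delta.findall("t:itemDelta", NS):
                    deltas.append({
                        "changeType": change,
                        "modificationType": item.findtext("t:modificationType", default="", namespaces=NS).strip(),
                        "path": item.findtext("t:path", default="", namespaces=NS).strip(),
                    })
            actions.append({"type": obj_type, "filter": filter_text, "itemDeltas": deltas})
    return actions


def lint_action(action, allowed_paths):
    """Return a list of findings; an empty list means the action is in scope."""
    findings = []
    if action["type"] != "ShadowType":
        findings.append(f"search type is {action['type']!r}, expected ShadowType")
    f = action["filter"]
    if "resourceRef" not in f:
        findings.append("filter does not pin the resource (no resourceRef clause)")
    if "attributes/icfs:name" not in f and "attributes/icfs:uid" not in f:
        findings.append("filter does not select a single account (no icfs:name/icfs:uid clause)")
    if not action["itemDeltas"]:
        findings.append("no itemDelta: the action would modify nothing")
    for d in action["itemDeltas"]:
        if d["changeType"] != "modify":
            findings.append(f"changeType {d['changeType']!r} is not 'modify'")
        if d["modificationType"] != "delete":
            findings.append(f"{d['path']}: modificationType {d['modificationType']!r} is not 'delete'")
        if d["path"] not in allowed_paths:
            findings.append(f"{d['path']}: path not in the allow-list")
    return findings


if __name__ == "__main__":
    for act in extract_actions(SAMPLE_RULE):
        print(act["filter"])
        print(lint_action(act, {"attributes/acmeAccountAttribute"}) or "OK: action is within scope")
```

Run it against the real rule after replacing the placeholders; a non-empty findings list means the action either does not pin a single account on a single resource or touches an attribute path that was not reviewed.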
