[midPoint] Entitlements and Object Templates

Hilmar Kistemaker hilmar.kistemaker at mollie.com
Wed May 1 18:38:59 CEST 2024


Hi,

I'm encountering an issue with entitlements and object templates in
midPoint and could use some assistance in resolving it.

The condition in the object template checks the Team attribute on the
user's midPoint profile. If the condition is true, the expression searches
for an organization object that matches the display name and assigns the
correct organization object to the user. The organization object contains 2
inducements: 1 Google Group and 1 Okta group. The user does get added to
the groups in the systems when the Object Template assigns the organization
object to the user.

The problem arises during unassignment. When a user moves teams, the
organization object gets unassigned, and the new organization object gets
assigned. However, the user is not removed from the old team Google/Okta
group.

If I manually unassign an organization object, the user does get removed
from the Google/Okta groups.

This is the object template mapping I use:

<mapping>
    <name>Team</name>
    <source>
        <path xmlns:gen849="urlRedacted/xml/ns/extension">c:extension/gen849:team</path>
    </source>
    <source>
        <path xmlns:gen569="urlRedacted/xml/ns/extension">c:extension/gen569:domain</path>
    </source>
    <expression>
        <script>
            <code>
  import com.evolveum.midpoint.xml.ns._public.common.common_3.*
  import com.evolveum.midpoint.prism.query.ObjectFilter

  teamName = team
  orgName = domain

  if (orgName != null) {
    // Look up the domain org by its display name.
    ObjectFilter domainFilter = prismContext.queryFor(OrgType.class)
        .item(OrgType.F_DISPLAY_NAME).eq(orgName)
        .buildFilter()

    fetchedOrgs = midpoint.searchObjects(OrgType.class,
        prismContext.queryFactory().createQuery(domainFilter))

    // Groovy returns null for an out-of-range list index, so this is safe on an empty result.
    if (fetchedOrgs[0] != null) {
      assignmentTargetOid = fetchedOrgs[0].getOid()

      // Look up the team org that is assigned to (sits under) the domain org.
      ObjectFilter teamFilter = prismContext.queryFor(OrgType.class)
          .item(OrgType.F_DISPLAY_NAME).eq(teamName)
          .and()
          .item(OrgType.F_ASSIGNMENT, AssignmentType.F_TARGET_REF).ref(assignmentTargetOid)
          .buildFilter()

      fetchedTeams = midpoint.searchObjects(OrgType.class,
          prismContext.queryFactory().createQuery(teamFilter))

      if (fetchedTeams[0] != null) {
        // Build the assignment that targets the team org; its inducements
        // (Google group, Okta group) are then applied to the user.
        roleOrt = new ObjectReferenceType()
        roleOrt.setOid(fetchedTeams[0].getOid())
        roleOrt.setType(OrgType.COMPLEX_TYPE)

        AssignmentType assignment = new AssignmentType()
        assignment.setTargetRef(roleOrt)

        return assignment
      } else {
        log.warn("No Team orgs found!")
      }
    } else {
      log.warn("No Domain org found for {}", orgName)
    }
  } else {
    log.warn("No Domain set on user profile. Skipping Team assignment.")
  }
  // No assignment produced on any of the fall-through paths.
  return null
            </code>
        </script>
    </expression>
    <target>
        <path>c:assignment</path>
    </target>
    <condition>
        <script>
            <code>
  fetchedTeam = team
  if (fetchedTeam != null) {
    log.warn("Team not empty, try to assign OU in MP")
    return true
  } else {
    log.warn("User has no team assigned!")
    return false
  }
            </code>
        </script>
    </condition>
    <enabled>true</enabled>
</mapping>

Thanks,
Hilmar
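The following is an added model, not midPoint's code and not part of the post above, of how a midPoint object-template mapping like the Team mapping is evaluated relatively: the mapping (condition plus expression) is run once against the user's old extension values and once against the new ones, and the difference between the two outputs becomes the assignment delta (old-only values in the minus set, new-only values in the plus set, shared values in the zero set). That is the assignment half of the pipeline the post describes; it lets you check, on paper, which org midPoint should unassign and which it should assign when the team attribute changes, including the edge cases where the domain is missing (expression returns null) or the team is cleared (condition flips to false). The org names and OIDs are constructed stand-ins for the real OrgType objects that searchObjects() would return; mapping strength and range are not modelled, and neither is the projection side, so whether the resulting unassignment actually removes the Google/Okta group membership is outside this model.

```python
"""Model of relative evaluation for the Team object-template mapping.

Added example, not midPoint code. It mimics the posted mapping's condition
and expression in plain Python and derives the assignment delta the way
midPoint's mapping relativity does (new output minus old output).
"""
from typing import Optional

# Constructed stand-in for the OrgType repository searched by the mapping.
# Display names and OIDs are made up for this example; "assignments" holds
# the targetRef OIDs of the org's own assignments (team org -> domain org).
ORGS = [
    {"oid": "org-domain-example", "displayName": "example.com", "assignments": []},
    {"oid": "org-team-payments", "displayName": "Payments", "assignments": ["org-domain-example"]},
    {"oid": "org-team-risk", "displayName": "Risk", "assignments": ["org-domain-example"]},
]


def search_orgs(display_name: Optional[str], parent_oid: Optional[str] = None) -> list:
    """Mimics the two filters in the posted script: displayName match,
    optionally restricted to orgs assigned to parent_oid."""
    return [
        o for o in ORGS
        if o["displayName"] == display_name
        and (parent_oid is None or parent_oid in o["assignments"])
    ]


def condition(team: Optional[str]) -> bool:
    """The mapping's <condition>: true only when the user has a team."""
    return team is not None


def expression(team: Optional[str], domain: Optional[str]) -> Optional[str]:
    """The mapping's <expression>: OID of the team org to assign, or None
    when the domain is unset or either lookup finds nothing."""
    if domain is None:
        return None
    domain_orgs = search_orgs(domain)
    if not domain_orgs:
        return None
    team_orgs = search_orgs(team, parent_oid=domain_orgs[0]["oid"])
    if not team_orgs:
        return None
    return team_orgs[0]["oid"]


def evaluate(team: Optional[str], domain: Optional[str]) -> set:
    """Output value set of the mapping for one state of the sources.
    A false condition or a null expression result yields no values."""
    if not condition(team):
        return set()
    target = expression(team, domain)
    return {target} if target is not None else set()


def assignment_delta(old_ext: dict, new_ext: dict) -> dict:
    """Relative evaluation (assumed to follow midPoint's documented
    plus/minus/zero semantics): values produced only by the old state are
    unassigned, values produced only by the new state are assigned."""
    old = evaluate(old_ext.get("team"), old_ext.get("domain"))
    new = evaluate(new_ext.get("team"), new_ext.get("domain"))
    return {
        "plus": sorted(new - old),
        "minus": sorted(old - new),
        "zero": sorted(old & new),
    }


if __name__ == "__main__":
    # A user moving from the Payments team to the Risk team.
    print(assignment_delta(
        {"team": "Payments", "domain": "example.com"},
        {"team": "Risk", "domain": "example.com"},
    ))
```

Running it for a Payments-to-Risk move prints the old team org in `minus` and the new one in `plus`, which is the delta that should drive the unassignment described in the post; a cleared team yields only a `minus` entry, and a user with no domain yields an empty delta in both states.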