[midPoint] automatically unassign all roles on disable

Markus Calmius markus.calmius at proton.ch
Thu Oct 31 12:16:06 CET 2024


Hi,

I re-visited this almost a year later.
The initial suggestion from Patrik was a much nicer solution.

Although it is not quite the same setup, once the "employee-role" is unassigned it cleans things up nicely.

Thanks again Patrik!

Markus Calmius
Proton AG


On Monday, 16 October 2023 at 08:12, midpoint-request at lists.evolveum.com <midpoint-request at lists.evolveum.com> wrote:

> Message: 1
> Date: Mon, 16 Oct 2023 06:12:09 +0000
> From: Markus Calmius markus.calmius at proton.ch
> To: Patrik Sidler patrik.sidler at itconcepts.ch
> Cc: midPoint General Discussion midpoint at lists.evolveum.com
> Subject: Re: [midPoint] automatically unassign all roles on disable
> Message-ID: YAM1jjz61RNQrRSm_EYaL7NEdii31n0soNPLthzEYlOtZi-u4sRBWpSxJBMOKG2E3PsD7cLKBuCPeVyT_Z6nRN_MeEHEkKes97HL9uorVs8=@proton.ch
> Content-Type: text/plain; charset="utf-8"
> 
> Hi,
> 
> thanks again Patrik. Your example gave me enough clues to be able to successfully implement the "hook".
> 
> Had a lot of debug-lines to figure out what was going on. And, well... the hook is definitely called a lot, so I think I'll take another look at the role-solution you included.
> 
> Anyway, this is what I ended up with and seems to be working fine:
> 
> <hook>
>     <name>Remove assignments from disabled users</name>
>     <state>final</state>
>     <focusType>c:UserType</focusType>
>     <script>
>         <code>
> import com.evolveum.midpoint.xml.ns._public.common.common_3.*
> import com.evolveum.midpoint.prism.delta.builder.*
>
> UserType user = (UserType) focus
> // effective status (computed from administrative status and validity), read null-safely
> ActivationStatusType effectiveStatus = user.activation?.effectiveStatus
> if (effectiveStatus == ActivationStatusType.DISABLED) {
>     def assignmentsToDelete = []
>     for (AssignmentType assign : user.getAssignment()) {
>         // only role assignments; assignments without targetRef (e.g. direct constructions) are skipped
>         if (RoleType.COMPLEX_TYPE.equals(assign.targetRef?.type)) {
>             AssignmentType removeAssignment = new AssignmentType()
>             removeAssignment.id = assign.id   // deleting by container id is sufficient
>             assignmentsToDelete.add(removeAssignment.asPrismContainerValue())
>         }
>     }
>     if (!assignmentsToDelete.empty) {
>         log.info("Assignments to delete because user is no longer ENABLED: " + assignmentsToDelete)
>         def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
>         midpoint.modifyObject(delta)   // starts another clockwork run, in which this hook fires again
>     }
> }
>         </code>
>     </script>
> </hook>
> 
> 
> 
> Markus Calmius
> Proton AG
> 
> 
> 
> ------- Original Message -------
> On Thursday, October 12th, 2023 at 14:48, Patrik Sidler patrik.sidler at itconcepts.ch wrote:
> 
> > Hi Markus,
> > 
> > In our environment, every user is either internal, external or disabled. We have created a role for every type of user.
> > 
> > The role for internal and external employees induces the archetype and assigns a policy that removes all assigned roles if the user moves from internal/external to disabled.
> > 
> > Here is the Role we assign to Internal Employees:
> > 
> > <role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >       xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
> >       xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
> >       xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
> >       xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
> >       xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
> >       xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
> >       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >     <name>Role for Internal Employee</name>
> >     <description>This role is assigned to all enabled internal Employees</description>
> >     <displayName>Role Internal Employee</displayName>
> >     <indestructible>true</indestructible>
> >     <requestable>false</requestable>
> >     <inducement id="3">
> >         <!-- assign Archetype for Internal Employee -->
> >         <targetRef oid="333c8ef8-f58a-4550-8a31-b68e3a4c320a" relation="org:default" type="c:RoleType"/>
> >     </inducement>
> >     <assignment>
> >         <policyRule>
> >             <name>This assignment is to remove all assignments except "Archetype Disabled Employee" and "Role Disabled Employee"</name>
> >             <policyConstraints>
> >                 <!-- triggers when the assignment of this role is deleted from the user -->
> >                 <assignment>
> >                     <operation>delete</operation>
> >                 </assignment>
> >             </policyConstraints>
> >             <policyActions>
> >                 <scriptExecution>
> >                     <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
> >                         <s:pipeline list="true">
> >                             <s:action>
> >                                 <s:type>execute-script</s:type>
> >                                 <s:parameter>
> >                                     <s:name>script</s:name>
> >                                     <c:value xsi:type="c:ScriptExpressionEvaluatorType">
> >                                         <c:code><![CDATA[
> > import com.evolveum.midpoint.xml.ns._public.common.common_3.*
> > import com.evolveum.midpoint.prism.delta.builder.*
> >
> > log.info("Check if Assignments to delete because user is no longer an Internal Employee")
> >
> > def assignmentsToDelete = []
> > // input is the user whose "Role for Internal Employee" assignment is being deleted
> > user = midpoint.getObject(UserType.class, input.oid)
> > for (a in user.assignment) {
> >     // keep only "Role Disabled Employee" and "Archetype Disabled Employee";
> >     // both comparisons must hold (&&): with || the condition is true for every assignment
> >     if (a.targetRef?.oid != "b72686bd-dcbd-4e9a-a5bb-15988b6a9a26" &&
> >         a.targetRef?.oid != "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1") {
> >         def removeAssignment = new AssignmentType()
> >         removeAssignment.id = a.id
> >         assignmentsToDelete.add(removeAssignment.asPrismContainerValue())
> >     }
> > }
> > if (!assignmentsToDelete.empty) {
> >     log.info("Assignments to delete because user is no longer InternalEmployee: " + assignmentsToDelete)
> >     def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
> >     midpoint.modifyObject(delta)
> > }
> >                                         ]]></c:code>
> >                                     </c:value>
> >                                 </s:parameter>
> >                             </s:action>
> >                         </s:pipeline>
> >                     </executeScript>
> >                 </scriptExecution>
> >             </policyActions>
> >         </policyRule>
> >         <activation>
> >             <effectiveStatus>enabled</effectiveStatus>
> >         </activation>
> >     </assignment>
> > </role>
> > 
> > Maybe this code will help to solve your problem.
> > 
> > Best Regards
> > 
> > Patrik
> > 
> > From: midPoint midpoint-bounces at lists.evolveum.com on behalf of Markus Calmius via midPoint
> > Sent: Thursday, 12 October 2023 11:59
> > To: midPoint General Discussion midpoint at lists.evolveum.com
> > Cc: Markus Calmius markus.calmius at proton.ch
> > Subject: [midPoint] automatically unassign all roles on disable
> > 
> > Hi,
> > 
> > I am trying to figure out how to make sure all roles are unassigned when a user is removed or disabled from HR.
> > 
> > I've found: https://docs.evolveum.com/midpoint/reference/concepts/clockwork/scripting-hooks/ which contains Example 1 that should do the trick.
> > 
> > Although, it doesn't quite work on 4.7.2 it seems, I get: "Expression error: Groovy Evaluation Failed: No such property: ContainerDelta for class: (new)_"
> > 
> > Two questions:
> > 
> > - is there an easier way?
> > - trying to figure out what is wrong is not super easy, it's been years since I actually coded. Any guidance is greatly appreciated. I assume the createModificationDelete has changed some input parameters
> > 
> > I'm testing the script in the query playground with one disabled user.
> > 
> > <expression>
> >     <script>
> >         <code>
> > import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
> > import com.evolveum.midpoint.prism.*;
> >
> > UserType user = (UserType) midpoint.searchObjectByName(UserType.class, '<redacted username>');
> > ActivationStatusType administrativeStatus = user.getActivation().getEffectiveStatus();
> > if (administrativeStatus == ActivationStatusType.DISABLED) {
> >     changed = false;
> >     for (AssignmentType assign : user.getAssignment()) {
> >         assignmentDelta = ContainerDelta.createModificationDelete(UserType.F_ASSIGNMENT, UserType.class, prismContext, assign.clone());
> >         modelContext.getFocusContext().swallowToSecondaryDelta(assignmentDelta);
> >         changed = true;
> >     }
> >     if (changed) {
> >         modelContext.rot(); // this makes Projector to recompute the model context
> >     }
> > }
> >         </code>
> >     </script>
> > </expression>
> > 
> > Thanks in Advance
> > 
> > Markus
> 

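To check the two selection rules discussed in this thread without a midPoint instance, here is an added Python model (an editor's example, not code from the posters or from midPoint). It mirrors the hook's rule ("delete every RoleType assignment when the user's effective status is DISABLED") and the policy rule's rule ("delete everything except the two disabled-employee OIDs"), and shows why the second predicate needs `&&` rather than `||`: with `||` the comparison holds for every assignment, so the two objects meant to survive are removed as well. The two keep OIDs are the ones quoted in the policy rule; all other OIDs, the sample assignments and the `Assignment` class are constructed stand-ins for AssignmentType and its targetRef.

```python
"""Stand-alone model of the two assignment-cleanup predicates from the thread.

Added example, not midPoint code and not the posters' code: it reproduces the
selection logic of the two posted Groovy scripts over plain Python objects so
the predicates can be unit-tested offline. The two keep-OIDs are quoted from
the policy rule; every other OID and all assignments are constructed data.
"""
from dataclasses import dataclass
from typing import List, Optional

ROLE_TYPE = "RoleType"            # stands in for c:RoleType in targetRef/@type
ORG_TYPE = "OrgType"
ARCHETYPE_TYPE = "ArchetypeType"

# The two assignments the policy rule must leave in place
# ("Role Disabled Employee" and "Archetype Disabled Employee").
KEEP_ROLE_OID = "b72686bd-dcbd-4e9a-a5bb-15988b6a9a26"
KEEP_ARCHETYPE_OID = "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1"
KEEP_OIDS = {KEEP_ROLE_OID, KEEP_ARCHETYPE_OID}


@dataclass(frozen=True)
class Assignment:
    """Minimal stand-in for AssignmentType: container id plus targetRef oid/type.
    target_oid/target_type of None model an assignment without a targetRef
    (e.g. a direct construction), which a null-unsafe script trips over."""
    id: int
    target_oid: Optional[str] = None
    target_type: Optional[str] = None


def roles_to_delete_when_disabled(effective_status: str,
                                  assignments: List[Assignment]) -> List[int]:
    """Hook rule: if the user's effective status is DISABLED, select every
    assignment whose targetRef type is RoleType. Org assignments and
    assignments without a targetRef are left alone."""
    if effective_status != "DISABLED":
        return []
    return [a.id for a in assignments if a.target_type == ROLE_TYPE]


def assignments_to_delete_as_posted(assignments: List[Assignment]) -> List[int]:
    """Policy-rule predicate written with `||`: `oid != A || oid != B` is true
    for every value (nothing equals both A and B), so the keep-assignments
    are selected for deletion too."""
    return [a.id for a in assignments
            if a.target_oid != KEEP_ROLE_OID or a.target_oid != KEEP_ARCHETYPE_OID]


def assignments_to_delete_fixed(assignments: List[Assignment]) -> List[int]:
    """Corrected predicate (`&&`, i.e. "not in the keep set"): everything except
    the disabled-employee role and archetype goes, including assignments
    that have no targetRef at all."""
    return [a.id for a in assignments if a.target_oid not in KEEP_OIDS]


# Constructed sample user: one business role, one org, the two keep-assignments
# and one construction-only assignment without targetRef.
SAMPLE_ASSIGNMENTS = [
    Assignment(1, "11111111-1111-1111-1111-111111111111", ROLE_TYPE),
    Assignment(2, "22222222-2222-2222-2222-222222222222", ORG_TYPE),
    Assignment(3, KEEP_ROLE_OID, ROLE_TYPE),
    Assignment(4, KEEP_ARCHETYPE_OID, ARCHETYPE_TYPE),
    Assignment(5),  # construction only, no targetRef
]

if __name__ == "__main__":
    print("hook, DISABLED :", roles_to_delete_when_disabled("DISABLED", SAMPLE_ASSIGNMENTS))
    print("hook, ENABLED  :", roles_to_delete_when_disabled("ENABLED", SAMPLE_ASSIGNMENTS))
    print("rule as posted :", assignments_to_delete_as_posted(SAMPLE_ASSIGNMENTS))
    print("rule corrected :", assignments_to_delete_fixed(SAMPLE_ASSIGNMENTS))
```

Note that the hook rule also removes assignment 3 (the disabled-employee role is itself a RoleType), so the two approaches are not interchangeable: the hook keys on the user's status and type of target, the policy rule on an explicit allow-list of OIDs.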
