From mani.pasarla at h-kare.com  Mon May  5 05:59:54 2025
From: mani.pasarla at h-kare.com (Mani Pasarla)
Date: Mon, 5 May 2025 03:59:54 +0000
Subject: [midPoint] Midpoint - Entitlement Level Request Access
Message-ID: <PN3P287MB03214D5D7D51EA66746314DDB48D2@PN3P287MB0321.INDP287.PROD.OUTLOOK.COM>

Hi ,

Can you please help to confirm on the following questions?

Midpoint Version: 4.9.2
AD Connector Version: 3.9.1


  1.
Requesting at Entitlement level instead of the role - Is this approach recommended in MidPoint? Compared to other IGA solutions, which typically support entitlement-level access requests out of the box. Does MidPoint require additional configuration to achieve similar functionality?. Is there a way to enable entitlement-level access requests in MidPoint?
  2.
We've explored using Application Roles as an alternative to direct Entitlement Access Requests, where relevant entitlements are grouped under a role. Is this considered a recommended approach over requesting individual entitlements?
Additionally, we're facing an issue with our Active Directory application?we're unable to add entitlements to an Application Role. When attempting to add them as inducements, the option to select entitlements doesn't appear. Could you provide any references or suggestions to help resolve this?


Regards,

Manikanta


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20250505/38f00523/attachment.htm>

From dakle at evolveum.com  Mon May  5 15:21:29 2025
From: dakle at evolveum.com (David Klement)
Date: Mon, 5 May 2025 15:21:29 +0200 (CEST)
Subject: [midPoint] searching by date in a task
In-Reply-To: <CH0PR11MB55229E97B782BACCC7852B12D9832@CH0PR11MB5522.namprd11.prod.outlook.com>
References: <mailman.716.1742217320.871.midpoint@lists.evolveum.com>
 <CH0PR11MB552291A342185E4426912237D9832@CH0PR11MB5522.namprd11.prod.outlook.com>
 <CH0PR11MB55229E97B782BACCC7852B12D9832@CH0PR11MB5522.namprd11.prod.outlook.com>
Message-ID: <242825649.17113014.1746451289401.JavaMail.zimbra@evolveum.com>

Hi Steven,

regarding your question about log level - could the following possibly help?

- Logging Configuration : https://docs.evolveum.com/midpoint/reference/support-4.8/diag/logging/configuration/
- Understanding Logging: Loggers, Levels and Appenders : https://docs.evolveum.com/midpoint/guides/admin-gui-user-guide/#understanding-logging-loggers-levels-and-appenders

You could set log level for tasks indirectly by defining log level for task-related packages like this:

        <classLogger>
            <level>DEBUG</level>
            <appender>MIDPOINT_LOG</appender>
            <package>com.evolveum.midpoint.task.quartzimpl</package>
        </classLogger>

`quartzimpl` is the task package name as it appears in the code (e.g. in /repo/task-quartz-impl/src/main/java/com/evolveum/midpoint/task/quartzimpl/TaskBeans.java)
Hope it helps, I didn't directly test this, though - sorry for possible inaccuracies.

Best regards,

David Klement | Technical Writer
Evolveum, s. r. o.
dakle at evolveum.com | www.evolveum.com

----- Original Message -----
From: "midPoint General Discussion" <midpoint at lists.evolveum.com>
To: "midPoint General Discussion" <midpoint at lists.evolveum.com>
Cc: "Ashwill, Steven L" <sashwill at uillinois.edu>
Sent: Wednesday, April 30, 2025 3:47:40 PM
Subject: Re: [midPoint] searching by date in a task

I think I found a solution to my filter issue but I still am curious about the logging. This is what I ended up doing to filter: 
activation/validTo lessOrEqual `basic.addDuration(basic.currentDateTime(), "P21D")` 
and activation/validTo greaterOrEqual `basic.addDuration(basic.currentDateTime(), "P15D")` 
and extension/lastPasswordExpirationNotification less `basic.addDuration(basic.currentDateTime(), "-P21D")` 
_____________________________________________ 
From: Ashwill, Steven L 
Sent: Wednesday, April 30, 2025 7:39 AM 
To: midpoint at lists.evolveum.com 
Subject: searching by date in a task 
This task(below)I have running in 4.8.7 works, however I need to be able to change the dates in the search objects. I can't figure out how to put a scripting section in for the filter. Also, It creates a lot of logging in the task, is there a way to turn that off? 
<task xmlns=" [ http://midpoint.evolveum.com/xml/ns/public/common/common-3 | http://midpoint.evolveum.com/xml/ns/public/common/common-3 ] " xmlns:c=" [ http://midpoint.evolveum.com/xml/ns/public/common/common-3 | http://midpoint.evolveum.com/xml/ns/public/common/common-3 ] " xmlns:icfs=" [ http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3 | http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3 ] " xmlns:org=" [ http://midpoint.evolveum.com/xml/ns/public/common/org-3 | http://midpoint.evolveum.com/xml/ns/public/common/org-3 ] " xmlns:q=" [ http://prism.evolveum.com/xml/ns/public/query-3 | http://prism.evolveum.com/xml/ns/public/query-3 ] " xmlns:ri=" [ http://midpoint.evolveum.com/xml/ns/public/resource/instance-3 | http://midpoint.evolveum.com/xml/ns/public/resource/instance-3 ] " xmlns:t=" [ http://prism.evolveum.com/xml/ns/public/types-3 | http://prism.evolveum.com/xml/ns/public/types-3 ] " xmlns:xsi=" [ http://www.w3.org/2001/XMLSchema-instance | http://www.w3.org/2001/XMLSchema-instance ] " oid="c784c44a-e457-4b61-b261-524f140d20e0" version="729"> 
<name>Set PasswordResetNotification value</name> 
<assignment id="4"> 
<metadata> 
<requestTimestamp>2025-04-29T13:09:41.930-05:00</requestTimestamp> 
<requestorRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType"> 
<!-- administrator --> 
</requestorRef> 
<createTimestamp>2025-04-29T13:09:42.036-05:00</createTimestamp> 
<creatorRef oid="00000000-0000-0000-0000-000000000002" relation="org:default" type="c:UserType"> 
<!-- administrator --> 
</creatorRef> 
<createChannel> [ http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest%3C/createChannel | http://midpoint.evolveum.com/xml/ns/public/common/channels-3#rest</createChannel ] > 
</metadata> 
<targetRef oid="00000000-0000-0000-0000-000000000509" relation="org:default" type="c:ArchetypeType"> 
<!-- Iterative bulk action task --> 
</targetRef> 
<activation> 
<effectiveStatus>enabled</effectiveStatus> 
</activation> 
</assignment> 
<iteration>0</iteration> 
<iterationToken/> 
<archetypeRef oid="00000000-0000-0000-0000-000000000509" relation="org:default" type="c:ArchetypeType"> 
<!-- Iterative bulk action task --> 
</archetypeRef> 
<roleMembershipRef oid="00000000-0000-0000-0000-000000000509" relation="org:default" type="c:ArchetypeType"> 
<!-- Iterative bulk action task --> 
<_metadata> 
<storage> 
<createTimestamp>2025-04-29T13:03:51.267-05:00</createTimestamp> 
</storage> 
<provenance> 
<assignmentPath> 
<sourceRef oid="c784c44a-e457-4b61-b261-524f140d20e0" relation="org:default" type="c:TaskType"/> 
<segment> 
<segmentOrder>1</segmentOrder> 
<assignmentId>4</assignmentId> 
<targetRef oid="00000000-0000-0000-0000-000000000509" relation="org:default" type="c:ArchetypeType"/> 
<matchingOrder>true</matchingOrder> 
</segment> 
</assignmentPath> 
</provenance> 
</_metadata> 
</roleMembershipRef> 
<taskIdentifier>1745930885838-1939-1</taskIdentifier> 
<ownerRef oid="88044814-4124-4383-b119-b93a80bc9bb9" relation="org:default" type="c:UserType"> 
<!-- sashwill --> 
</ownerRef> 
<binding>loose</binding> 
<threadStopAction>reschedule</threadStopAction> 
<activity> 
<work> 
<iterativeScripting> 
<objects> 
<type>UserType</type> 
<query> 
<q:filter> 
<q:text>activation/validTo greaterOrEqual "2025-05-14" and activation/validTo less "2025-05-20" and extension/lastPasswordExpirationNotification less "2025-04-08" </q:text> 
</q:filter> 
</query> 
</objects> 
<scriptExecutionRequest xmlns:s=" [ http://midpoint.evolveum.com/xml/ns/public/model/scripting-3 | http://midpoint.evolveum.com/xml/ns/public/model/scripting-3 ] "> 
<s:action> 
<s:type>execute-script</s:type> 
<s:parameter> 
<s:name>script</s:name> 
<s:value xsi:type="c:ScriptExpressionEvaluatorType"> 
<code> 
import com.evolveum.midpoint.xml.ns._public.common.common_3.* 
import javax.xml.datatype.DatatypeFactory; 
import javax.xml.namespace.QName; 
import javax.xml.datatype.XMLGregorianCalendar; 
XMLGregorianCalendar xmldate = basic.currentDateTime() as XMLGregorianCalendar; 
def deltas = midpoint.deltaFor(UserType.class) 
.item(UserType.F_EXTENSION, new QName(" [ http://illinois.edu/application | http://illinois.edu/application ] ", "lastPasswordExpirationNotification")) 
.replace(xmldate) 
.item(UserType.F_EXTENSION, new QName(" [ http://illinois.edu/application | http://illinois.edu/application ] ", "sendPasswordResetNotification")) 
.replace(true) 
.asObjectDeltas(input.oid) 
midpoint.executeChanges(deltas, null) 
</code> 
</s:value> 
</s:parameter> 
</s:action> 
</scriptExecutionRequest> 
</iterativeScripting> 
</work> 
</activity> 
<affectedObjects> 
<activity id="1"> 
<activityType>c:iterativeScripting</activityType> 
<objects> 
<type>c:UserType</type> 
</objects> 
<executionMode>full</executionMode> 
<predefinedConfigurationToUse>production</predefinedConfigurationToUse> 
</activity> 
</affectedObjects> 
</task> 
STEVEN L ASHWILL 
Software Engineer Coordinator 
Administrative Information Technology Services 
University of Illinois at Urbana-Champaign 
50 Gerty Drive | M/C 673 
Champaign, IL 61820 
217.265.6337 | [ mailto:sashwill at uillinois.edu | sashwill at uillinois.edu ] 
[ http://www.aits.uillinois.edu/ | www.aits.uillinois.edu ] 
Under the Illinois Freedom of Information Act any written communication to or from university employees regarding university business is a public record and may be subject to public disclosure. 

_______________________________________________
midPoint mailing list
midPoint at lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint