[midPoint] Autounassign not applied
Joachim Kruth
jkruth at aip.de
Tue Oct 7 13:00:23 CEST 2025
Hello
We are currently facing a problem with the role autoassign feature.
We have been trying to find a solution for a while now, but to no avail.
We hope someone has already solved this or can spot the mistake in our
current implementation.
Problem:
We want to automatically assign a role to users if and only if they
have an account on a certain resource and the user is activated.
Situation:
Autoassign feature is enabled in midpoint.
When an account of that resource gets linked to an active user,
the role is automatically assigned.
When the user gets deactivated, the role is automatically unassigned.
However, if the account gets unlinked, the role is not unassigned.
Deactivating the user after unlinking does not unassign the role either.
Expected behavior:
When unlinking the account from the user, the role should be unassigned.
Current implementation:
The "focus" tag of the "autoassign" role tag contains the following
code:
    <mapping id="1">
        <authoritative>true</authoritative>
        <strength>strong</strength>
        <source>
            <path>activation/effectiveStatus</path>
        </source>
        <source>
            <path>linkRef</path>
        </source>
        <condition>
            <script>
                <code><![CDATA[
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.*

                    // Unassign if the user is not effectively enabled.
                    if (!midpoint.isEffectivelyEnabled(focus)) {
                        return false;
                    }

                    // Alternative check using the effectiveStatus source variable.
                    // The source value is an ActivationStatusType enum, not a String, so
                    // comparing it to the string "enabled" never matches and the condition
                    // always stays true; compare against the enum constant instead:
                    /*
                    if (effectiveStatus != ActivationStatusType.ENABLED) {
                        return false;
                    }
                    */

                    UserType ut = focus as UserType;
                    List<ObjectReferenceType> linkRefs = ut.getLinkRef();
                    boolean containsAccount = false;
                    // Iterate over the linked shadows. The loop variable is named 'ref' so it
                    // does not shadow the 'linkRef' source variable of this mapping.
                    for (ref in linkRefs) {
                        try {
                            ShadowType shadow = midpoint.resolveReference(ref);
                            // Check whether the shadow belongs to the specific resource.
                            if (shadow != null && shadow.getResourceRef() != null
                                    && "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa".equals(shadow.getResourceRef().getOid())) {
                                containsAccount = true;
                                break;
                            }
                        } catch (Exception e) {
                            // A dangling linkRef (shadow no longer exists) is treated as "no account".
                            log.debug("Could not resolve linkRef {}: {}", ref.getOid(), e.getMessage());
                        }
                    }
                    return containsAccount;
                ]]></code>
            </script>
        </condition>
    </mapping>
    <selector>
        <type>UserType</type>
    </selector>
--
Kind regards,
Joachim Kruth
IT Support
--
Leibniz-Institut für Astrophysik Potsdam (AIP),
An der Sternwarte 16, 14482 Potsdam
Tel: 0331-7499534 - Fax: 0331-7499309 - Mail: jkruth at aip.de
-----------------------------------------------------------
Board: Prof. Dr. Matthias Steinmetz, Wolfram Rosenbach
Foundation under civil law
Brandenburg register of foundations: 26 742-00/7026
-----------------------------------------------------------