<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
I'm not sure that I understand your user case. But if you want to
remove all the assignments when a user is fired regardless of how
they were assigned then this cannot be done in a purely
declarative way. E.g. there can be an assignment that was assigned
by IDM admin without any mapping or any other "habeas corpus" in
midPoint.<br>
<br>
But ... although this cannot be done in a declarative way it can
be done in an algorithmic way. Your best option is to use
Scripting hooks
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks">https://wiki.evolveum.com/display/midPoint/Scripting+Hooks</a>):
Write a piece of groovy code as a scripting hook. It will be
executed after every change in midPoint. In this code create a
condition ("if" statement) that checks for the attribute change in
primary deltas in model context
(<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Model+Context">https://wiki.evolveum.com/display/midPoint/Model+Context</a>). If
that condition triggers then use a loop to iterate over all
existing user assignments and create a secondary unassign delta
for each one. This is not a very straightforward way, but it
should work. And it is a reasonably clean way.<br>
<br>
If you do not like groovy you can do the same thing in Java. But
that will require a custom build of midPoint. Groovy (or Python or
JavaScript) scripting hook is probably the right way for you.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<br>
On 05/19/2015 03:30 PM, Илья Дорофеев wrote:<br>
</div>
<blockquote
cite="mid:F82253638486D44DABA51EC404D48AF38466EE@EX-MB1.solar.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<p>Hi Radovan,</p>
<p> </p>
<p>I saw the solution exactly as you have specified in your
reply. Just wanted to make sure there's no other option to
tackle this issue in other way. The downside of this approach
is the necessity of specifying the same condition for all the
roles created in the system, whether they are business roles
created by users manually or roles which are being created
during the entitlements synchronization process.</p>
<p> </p>
<div>
<div style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma">
<p>Ilya Dorofeev</p>
<p>Software Architect</p>
<p>Solar Security</p>
</div>
</div>
<div style="FONT-SIZE: 16px; FONT-FAMILY: Times New Roman;
COLOR: #000000">
<hr tabindex="-1">
<div id="divRpF439344" style="DIRECTION: ltr"><font
color="#000000" face="Tahoma" size="2"><b>От:</b> midPoint
[<a class="moz-txt-link-abbreviated" href="mailto:midpoint-bounces@lists.evolveum.com">midpoint-bounces@lists.evolveum.com</a>] от имени Radovan
Semancik [<a class="moz-txt-link-abbreviated" href="mailto:radovan.semancik@evolveum.com">radovan.semancik@evolveum.com</a>]<br>
<b>Отправлено:</b> 19 мая 2015 г. 15:01<br>
<b>Кому:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Тема:</b> Re: [midPoint] Prohibit having particular
assignments<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">Hi Ilya,<br>
<br>
This works a bit differently in midPoint. We do not have
separate policies for automatic assignment and
unassignemnt. These are the same. Therefore simply use
mapping in user template that automatically adds an
assignment. And specify a condition when user should have
such an assignment. E.g.<br>
<br>
<objectTemplate><br>
...<br>
<mapping><br>
<expression> .... assignment here ...
</expression><br>
<target><path>assignment</path></target><br>
<condition><br>
<script><br>
<code>employeeType ==
'active'</code><br>
</script><br>
</condition><br>
</mapping><br>
<br>
Now, this works both for assignment and unassignment. If
this user does not have such assignment and his
employeeType changes to 'active' then the assignment will
be added. But if user already has employeeType='active'
and this changes to something else then the assignment
will be removed.<br>
<br>
MidPoint works with relative changes. This means that
after every change in user attributes midPoint recomputes
all the mappings and figures out what are the resulting
(secondary) changes. E.g. if employeeType attribute
changes from 'active' to 'inactive' then midPoint realizes
that the condition in this particular mapping changes from
true to false. Which means that the user should have the
assignment given by this mapping before the change, but
this user should NOT have the assignment after the change.
Therefore midPoint removes the assignment.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<br>
On 05/18/2015 01:02 PM, Илья Дорофеев wrote:<br>
</div>
<blockquote type="cite">
<style id="owaParaStyle">P {
MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px
}
P {
MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px
}
</style>
<div style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma; COLOR:
#000000; DIRECTION: ltr">
<div>
<p>Hi,</p>
<p> </p>
<p>I would like to adjust a policy that will
automatically revoke all user's assignments (or just
some of them selected by a rule) in accordance with
particular values of some user properties. For
instance, I would like all the fired users have
their assignments revoked. I didn't find any
mentions in docs of how it is supposed to be
configured.</p>
<p> </p>
<p>Thanks in advance,</p>
<p>Ilya Dorofeev</p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader" target="_blank"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</body>
</html>