<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
When I think about it then this might be really useful. I have to
think about it. One of the issues is that we want to keep midPoint
mechanisms simple, elegant well integrated. As now all the
automatic role assignments/unsassignment are done through mappings
there is no simple and elegant place where to define this feature
right now. But I'm sure we can find the proper place in the
future. I have created a jira for it:<br>
<br>
<a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2375">https://jira.evolveum.com/browse/MID-2375</a><br>
<br>
However ... it will not fit into current roadmap unless someone
sponsors this feature (<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a>)<br>
<br>
Anyway, thanks for the feedback and idea.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
On 05/19/2015 04:27 PM, Илья Дорофеев wrote:<br>
</div>
<blockquote
cite="mid:F82253638486D44DABA51EC404D48AF3846713@EX-MB1.solar.local"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<p>Hi,</p>
<p> </p>
<p>You understood my case correctly as well as the solution you
provided seems reasonable. However it would have been nice if
you had some sort of prohibiting policy. ))</p>
<p>In any way, thanks for the thorough reply!</p>
<div>
<p> </p>
<div style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma">
<p>Ilya Dorofeev</p>
<p>Software Architect</p>
<p>Solar Security</p>
</div>
</div>
<div style="FONT-SIZE: 16px; FONT-FAMILY: Times New Roman;
COLOR: #000000">
<hr tabindex="-1">
<div id="divRpF776707" style="DIRECTION: ltr"><font size="2"
color="#000000" face="Tahoma"><b>От:</b> midPoint
[<a class="moz-txt-link-abbreviated" href="mailto:midpoint-bounces@lists.evolveum.com">midpoint-bounces@lists.evolveum.com</a>] от имени Radovan
Semancik [<a class="moz-txt-link-abbreviated" href="mailto:radovan.semancik@evolveum.com">radovan.semancik@evolveum.com</a>]<br>
<b>Отправлено:</b> 19 мая 2015 г. 15:57<br>
<b>Кому:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
<b>Тема:</b> Re: [midPoint] HA: Prohibit having particular
assignments<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">Hi,<br>
<br>
I'm not sure that I understand your user case. But if you
want to remove all the assignments when a user is fired
regardless of how they were assigned then this cannot be
done in a purely declarative way. E.g. there can be an
assignment that was assigned by IDM admin without any
mapping or any other "habeas corpus" in midPoint.<br>
<br>
But ... although this cannot be done in a declarative way
it can be done in an algorithmic way. Your best option is
to use Scripting hooks (<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks"
target="_blank">https://wiki.evolveum.com/display/midPoint/Scripting+Hooks</a>):
Write a piece of groovy code as a scripting hook. It will
be executed after every change in midPoint. In this code
create a condition ("if" statement) that checks for the
attribute change in primary deltas in model context (<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://wiki.evolveum.com/display/midPoint/Model+Context"
target="_blank">https://wiki.evolveum.com/display/midPoint/Model+Context</a>).
If that condition triggers then use a loop to iterate over
all existing user assignments and create a secondary
unassign delta for each one. This is not a very
straightforward way, but it should work. And it is a
reasonably clean way.<br>
<br>
If you do not like groovy you can do the same thing in
Java. But that will require a custom build of midPoint.
Groovy (or Python or JavaScript) scripting hook is
probably the right way for you.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<br>
On 05/19/2015 03:30 PM, Илья Дорофеев wrote:<br>
</div>
<blockquote type="cite">
<div style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma; COLOR:
#000000; DIRECTION: ltr">
<p>Hi Radovan,</p>
<p> </p>
<p>I saw the solution exactly as you have specified in
your reply. Just wanted to make sure there's no other
option to tackle this issue in other way. The downside
of this approach is the necessity of specifying the
same condition for all the roles created in the
system, whether they are business roles created by
users manually or roles which are being created during
the entitlements synchronization process.</p>
<p> </p>
<div>
<div style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma">
<p>Ilya Dorofeev</p>
<p>Software Architect</p>
<p>Solar Security</p>
</div>
</div>
<div style="FONT-SIZE: 16px; FONT-FAMILY: Times New
Roman; COLOR: #000000">
<hr tabindex="-1">
<div id="divRpF439344" style="DIRECTION: ltr"><font
size="2" color="#000000" face="Tahoma"><b>От:</b>
midPoint [<a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:midpoint-bounces@lists.evolveum.com"
target="_blank">midpoint-bounces@lists.evolveum.com</a>]
от имени Radovan Semancik [<a
moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:radovan.semancik@evolveum.com"
target="_blank">radovan.semancik@evolveum.com</a>]<br>
<b>Отправлено:</b> 19 мая 2015 г. 15:01<br>
<b>Кому:</b> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated"
href="mailto:midpoint@lists.evolveum.com"
target="_blank">
midpoint@lists.evolveum.com</a><br>
<b>Тема:</b> Re: [midPoint] Prohibit having
particular assignments<br>
</font><br>
</div>
<div>
<div class="moz-cite-prefix">Hi Ilya,<br>
<br>
This works a bit differently in midPoint. We do
not have separate policies for automatic
assignment and unassignemnt. These are the same.
Therefore simply use mapping in user template that
automatically adds an assignment. And specify a
condition when user should have such an
assignment. E.g.<br>
<br>
<objectTemplate><br>
...<br>
<mapping><br>
<expression> .... assignment here ...
</expression><br>
<target><path>assignment</path></target><br>
<condition><br>
<script><br>
<code>employeeType ==
'active'</code><br>
</script><br>
</condition><br>
</mapping><br>
<br>
Now, this works both for assignment and
unassignment. If this user does not have such
assignment and his employeeType changes to
'active' then the assignment will be added. But if
user already has employeeType='active' and this
changes to something else then the assignment will
be removed.<br>
<br>
MidPoint works with relative changes. This means
that after every change in user attributes
midPoint recomputes all the mappings and figures
out what are the resulting (secondary) changes.
E.g. if employeeType attribute changes from
'active' to 'inactive' then midPoint realizes that
the condition in this particular mapping changes
from true to false. Which means that the user
should have the assignment given by this mapping
before the change, but this user should NOT have
the assignment after the change. Therefore
midPoint removes the assignment.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
<br>
On 05/18/2015 01:02 PM, Илья Дорофеев wrote:<br>
</div>
<blockquote type="cite">
<style id="owaParaStyle">P {
MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px
}
P {
MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px
}
</style>
<div style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma;
COLOR: #000000; DIRECTION: ltr">
<div>
<p>Hi,</p>
<p> </p>
<p>I would like to adjust a policy that will
automatically revoke all user's
assignments (or just some of them selected
by a rule) in accordance with particular
values of some user properties. For
instance, I would like all the fired users
have their assignments revoked. I didn't
find any mentions in docs of how it is
supposed to be configured.</p>
<p> </p>
<p>Thanks in advance,</p>
<p>Ilya Dorofeev</p>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"
target="_blank"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader" target="_blank"></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</body>
</html>