<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      When I think about it, this might be really useful. I have to
      think about it. One of the issues is that we want to keep midPoint
      mechanisms simple, elegant and well integrated. As all the
      automatic role assignments/unassignments are now done through
      mappings, there is no simple and elegant place to define this
      feature right now. But I'm sure we can find the proper place in the
      future. I have created a Jira issue for it:<br>
      <br>
      <a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2375">https://jira.evolveum.com/browse/MID-2375</a><br>
      <br>
      However ... it will not fit into the current roadmap unless someone
      sponsors this feature (<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a>)<br>
      <br>
      Anyway, thanks for the feedback and idea.<br>
      <br>
      <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com
</pre>
      <br>
      <br>
      On 05/19/2015 04:27 PM, Илья Дорофеев wrote:<br>
    </div>
    <blockquote
      cite="mid:F82253638486D44DABA51EC404D48AF3846713@EX-MB1.solar.local"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <div style="direction: ltr;font-family: Tahoma;color:
        #000000;font-size: 10pt;">
        <p>Hi,</p>
        <p> </p>
        <p>You understood my case correctly, and the solution you
          provided seems reasonable. However, it would have been nice if
          you had some sort of prohibiting policy. ))</p>
        <p>Anyway, thanks for the thorough reply!</p>
        <div>
          <p> </p>
          <div style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma">
            <p>Ilya Dorofeev</p>
            <p>Software Architect</p>
            <p>Solar Security</p>
          </div>
        </div>
        <div style="FONT-SIZE: 16px; FONT-FAMILY: Times New Roman;
          COLOR: #000000">
          <hr tabindex="-1">
          <div id="divRpF776707" style="DIRECTION: ltr"><font size="2"
              color="#000000" face="Tahoma"><b>From:</b> midPoint
              [<a class="moz-txt-link-abbreviated" href="mailto:midpoint-bounces@lists.evolveum.com">midpoint-bounces@lists.evolveum.com</a>] on behalf of Radovan
              Semancik [<a class="moz-txt-link-abbreviated" href="mailto:radovan.semancik@evolveum.com">radovan.semancik@evolveum.com</a>]<br>
              <b>Sent:</b> 19 May 2015 15:57<br>
              <b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a><br>
              <b>Subject:</b> Re: [midPoint] HA: Prohibit having particular
              assignments<br>
            </font><br>
          </div>
          <div>
            <div class="moz-cite-prefix">Hi,<br>
              <br>
              I'm not sure that I understand your use case. But if you
              want to remove all the assignments when a user is fired,
              regardless of how they were assigned, then this cannot be
              done in a purely declarative way. E.g. there can be an
              assignment that was assigned by an IDM admin without any
              mapping or any other "habeas corpus" in midPoint.<br>
              <br>
              But ... although this cannot be done in a declarative way
              it can be done in an algorithmic way. Your best option is
              to use Scripting hooks (<a moz-do-not-send="true"
                class="moz-txt-link-freetext"
                href="https://wiki.evolveum.com/display/midPoint/Scripting+Hooks"
                target="_blank">https://wiki.evolveum.com/display/midPoint/Scripting+Hooks</a>):

              Write a piece of Groovy code as a scripting hook. It will
              be executed after every change in midPoint. In this code
              create a condition ("if" statement) that checks for the
              attribute change in primary deltas in model context (<a
                moz-do-not-send="true" class="moz-txt-link-freetext"
                href="https://wiki.evolveum.com/display/midPoint/Model+Context"
                target="_blank">https://wiki.evolveum.com/display/midPoint/Model+Context</a>).

              If that condition triggers then use a loop to iterate over
              all existing user assignments and create a secondary
              unassign delta for each one. This is not a very
              straightforward way, but it should work. And it is a
              reasonably clean way.<br>
              <br>
              If you do not like groovy you can do the same thing in
              Java. But that will require a custom build of midPoint.
              Groovy (or Python or JavaScript) scripting hook is
              probably the right way for you.<br>
              <br>
              <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com
</pre>
              <br>
              <br>
              <br>
              On 05/19/2015 03:30 PM, Илья Дорофеев wrote:<br>
            </div>
            <blockquote type="cite">
              <div style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma; COLOR:
                #000000; DIRECTION: ltr">
                <p>Hi Radovan,</p>
                <p> </p>
                <p>I saw the solution exactly as you have specified in
                  your reply. I just wanted to make sure there's no other
                  option to tackle this issue in another way. The downside
                  of this approach is the necessity of specifying the
                  same condition for all the roles created in the
                  system, whether they are business roles created by
                  users manually or roles which are being created during
                  the entitlement synchronization process.</p>
                <p> </p>
                <div>
                  <div style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma">
                    <p>Ilya Dorofeev</p>
                    <p>Software Architect</p>
                    <p>Solar Security</p>
                  </div>
                </div>
                <div style="FONT-SIZE: 16px; FONT-FAMILY: Times New
                  Roman; COLOR: #000000">
                  <hr tabindex="-1">
                  <div id="divRpF439344" style="DIRECTION: ltr"><font
                      size="2" color="#000000" face="Tahoma"><b>From:</b>
                      midPoint [<a moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:midpoint-bounces@lists.evolveum.com"
                        target="_blank">midpoint-bounces@lists.evolveum.com</a>]
                      on behalf of Radovan Semancik [<a
                        moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:radovan.semancik@evolveum.com"
                        target="_blank">radovan.semancik@evolveum.com</a>]<br>
                      <b>Sent:</b> 19 May 2015 15:01<br>
                      <b>To:</b> <a moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:midpoint@lists.evolveum.com"
                        target="_blank">
                        midpoint@lists.evolveum.com</a><br>
                      <b>Subject:</b> Re: [midPoint] Prohibit having
                      particular assignments<br>
                    </font><br>
                  </div>
                  <div>
                    <div class="moz-cite-prefix">Hi Ilya,<br>
                      <br>
                      This works a bit differently in midPoint. We do
                      not have separate policies for automatic
                      assignment and unassignment. These are the same.
                      Therefore simply use a mapping in the user template
                      that automatically adds an assignment, and specify a
                      condition when the user should have such an
                      assignment. E.g.<br>
                      <br>
                      <pre>&lt;objectTemplate&gt;
  ...
  &lt;mapping&gt;
    &lt;expression&gt; .... assignment here ... &lt;/expression&gt;
    &lt;target&gt;&lt;path&gt;assignment&lt;/path&gt;&lt;/target&gt;
    &lt;condition&gt;
      &lt;script&gt;
        &lt;code&gt;employeeType == 'active'&lt;/code&gt;
      &lt;/script&gt;
    &lt;/condition&gt;
  &lt;/mapping&gt;
&lt;/objectTemplate&gt;
</pre>
                      <br>
                      Now, this works both for assignment and
                      unassignment. If this user does not have such an
                      assignment and his employeeType changes to
                      'active' then the assignment will be added. But if
                      the user already has employeeType='active' and this
                      changes to something else then the assignment will
                      be removed.<br>
                      <br>
                      MidPoint works with relative changes. This means
                      that after every change in user attributes
                      midPoint recomputes all the mappings and figures
                      out what are the resulting (secondary) changes.
                      E.g. if employeeType attribute changes from
                      'active' to 'inactive' then midPoint realizes that
                      the condition in this particular mapping changes
                      from true to false. Which means that the user
                      should have the assignment given by this mapping
                      before the change, but this user should NOT have
                      the assignment after the change. Therefore
                      midPoint removes the assignment.<br>
                      <br>
                      <pre class="moz-signature" cols="72">-- 
Radovan Semancik
Software Architect
evolveum.com
</pre>
                      <br>
                      <br>
                      <br>
                      On 05/18/2015 01:02 PM, Илья Дорофеев wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <style id="owaParaStyle">P {
        MARGIN-BOTTOM: 0px; MARGIN-TOP: 0px
}
</style>
                      <div style="FONT-SIZE: 10pt; FONT-FAMILY: Tahoma;
                        COLOR: #000000; DIRECTION: ltr">
                        <div>
                          <p>Hi,</p>
                          <p> </p>
                          <p>I would like to adjust a policy that will
                            automatically revoke all of a user's
                            assignments (or just some of them, selected
                            by a rule) in accordance with particular
                            values of some user properties. For
                            instance, I would like all fired users
                            to have their assignments revoked. I didn't
                            find any mention in the docs of how it is
                            supposed to be configured.</p>
                          <p> </p>
                          <p>Thanks in advance,</p>
                          <p>Ilya Dorofeev</p>
                        </div>
                      </div>
                      <br>
                      <fieldset class="mimeAttachmentHeader"
                        target="_blank"></fieldset>
                      <br>
                      <pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                    </blockquote>
                    <br>
                    <br>
                  </div>
                </div>
              </div>
              <br>
            </blockquote>
            <br>
            <br>
          </div>
        </div>
      </div>
      <br>
    </blockquote>
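    <p>The thread above contrasts two approaches: a user-template mapping
      whose condition flips between true and false (relative-change
      semantics, which add or remove only the assignment that mapping
      produces), and a scripting hook that reacts to the primary delta and
      unassigns everything the user holds, including roles an admin assigned
      by hand with no mapping behind them. The Python below is an added
      example written for this page, not midPoint code and not from Evolveum;
      it models those semantics so the difference can be run and checked. The
      role names, the <code>fired</code> value of <code>employeeType</code>,
      the sample user and the function names are constructed for the
      illustration and exist nowhere in midPoint.</p>

```python
"""Model of the two approaches discussed above: a conditional template mapping
versus a scripting hook. Constructed example for this page, not midPoint code;
it uses no midPoint API. Role names and the 'fired' value are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

User = Dict[str, object]   # {"name": ..., "employeeType": ..., "assignments": set of role names}
Delta = Tuple[str, str]    # ("add" or "delete", role name)


@dataclass
class ConditionalMapping:
    """A user-template mapping targeting 'assignment' with a condition.

    Relative-change semantics: the condition is evaluated on the user state
    before and after the change. false -> true adds the assignment, true ->
    false removes it, true -> true and false -> false produce no delta.
    """
    role: str
    condition: Callable[[User], bool]

    def evaluate(self, old: User, new: User) -> List[Delta]:
        before, after = self.condition(old), self.condition(new)
        if after and not before:
            return [("add", self.role)]
        if before and not after:
            return [("delete", self.role)]
        return []


def apply_deltas(user: User, deltas: List[Delta]) -> User:
    """Apply assignment deltas to a copy of the user."""
    assigned: Set[str] = set(user["assignments"])
    for op, role in deltas:
        if op == "add":
            assigned.add(role)
        else:
            assigned.discard(role)
    return dict(user, assignments=assigned)


def recompute_template(old: User, new: User, mappings: List[ConditionalMapping]) -> User:
    """Declarative path: every mapping is re-evaluated after each change and
    the resulting (secondary) assignment deltas are applied."""
    deltas: List[Delta] = []
    for mapping in mappings:
        deltas.extend(mapping.evaluate(old, new))
    return apply_deltas(new, deltas)


def primary_delta(old: User, new: User) -> Dict[str, Tuple[object, object]]:
    """Attribute changes requested by the caller, as (old value, new value)."""
    keys = set(old).union(new) - {"assignments"}
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}


def fired_hook(delta: Dict[str, Tuple[object, object]], user: User) -> List[Delta]:
    """Algorithmic path (the scripting-hook idea): if the primary delta sets
    employeeType to 'fired', emit an unassign delta for every assignment the
    user has, no matter who or what created it."""
    if delta.get("employeeType", (None, None))[1] == "fired":
        return [("delete", role) for role in sorted(user["assignments"])]
    return []


def recompute_with_hook(old: User, new: User, mappings, hook) -> User:
    """Template recomputation first, then the hook sees the primary delta."""
    after_template = recompute_template(old, new, mappings)
    return apply_deltas(after_template, hook(primary_delta(old, new), after_template))


# Constructed sample data: two roles driven by the template, one assigned by hand.
MAPPINGS = [
    ConditionalMapping("role:VPN", lambda u: u.get("employeeType") == "active"),
    ConditionalMapping("role:Wiki", lambda u: u.get("employeeType") == "active"),
]
JDOE: User = {"name": "jdoe", "employeeType": "active",
              "assignments": {"role:VPN", "role:Wiki", "role:Finance"}}


def fire_declaratively() -> Set[str]:
    """Mappings drop only what they gave; the manual role:Finance survives."""
    return recompute_template(JDOE, dict(JDOE, employeeType="fired"), MAPPINGS)["assignments"]


def fire_with_hook() -> Set[str]:
    """The hook revokes everything, including role:Finance."""
    return recompute_with_hook(JDOE, dict(JDOE, employeeType="fired"), MAPPINGS, fired_hook)["assignments"]


def rehire_declaratively() -> Set[str]:
    """false -> true re-adds the mapped roles to a user who has none."""
    gone = dict(JDOE, employeeType="fired", assignments=set())
    return recompute_template(gone, dict(gone, employeeType="active"), MAPPINGS)["assignments"]


def rename_only() -> Set[str]:
    """true -> true: an unrelated change leaves assignments untouched."""
    return recompute_template(JDOE, dict(JDOE, name="jdoe2"), MAPPINGS)["assignments"]


if __name__ == "__main__":
    print("fired, template only:", sorted(fire_declaratively()))
    print("fired, with hook:    ", sorted(fire_with_hook()))
    print("rehired:             ", sorted(rehire_declaratively()))
    print("renamed:             ", sorted(rename_only()))
```

    <p>Running it shows the point Ilya raised: with mappings alone,
      <code>role:Finance</code> stays on the fired user because no mapping
      ever produced it, so each role that should be revoked needs its own
      conditioned mapping; the hook path clears the account regardless of
      how each assignment got there, at the cost of being procedural code
      that must be reviewed and tested like any other privileged automation.</p>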
    <br>
    <br>
  </body>
</html>