<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Can you share with us the create and update scripts ?</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#444444">Regards</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br><br><font color="#444444">Ing Nicolás Rossi</font><br><font color="#999999">Identicum S.A.</font><br><font color="#999999">Jorge Newbery 3226</font><br><font color="#999999">Tel: +54 (11) 4552-3050</font><br><font color="#999999"><a href="http://www.identicum.com" target="_blank">www.identicum.com</a></font></font><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
<br><div class="gmail_quote">On Thu, Dec 15, 2016 at 5:15 AM, Wojciech Staszewski <span dir="ltr"><<a href="mailto:wojciech.staszewski@diagnostyka.pl" target="_blank">wojciech.staszewski@diagnostyka.pl</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've done it with joins instead of "where .. and .. and", and it works, but<br>
now my account appears multiple times on the resource (the number of<br>
accounts = the number of groups). This is definitely not a simple thing<br>
and the documentation is weak. :(<br>
<br>
On 15.12.2016 at 02:34, Nicolas Rossi wrote:<br>
<span class="">> The Search script should return the ID, Name and Members of the group.<br>
> It doesn't matter if you use 1, 2 or more queries but you should return<br>
> an array with one row for each group where the members attribute is an<br>
> array too.<br>
><br>
> Can you copy the sql error of the query with the where filter?<br>
><br>
> Regards,<br>
><br>
><br>
> Nicolás<br>
><br>
><br>
> On Wed, Dec 14, 2016 at 09:12, Wojciech Staszewski<br>
> <<a href="mailto:wojciech.staszewski@diagnostyka.pl">wojciech.staszewski@<wbr>diagnostyka.pl</a><br>
</span>> <mailto:<a href="mailto:wojciech.staszewski@diagnostyka.pl">wojciech.staszewski@<wbr>diagnostyka.pl</a>>> wrote:<br>
<span class="">><br>
> Just 4 more questions.<br>
><br>
><br>
><br>
> I have a little trouble with search script.<br>
><br>
><br>
><br>
> 1. Searching associated groups: can it be in a separate sql query in<br>
><br>
> __ACCOUNT__ case?<br>
><br>
> 2. It must return: "__UID__", "__NAME__" and "groups" attributes, right?<br>
><br>
> (the list of groups)<br>
><br>
> 3. Or it must be one single query returning all attributes including<br>
><br>
> group membership? But then it will return more than one row...<br>
><br>
><br>
><br>
> 4. How to construct the SQL query using "where" template?<br>
><br>
> I tried to put something like this:<br>
><br>
><br>
><br>
</span>> "select g.name as name, u.alias from users_groups<br>
<div><div class="h5">> ug, usrgrp g, users u"<br>
><br>
> + where + " AND g.usrgrpid = ug.usrgrpid and u.userid = ug.userid"<br>
><br>
><br>
><br>
> (msg:Search WHERE clause is: WHERE u.userid = 1)<br>
><br>
><br>
><br>
> But I got SQL syntax error. I log this query, Ctrl+C from log, Ctrl+V in<br>
><br>
> SQL console and it works.<br>
><br>
><br>
><br>
> Thanks,<br>
><br>
> Best regards, WS<br>
><br>
><br>
><br>
> On 13.12.2016 at 18:30, Wojciech Staszewski wrote:<br>
><br>
> > Thank you very much!<br>
><br>
> > Regards, WS<br>
><br>
> ><br>
><br>
> > On Monday, 12 December 2016 21:45:00 CET Nicolas Rossi wrote:<br>
><br>
> >> Hi, you have to add the association between Users and Groups. It's<br>
><br>
> >> something like that:<br>
><br>
> >><br>
><br>
> >> <association><br>
><br>
> >> <ref>ri:GroupObjectClass</ref><br>
><br>
> >> <kind>entitlement</kind><br>
><br>
> >> <intent>default</intent><br>
><br>
> >> <tolerant>false</tolerant><br>
><br>
> >> <direction>subjectToObject</direction><br>
><br>
> >> <associationAttribute>ri:groups</associationAttribute><br>
><br>
> >> <valueAttribute>icfs:uid</valueAttribute><br>
><br>
> >> <shortcutAssociationAttribute>ri:members</shortcutAssociationAttribute><br>
><br>
> >> <shortcutValueAttribute>icfs:uid</shortcutValueAttribute><br>
><br>
> >> </association><br>
><br>
> >><br>
><br>
> >> You can find more information about the association and the tolerant<br>
><br>
> >> parameter here:<br>
><br>
> >><br>
> <a href="https://wiki.evolveum.com/display/midPoint/Entitlements#Entitlements-AssociationDefinition" rel="noreferrer" target="_blank">https://wiki.evolveum.com/<wbr>display/midPoint/Entitlements#<wbr>Entitlements-<wbr>AssociationDefinition</a><br>
><br>
> >><br>
><br>
> >> Inside your Update script the operation should be<br>
> ADD_ATTRIBUTE_VALUE for<br>
><br>
> >> objectClass __ACCOUNT__ and the attribute received should be<br>
> "groups":<br>
><br>
> >><br>
><br>
> >> case "ADD_ATTRIBUTE_VALUES":<br>
><br>
> >><br>
><br>
> >> if(objectClass == "__ACCOUNT__")<br>
><br>
> >> {<br>
><br>
> >> for(String group : attributes.get("groups"))<br>
><br>
> >> {<br>
><br>
> >> def existingEntitlement = sql.rows("SELECT 1 FROM<br>
><br>
> >> UserGroups WHERE user_id=? AND group_id=?",[uid as String, group as<br>
><br>
> >> String]);<br>
><br>
> >> if(existingEntitlement.isEmpty())<br>
><br>
> >> {<br>
><br>
</div></div>> >> log.info("Sample - Adding<br>
<span class="">> entitlement ${group} to user<br>
><br>
> >> ${uid}");<br>
><br>
> >> sql.execute("insert into UserGroups (user_id,<br>
> group_id)<br>
><br>
> >> values (?, ?)", [uid as String, group as String]);<br>
><br>
> >> }<br>
><br>
> >> else<br>
><br>
> >> {<br>
><br>
</span>> >> log.info("Sample - Skipping<br>
<span class="">> assignment because user<br>
><br>
> >> ${uid} already has group ${group}");<br>
><br>
> >> }<br>
><br>
> >> }<br>
><br>
> >> }<br>
><br>
> >><br>
><br>
> >> You should also handle the REMOVE_ATTRIBUTE_VALUES with the same<br>
> logic.<br>
><br>
> >> Radovan and Ivan have helped us few weeks ago with the ScriptedSQL<br>
><br>
> >> resource. You can find the conversation in the mailing list. I am<br>
> sure it<br>
><br>
> >> will help you too.<br>
><br>
> >><br>
><br>
> >> Regards,<br>
><br>
> >><br>
><br>
> >><br>
><br>
> >><br>
><br>
> >><br>
><br>
> >><br>
><br>
> >> Ing Nicolás Rossi<br>
><br>
> >> Identicum S.A.<br>
><br>
> >> Jorge Newbery 3226<br>
><br>
> >> Tel: +54 (11) 4552-3050<br>
><br>
</span>> >> <a href="http://www.identicum.com" rel="noreferrer" target="_blank">www.identicum.com</a> <<a href="http://www.identicum.com" rel="noreferrer" target="_blank">http://www.identicum.com</a>><br>
<span class="">><br>
> >><br>
><br>
> >> On Mon, Dec 12, 2016 at 7:11 PM, Wojciech Staszewski <<br>
><br>
> >> <a href="mailto:wojciech.staszewski@diagnostyka.pl">wojciech.staszewski@<wbr>diagnostyka.pl</a><br>
</span><span class="">> <mailto:<a href="mailto:wojciech.staszewski@diagnostyka.pl">wojciech.staszewski@<wbr>diagnostyka.pl</a>>> wrote:<br>
><br>
> >><br>
><br>
> >>> Hello,<br>
><br>
> >>><br>
><br>
> >>> I'm playing with ScriptedSQL resource, based on Evolveum example<br>
> from<br>
><br>
> >>> Github.<br>
><br>
> >>> I'm able to list/add/remove users/groups and enable/disable<br>
> accounts.<br>
><br>
> >>> Great.<br>
><br>
> >>> But now I want to apply an assignment (a group) to user.<br>
> Unfortunately<br>
><br>
> >>> "Update_Script.groovy" is incomplete,<br>
><br>
> >>> ADD_ATTRIBUTE_VALUES and REMOVE_ATTRIBUTE_VALUES cases are empty.<br>
><br>
> >>> Where can I find some examples?<br>
><br>
> >>><br>
><br>
> >>> Thanks a lot!<br>
><br>
> >>> WS<br>
><br>
> >>> ______________________________<wbr>_________________<br>
><br>
> >>> midPoint mailing list<br>
><br>
</span>> >>> <a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a> <mailto:<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.<wbr>evolveum.com</a>><br>
<span class="">><br>
> >>> <a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/<wbr>mailman/listinfo/midpoint</a><br>
><br>
> >>><br>
><br>
> >><br>
><br>
> ><br>
><br>
> ><br>
><br>
</span><span class="">
><br>
<br>
</span><span class="">--<br>
Wojciech Staszewski<br>
Network Systems Administrator<br>
</span><span class="">mobile: 663 680 236<br>
</span><a href="http://www.diagnostyka.pl" rel="noreferrer" target="_blank">www.diagnostyka.pl</a><br>
Diagnostyka Sp. z o. o.<br>
<span class="">ul. Prof. M. Życzkowskiego 16, 31-864 Kraków<br>
</span>KRS number: 0000381559 (District Court for Kraków-Śródmieście in Kraków,<br>
11th Commercial Division of the KRS)<br>
NIP: 675-12-65-009; REGON: 356366975<br>
Share capital: 33 756 500 zł.<br>
<br>
Think about the environment before printing this e-mail.<br>
<div class="HOEnZb"><div class="h5">
</div></div></blockquote></div><br></div>
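<div>The search-script advice in the thread above, as an added example that is not part of the original messages: a join returns one row per account/group pair, so the rows are folded into one result per account whose groups value is a list, and the filter value is bound with ? instead of being concatenated into the SQL text. Table and column names follow the query quoted in the thread; the sample rows, the function name foldAccountRows and the variable names are constructed for illustration.</div>

```groovy
// Added example, not code from the thread or from the midPoint project.

// One row per (account, group) pair. LEFT JOIN keeps accounts without groups.
// The user id is a bound parameter, not text spliced into the statement.
def accountQuery = '''
    SELECT u.userid, u.alias, ug.usrgrpid
    FROM users u
    LEFT JOIN users_groups ug ON ug.userid = u.userid
    WHERE u.userid = ?
'''
// In a connector script the rows would come from groovy.sql.Sql, e.g.
//   def rows = sql.rows(accountQuery, [uidValue])   // uidValue: hypothetical
// Here a constructed list of row maps stands in for the database.

// Fold join rows into one result map per account; "groups" becomes a list
// of group ids, matching valueAttribute icfs:uid in the association.
List<Map> foldAccountRows(List<Map> rows) {
    Map<String, Map> byUid = new LinkedHashMap<>()
    for (row in rows) {
        String uid = row.userid as String
        Map account = byUid.get(uid)
        if (account == null) {
            account = [__UID__: uid, __NAME__: row.alias, groups: []]
            byUid.put(uid, account)
        }
        // NULL usrgrpid is produced by the LEFT JOIN for a group-less account.
        if (row.usrgrpid != null) {
            account.groups << (row.usrgrpid as String)
        }
    }
    return new ArrayList<Map>(byUid.values())
}

// Constructed sample: user 1 is in two groups, user 2 is in none.
def sampleRows = [
    [userid: 1, alias: 'Admin', usrgrpid: 7],
    [userid: 1, alias: 'Admin', usrgrpid: 11],
    [userid: 2, alias: 'guest', usrgrpid: null],
]

def result = foldAccountRows(sampleRows)
assert result.size() == 2          // two accounts, not three join rows
assert result[0] == [__UID__: '1', __NAME__: 'Admin', groups: ['7', '11']]
assert result[1].groups == []
result.each { println it }
```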