<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">We have this working now. It was a bit tricky, as we had to deal with null values from the extension user attributes we use to store validity dates by role. We don’t exactly understand why, but it’s working.</div><div class=""><br class=""></div><div class="">The next step is updating the validity dates of an assignment with dates which could be updated upstream, in our HR system, for a renewal of a staff contract for example.</div><div class=""><br class=""></div><div class="">For now, we use an objectTemplate to assign roles to users but, as we understand it, objectTemplates are useful only at user creation time.</div><div class=""><br class=""></div><div class="">When the user already exists, could we update the validity dates of an assignment when running a simple reconcile? Do we have to write code in the inbound mapping of the validity dates in order to retrieve the assignment for the current user and a specific role, and then update the dates?</div><div class=""><br class=""></div><div class="">Thanks!</div><div class=""><br class=""></div><div class=""><br class=""></div>
<br class=""><div><blockquote type="cite" class=""><div class="">On 20 Dec 2016, at 11:40, Pavol Mederly &lt;<a href="mailto:mederly@evolveum.com" class="">mederly@evolveum.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
<div bgcolor="#FFFFFF" text="#000000" class=""><p class="">Vincent,</p><p class="">assignmentTargetSearch most probably does not allow setting the
dates. In the code it is quite straightforward:</p><p class=""><tt class="">ActivationType act = ...</tt><tt class=""><br class="">
</tt><tt class="">act.setValidFrom(...)</tt><tt class=""><br class="">
</tt><tt class="">act.setValidTo(...)</tt><tt class=""><br class="">
</tt><tt class="">assignment.setActivation(act)</tt><tt class=""><br class="">
</tt></p>
<pre class="moz-signature" cols="72">Pavol Mederly
Software developer
<a href="http://evolveum.com" class="">evolveum.com</a>
</pre>
<div class="moz-cite-prefix">On 20.12.2016 11:32, HURTEVENT VINCENT
wrote:<br class="">
</div>
<blockquote cite="mid:0B29FE34-EED1-4AAF-934D-8B45265C2A24@univ-lyon1.fr" type="cite" class="">
Hi Ivan,
<div class=""><br class="">
</div>
<div class="">Thank you for your answer,</div>
<div class=""><br class="">
</div>
<div class="">We would like to deal with account lifecycle with
the rules and validity dates applied to assignment.</div>
<div class="">How could we write our objectTemplate mapping to
apply these dates?</div>
<div class=""><br class="">
</div>
<div class="">Could we do this directly using an expression and
assignmentTargetSearch, or do we have to do this with script code,
as we have begun to do in this snippet:</div>
<div class=""><br class="">
</div>
<div class=""><a moz-do-not-send="true" href="http://pastebin.com/ftsgzvZs" class="">http://pastebin.com/ftsgzvZs</a></div>
<div class=""><br class="">
</div>
<div class="">Is there a method to set the validity dates? Like
assignment.setValidityFrom or something like that?</div>
<div class=""><br class="">
</div>
<div class="">Thanks!</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">
<br class="">
<div class="">
<blockquote type="cite" class="">
<div class="">On 14 Dec 2016, at 11:42, Ivan Noris &lt;<a moz-do-not-send="true" href="mailto:ivan.noris@evolveum.com" class="">ivan.noris@evolveum.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div bgcolor="#FFFFFF" text="#000000" class=""><p class="">Hi,</p><p class="">by default, if you unassign the (last) role
which represents the account, the account would be
deleted.</p><p class="">If you assign the roles automatically in
object templates, by some condition, e.g. employee
status, it would work automatically.</p><p class="">On the other hand, midPoint can be configured
to unassign roles but not to delete the accounts, only
to disable them. Or to disable them and delete them later (in 30
days for example). See here:
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation">https://wiki.evolveum.com/display/midPoint/Resource+Schema+Handling%3A+Activation</a></p><p class="">But if you wish to unassign all roles
(regardless of whether they were assigned automatically by
template or manually), this could be more complicated.</p><p class="">Ivan<br class="">
</p>
<div class="moz-cite-prefix">On 12/14/2016 11:04 AM,
HURTEVENT VINCENT wrote:<br class="">
</div>
<blockquote cite="mid:0E125049-578B-415E-B525-4FCDCBD2564E@univ-lyon1.fr" type="cite" class="">
<pre class="" wrap="">Hello,
We’re working on a PoC for our university with the creation of directory accounts with the information provided by our upstream resources (HR and student information systems).
As many of our people have several profiles, mainly staff and student, it appears that working with intents is a good solution. So we began to write our process: one user, several intents, and objectTemplates which define assignments which induce accounts in downstream directories.
When a person comes from upstream with a specific profile, for example staff and student, we assign the staff Role and the student Role and the 2 accounts are correctly created in the downstream directories.
Now, we would like, in reaction to a deleted situation in a specific upstream resource, to keep the user in midPoint but unassign roles and potentially assign specific roles which could lead to specific manipulation of accounts (disable on AD, modify attributes, etc.).
We looked at activation status but we don’t really understand how to use it with a specific intent. Validity dates will be different between the staff contract dates and the student registration dates, for example.
Is there a simple way to define, in resources, an unassign action in reaction to a deleted situation?
Thank you,</pre>
<br class="">
<pre class="" wrap="">_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br class="">
<pre class="moz-signature" cols="72">--
Ivan Noris
Senior Identity Engineer
<a moz-do-not-send="true" href="http://evolveum.com/" class="">evolveum.com</a>
</pre>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
<br class="">
</blockquote>
<br class="">
</div>
</div></blockquote></div><br class=""></body></html>