<div dir="ltr">Hi, this sounds like something totally doable in midPoint. I suggest creating a mapping in the user object template, using activation/effectiveStatus as the mapping source; then you can e.g. use assignmentTargetSearch to assign/unassign the role. M. <div><br></div><div>Some similar code we use for the end-user role:</div><div><div><br></div><div><div>   <mapping></div><div>      <name>End-User role</name></div><div>      <tolerant>true</tolerant></div><div>      <strength>strong</strength></div><div>      <source></div><div>         <c:path>$focus/activation/administrativeStatus</c:path></div><div>      </source></div><div>      <source></div><div>         <c:path>$focus/activation/disableTimestamp</c:path></div><div>      </source></div><div>      <source></div><div>         <c:path>$focus/extension/evidentiary_status</c:path></div><div>      </source></div><div>      <expression></div><div>         <assignmentTargetSearch xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"</div><div>                                 xsi:type="c:SearchObjectRefExpressionEvaluatorType"></div><div>            <includeNullInputs>true</includeNullInputs></div><div>            <targetType>c:RoleType</targetType></div><div>            <oid>00000000-0000-0000-0000-000000000008</oid></div><div>         </assignmentTargetSearch></div><div>      </expression></div><div>      <target></div><div>         <c:path>assignment</c:path></div><div>      </target></div><div>      <condition></div><div>         <script xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"</div><div>                 xsi:type="c:ScriptExpressionEvaluatorType"></div><div>            <includeNullInputs>true</includeNullInputs></div><div>            <code></div><div>// stripped</div><div>            </code></div><div>         </script></div><div>      
</condition></div><div>      <evaluationPhase>beforeAssignments</evaluationPhase></div><div>   </mapping></div></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><b>Martin Lízner</b><br>solution architect<br>gsm: [+420] 737 745 571<br>e-mail: <a href="mailto:martin.lizner@ami.cz" target="_blank">martin.lizner@ami.cz</a><br>AMI Praha a.s., Pláničkova 11, 162 00 Praha 6<br>tel.: [+420] 274 783 239<br>web: <a href="http://www.ami.cz/" target="_blank">www.ami.cz</a></div></div></div>
<br><div class="gmail_quote">2017-09-01 16:26 GMT+02:00 Wojciech Staszewski <span dir="ltr"><<a href="mailto:wojciech.staszewski@diagnostyka.pl" target="_blank">wojciech.staszewski@diagnostyka.pl</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<br>
Is there a possibility to auto-assign a role when I disable a user?<br>
And unassign this role when the user is enabled (if the role is assigned)?<br>
<br>
I have a resource (scripted SQL connector) where disabled users are members of a group called "Disabled", and there is no special activation attribute apart from this.<br>
<br>
The resource has "enforcement policy: full" and "tolerant: false" (important!).<br>
<br>
The result:<br>
- When I disable a user, my Groovy script assigns the user to the "Disabled" group,<br>
- This group is also visible in the Entitlements, because it is a normal group among the other groups,<br>
- On reconciliation, midPoint removes the user from this group because there is no role assigning it. :)<br>
<br>
Concepts:<br>
<br>
1) Make an auto-assigned role: when the user has an account in the resource and is disabled, assign the role "disabled group membership" to this user (and remove it on enable).<br>
<br>
2) In SearchScript.groovy, change the SQL that selects the group list so that it skips the "Disabled" group (select ... from ... where ... and groupname <> 'Disabled' ...)<br>
   and likewise the SQL query that selects user group membership. In this case midPoint will not be able to manage this particular group.<br>
<br>
The second method is very easy but it's more like a workaround; the first sounds like a challenge but is more proper (I think).<br>
<br>
Regards,<br>
Wojciech Staszewski<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" rel="noreferrer" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
</blockquote></div><br></div>
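A complete user object template along the lines Martin sketches, written as an added example rather than code from the thread or from midPoint's own samples; it keys only on activation/effectiveStatus, and the template OID, the role name "Disabled group membership" and the Groovy condition are assumptions:

```xml
<!-- User object template (added example). Role name, OID and condition are assumed. -->
<objectTemplate xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
                xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
                oid="REPLACE-WITH-TEMPLATE-OID">
    <name>User template: Disabled group role</name>
    <mapping>
        <name>Disabled group membership role</name>
        <!-- strong + authoritative: the assignment exists exactly while the condition holds,
             so enabling the user removes it again and reconciliation no longer fights the group -->
        <strength>strong</strength>
        <authoritative>true</authoritative>
        <source>
            <!-- effectiveStatus already combines administrativeStatus, validity and lifecycle -->
            <name>effectiveStatus</name>
            <c:path>$focus/activation/effectiveStatus</c:path>
        </source>
        <expression>
            <assignmentTargetSearch>
                <targetType>c:RoleType</targetType>
                <!-- look the role up by name; Martin's variant uses a fixed <oid> instead -->
                <filter>
                    <q:equal>
                        <q:path>name</q:path>
                        <q:value>Disabled group membership</q:value>
                    </q:equal>
                </filter>
            </assignmentTargetSearch>
        </expression>
        <target>
            <c:path>assignment</c:path>
        </target>
        <condition>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType
                    // Groovy '==' is null-safe: a user with no effective status stays unassigned
                    effectiveStatus == ActivationStatusType.DISABLED
                </code>
            </script>
        </condition>
        <!-- evaluate before assignments so the new role is processed in the same run -->
        <evaluationPhase>beforeAssignments</evaluationPhase>
    </mapping>
</objectTemplate>
```

With the resource kept at enforcement full / tolerant false, the "Disabled" entitlement is then granted solely through this role, so reconciliation preserves the membership instead of removing it.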