<div dir="ltr">Hi Pavol,<div>I agree - looks really tricky. While I'm trying to understand what exactly happens there, could you answer another related question?<br><br><div>I found that there is a <notify/> action under policyActions/scriptExecution/executeScript which is configurable in a clear way.</div><div>But I found that I can't execute this correctly under a tenant user. To execute the notify action we need full access like superuser - see the 1st runAsRef. In this case recipientExpression ignores the tenancy limitation during the user search in the script below. So we need a 2nd runAsRef to run the script as the currently logged-in user, who is a user of the current tenant. In the case of a static oid of this user things work fine - the script returns only users from this tenant. I simply can't write the xml for the dynamic case. Could you help?</div>
<pre>
<policyActions>
    <scriptExecution>
        <runAsRef oid="00000000-0000-0000-0000-000000000002" />
        <object>
            <currentObject/>
        </object>
        <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
            <s:notify>
                <s:handler>
                    <generalNotifier>
                        <recipientExpression>
                            <!-- static approach works - oid of the currently logged-in user -->
                            <runAsRef oid="d94e7fdc-0935-4b51-9205-6417a598f235" />

                            <!-- but how to arrange the dynamic case?
                            <runAsRef>
                                <filter>
                                    <q:ref>
                                        <q:path> ??????????? </q:path>
                                        <expression>
                                            <script>
                                                <code>
                                                    import com.evolveum.midpoint.schema.util.ObjectTypeUtil

                                                    return [ObjectTypeUtil.createOidOnlyObjectRef(<b>actor</b>)]
                                                </code>
                                            </script>
                                        </expression>
                                    </q:ref>
                                </filter>
                            </runAsRef>
                            -->

                            <script>
                                <code>
                                    import ....

                                    HashSet notifyTo = new HashSet()

                                    // look for admins with the tenant-based authorization role assigned
                                    ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
                                            .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
                                            .build()
                                    // if the search runs under a tenant user (the currently logged-in user), it returns users from this tenant only
                                    for (UserType user : midpoint.searchObjects(UserType.class, query)) {
                                        String email = user.getEmailAddress()
                                        if (email != null) {
                                            notifyTo.add(email)
                                        }
                                    }

                                    return notifyTo
                                </code>
                            </script>
                        </recipientExpression>

                        <bodyExpression>
                                ....
                        </bodyExpression>

                        <transport>file</transport>
                    </generalNotifier>
                </s:handler>
            </s:notify>
        </executeScript>
    </scriptExecution>
</policyActions>
</pre>
</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 29 Jun 2023 at 14:01, Pavol Mederly via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div>
    <p>Hello Yakov,</p>
    <p>this one is highly experimental; and the documentation is
      probably waiting for a sponsor (i.e., a customer needing it).<br>
    </p>
    <p>However, as usual, I'd suggest searching through midPoint test
      sources. Each feature (even experimental ones, at least the majority
      of them) should have some tests created for it.</p>
    <p>This one is no exception, although trickier than usual. It
      seems to me that TestRbac.test870AssignRoleScreaming would provide
      some hints.<br>
    </p>
    <p>Regards,<br>
    </p>
    <pre cols="72">-- 
Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
    <div>On 27/06/2023 07:21, Yakov Revyakin via
      midPoint wrote:<br>
    </div>
    <blockquote type="cite">
      
      <div dir="ltr">Any ideas?</div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Thu, 15 Jun 2023 at 09:54,
          Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
          <div dir="ltr">Hi all,<br>
            <div>It's not clear it is possible currently to use
              <notification> as policy action.</div>
            <div><br>
            </div>
            <div>            <policyActions><br>
                              <notification><br>
                                  <???????><br>
                              </notification><br>
                          </policyActions><br>
              <br>
              Is there any sample of how to deal with this?</div>
            <div><br>
            </div>
            <div>Or, maybe, an alternative way? Actually, I'd like to
              notify if a transition based on objectState
              is triggered.</div>
            <div><br>
            </div>
            <div>Thanks,</div>
            <div>Yakov</div>
          </div>
        </blockquote>
      </div>
      <br>
      <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
    </blockquote>
  </div>

</blockquote></div>
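A defensive variant of the recipientExpression script from the message above, added here as an example and not code from the thread or from midPoint's own sources: it keeps the superuser runAsRef of the original XML (so the search is not tenant-restricted) and instead filters recipients by the actor's tenant inside the script, returning no recipients at all when the actor has no tenant. It assumes `actor` is the logged-in user as used in the post, that `tenantRef` is readable on the returned UserType objects (ObjectType's tenantRef), and it reuses the role oid from the post.

```groovy
// Added example (not from the thread). Runs as the recipientExpression script
// under the superuser runAsRef of the original XML, so midpoint.searchObjects()
// sees users of ALL tenants; the tenant check below is what limits recipients.
// Assumptions: 'actor' is the logged-in user (as in the post); UserType exposes
// tenantRef via ObjectType#getTenantRef(); the role oid is copied from the post.
import com.evolveum.midpoint.prism.query.ObjectQuery
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

String actorTenantOid = actor?.tenantRef?.oid

// Fail closed: an actor without a tenant (e.g. a superuser) must not cause a
// notification to the administrators of every tenant.
if (actorTenantOid == null) {
    return new HashSet<String>()
}

Set<String> notifyTo = new HashSet<String>()

// same role-membership query as in the post
ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
        .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
        .build()

for (UserType user : midpoint.searchObjects(UserType.class, query)) {
    // explicit tenant match, independent of whether the search itself was tenant-scoped
    if (user.tenantRef?.oid != actorTenantOid) {
        continue
    }
    String email = user.getEmailAddress()
    if (email != null) {
        notifyTo.add(email)
    }
}

return notifyTo
```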