<div dir="ltr">Pavol, no problem. <br><div><br></div><div>I implemented what I needed, but I think the approach is not ideal. I can't change runAsRef dynamically to run the expression under a tenant user. So, I filter users programmatically in the script. The code below is a part of the user archetype. The policyRule is triggered by a transition of an unknown administrativeStatus to enabled/disabled.</div><div><pre>
<inducement>
  <policyRule>
    <policyConstraints>
      <transition>
        <stateBefore>false</stateBefore>
        <stateAfter>true</stateAfter>
        <constraints>
          <objectState>
            <filter>
              <q:not>
                <q:equal>
                  <q:path>activation/administrativeStatus</q:path>
                </q:equal>
              </q:not>
            </filter>
          </objectState>
        </constraints>
      </transition>
    </policyConstraints>
    <policyActions>
      <scriptExecution>
        <runAsRef oid="00000000-0000-0000-0000-000000000002" />
        <object>
          <currentObject/>
        </object>
        <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
          <s:notify>
            <s:handler>
              <generalNotifier>
                <recipientExpression>
                  <script>
                    <code>
                      import com.evolveum.midpoint.prism.PrismObjectValue
                      import com.evolveum.midpoint.prism.query.ObjectQuery
                      import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

                      // the user whose administrativeStatus transition triggered the rule
                      UserType current = ((UserType)((PrismObjectValue)event.object).asObjectable())
                      // guard: a user without tenantRef would otherwise throw a NullPointerException below
                      String tenantOid = current.getTenantRef()?.getOid()
                      if (tenantOid == null) {
                        return new HashSet<String>()
                      }

                      HashSet<String> notifyTo = new HashSet<String>()

                      // users holding the tenant-admin role; the search runs as superuser (runAsRef above),
                      // so tenancy is not enforced by the authorization layer and is filtered below
                      ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
                          .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
                          .build()

                      for (UserType user : midpoint.searchObjects(UserType.class, query)) {
                        String email = user.getEmailAddress()
                        if (user.getTenantRef() != null && email != null
                            && user.getTenantRef().getOid() == tenantOid) {
                          notifyTo.add(email)
                        }
                      }

                      return notifyTo
                    </code>
                  </script>
                </recipientExpression>
                <bodyExpression>
                  <script>
                    <language>http://midpoint.evolveum.com/xml/ns/public/expression/language#velocity</language>
                    <code>$event.object acquired a direct Administrative status</code>
                  </script>
                </bodyExpression>
                <transport>file</transport>
                <transport>mail</transport>
              </generalNotifier>
            </s:handler>
          </s:notify>
        </executeScript>
      </scriptExecution>
    </policyActions>
  </policyRule>
  <focusType>UserType</focusType>
</inducement>
</pre></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 29 Jun 2023 at 16:15, Pavol Mederly via midPoint <<a href="mailto:midpoint@lists.evolveum.com">midpoint@lists.evolveum.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Yakov,</p>
<p>I am sorry, but - in general - we developers do not answer
questions here on the list. I try to give general answers where I
can do that quickly, or where it is well-aligned with my daily
development work.</p>
<p>So, unfortunately, I cannot help you with your further questions.<br>
</p>
<p>I hope someone from the community could do that; ... or, our
professional consultancy services would welcome you :)</p>
<p>Best regards,<br>
</p>
<pre cols="72">--
Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
<div>On 29/06/2023 15:06, Yakov Revyakin via
midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Pavol,
<div>I agree - looks really tricky. While I'm trying to
understand what exactly happens there, could you answer
another related question?<br>
<br>
<div>I found that there is a <notify/> action under
policyActions/scriptExecution/executeScript which is
configurable in a clear way.</div>
<div>But I found that I can't execute this correctly under a
tenant user. To execute the notify action we need full access,
like superuser - see the 1st runAsRef. In this case
recipientExpression ignores the tenancy limitation during the user
search in the script below. So, we need a 2nd runAsRef to run
the script as the current logged-in user, which is a user of
the current tenant. With a static oid of this user
things work fine - the script returns only users from this
tenant. I simply can't write the xml for the dynamic case. Could you
help?</div>
<div><pre>
<policyActions>
  <scriptExecution>
    <runAsRef oid="00000000-0000-0000-0000-000000000002" />
    <object>
      <currentObject/>
    </object>
    <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
      <s:notify>
        <s:handler>
          <generalNotifier>
            <recipientExpression>
              <!-- static approach works - oid of current logged in user -->
              <runAsRef oid="d94e7fdc-0935-4b51-9205-6417a598f235" />

              <!-- but how to arrange dynamic?
              <runAsRef>
                <filter>
                  <q:ref>
                    <q:path> ??????????? </q:path>
                    <expression>
                      <script>
                        <code>
                          import com.evolveum.midpoint.schema.util.ObjectTypeUtil

                          return [ObjectTypeUtil.createOidOnlyObjectRef(<b>actor</b>)]
                        </code>
                      </script>
                    </expression>
                  </q:ref>
                </filter>
              </runAsRef>
              -->

              <script>
                <code>
                  import ....

                  HashSet notifyTo = new HashSet()

                  // look for admins with tenant-based authorization role assigned
                  ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
                      .item(UserType.F_ROLE_MEMBERSHIP_REF).ref("00506aa0-b76c-42f8-b82c-43080f76c58a")
                      .build()
                  // if search is running under tenant user (current logged in user)
                  // returns users from this tenant only
                  for (UserType user: midpoint.searchObjects(UserType.class, query)) {
                    String email = user.getEmailAddress()
                    if (email != null) {
                      notifyTo.add(email)
                    }
                  }

                  return notifyTo
                </code>
              </script>
            </recipientExpression>

            <bodyExpression>
              ....
            </bodyExpression>

            <transport>file</transport>
          </generalNotifier>
        </s:handler>
      </s:notify>
    </executeScript>
  </scriptExecution>
</policyActions>
</pre></div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 29 Jun 2023 at 14:01,
Pavol Mederly via midPoint <<a href="mailto:midpoint@lists.evolveum.com" target="_blank">midpoint@lists.evolveum.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hello Yakov,</p>
<p>this one is highly experimental; and the documentation is
probably waiting for a sponsor (i.e., a customer needing
it).<br>
</p>
<p>However, as usual, I'd suggest searching through midPoint
test sources. Each feature (even experimental ones, at
least the majority of them) should have some tests created for
it.</p>
<p>This one is no exception, although trickier than
usual. It seems to me that
TestRbac.test870AssignRoleScreaming would provide some
hints.<br>
</p>
<p>Regards,<br>
</p>
<pre cols="72">--
Pavol Mederly
Software developer
<a href="http://evolveum.com" target="_blank">evolveum.com</a></pre>
<div>On 27/06/2023 07:21, Yakov Revyakin via midPoint wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Any ideas?</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, 15 Jun 2023 at
09:54, Yakov Revyakin <<a href="mailto:yrevyakin@gmail.com" target="_blank">yrevyakin@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Hi all,<br>
<div>It's not clear whether it is currently possible to use
<notification> as a policy action.</div>
<div><br>
</div>
<div> <policyActions><br>
<notification><br>
<???????><br>
</notification><br>
</policyActions><br>
<br>
Is there any sample of how to deal with this?</div>
<div><br>
</div>
<div>Or, maybe, an alternative way? Actually, I'd
like to notify if a transition based on
objectState is triggered. </div>
<div><br>
</div>
<div>Thanks,</div>
<div>Yakov</div>
</div>
</blockquote>
</div>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="https://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">https://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
</div>
</blockquote></div>
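The thread's working solution runs the notify action under the superuser runAsRef, which means midPoint's tenant-scoped authorizations no longer limit the user search, and the script itself has to keep recipients inside the triggering user's tenant. The Groovy below is an added illustration of a recipientExpression body that does this; it is not code from the thread or from the midPoint project. It assumes the same unwrapping of event.object that Yakov used, reuses the tenant-admin role OID from the thread as a sample value, uses midPoint's standard log and midpoint script variables, and relies on tenantRef being defined on ObjectType so that ObjectType.F_TENANT_REF names the item. The difference from the posted script is that the tenant restriction is pushed into the query with .and(), so the repository never returns other tenants' users to the script at all, and a triggering user with no tenantRef results in an empty recipient set instead of a cross-tenant fan-out.

```groovy
// Added example for the recipientExpression <code> element: tenant-scoped
// recipient lookup that stays correct even though the script runs as superuser.
import com.evolveum.midpoint.prism.PrismObjectValue
import com.evolveum.midpoint.prism.query.ObjectQuery
import com.evolveum.midpoint.xml.ns._public.common.common_3.ObjectType
import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType

// Role that marks tenant administrators. Sample value reused from the thread;
// replace with the role OID of your deployment.
final String TENANT_ADMIN_ROLE_OID = "00506aa0-b76c-42f8-b82c-43080f76c58a"

// The user whose administrativeStatus transition fired the policy rule,
// unwrapped the same way as in the posted script (assumption: event.object
// is a PrismObjectValue of a UserType here).
UserType triggering = ((PrismObjectValue) event.object).asObjectable() as UserType

// Fail closed: a user without a tenant must not be matched against every
// tenant's admins. Notify nobody and leave a trace in the log instead.
String tenantOid = triggering.tenantRef?.oid
if (tenantOid == null) {
    log.warn("Tenant notification for user {} skipped: no tenantRef on triggering object",
            triggering.name)
    return []
}

// Put the tenant restriction into the query itself. Because runAsRef is the
// superuser, authorization-based tenant filtering does not apply; the AND
// clause below is what keeps the repository from returning other tenants.
ObjectQuery query = midpoint.prismContext.queryFor(UserType.class)
        .item(UserType.F_ROLE_MEMBERSHIP_REF).ref(TENANT_ADMIN_ROLE_OID)
        .and().item(ObjectType.F_TENANT_REF).ref(tenantOid)
        .build()

Set<String> recipients = new LinkedHashSet<>()
for (UserType admin : midpoint.searchObjects(UserType.class, query)) {
    // Defence in depth: re-check the tenant on each result so that a future
    // change to the query cannot silently widen the recipient set.
    if (admin.tenantRef?.oid != tenantOid) {
        log.warn("Dropping {}: tenant {} does not match {}", admin.name,
                admin.tenantRef?.oid, tenantOid)
        continue
    }
    if (admin.emailAddress) {
        recipients.add(admin.emailAddress)
    }
}

// Returned collection becomes the recipient list of the generalNotifier.
return recipients
```

Keep the superuser runAsRef on scriptExecution as in the thread; the point of the example is that the tenant boundary is then enforced by the query and the per-result check rather than by the identity the script runs under, so a user lacking tenantRef produces no mail at all instead of a notification to every tenant's administrators.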