Thank you Patrik and Pascal.
I will take a look at this next week.

Kind regards,
Markus

Sent from Proton Mail mobile



-------- Original Message --------
On 12 Oct 2023, 14:48, <midpoint-request@lists.evolveum.com> wrote:

Send midPoint mailing list submissions to
        midpoint@lists.evolveum.com

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.evolveum.com/mailman/listinfo/midpoint
or, via email, send a message with subject or body 'help' to
        midpoint-request@lists.evolveum.com

You can reach the person managing the list at
        midpoint-owner@lists.evolveum.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of midPoint digest..."


Today's Topics:

   1. Re: automatically unassign all roles on disable (Pascal PERICHON)
   2. Re: automatically unassign all roles on disable (Patrik Sidler)


----------------------------------------------------------------------

Message: 1
Date: Thu, 12 Oct 2023 12:34:27 +0200
From: Pascal PERICHON <pascal.perichon@u-paris.fr>
To: Markus Calmius via midPoint <midpoint@lists.evolveum.com>
Subject: Re: [midPoint] automatically unassign all roles on disable
Message-ID: <dcf28336-7337-46bb-aa8f-c39614322b8d@u-paris.fr>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hi,

The documentation was not updated.

Something like this:

    import com.evolveum.midpoint.xml.ns._public.common.common_3.*

    // one delta builder, collecting a delete for every assignment
    assignmentDelta = midpoint.deltaFor(UserType.class)

    for (AssignmentType assign : user.getAssignment()) {

              ...

        assignmentDelta = assignmentDelta.item(UserType.F_ASSIGNMENT).delete(assign)

              ...

    }

    // swallow the collected item deltas once, after the loop
    myDeltas = assignmentDelta.asItemDeltas()
    modelContext.getFocusContext().swallowToSecondaryDelta(myDeltas)

    modelContext.rot()


You should call "swallowToSecondaryDelta()" only once: put it outside
the "for" loop.

Not sure that "assign.clone()" works: maybe (not sure) you should use
only "assign".

Best regards and good luck :)

On 12/10/2023 at 11:58, Markus Calmius via midPoint wrote:
> Hi,
>
> I am trying to figure out how to make sure all roles are unassigned
> when a user is removed or disabled from HR.
> I've found:
> https://docs.evolveum.com/midpoint/reference/concepts/clockwork/scripting-hooks/ which
> contain Example 1 that should do the trick.
> Although, it doesn't quite work on 4.7.2 it seems, I get: "Expression
> error: Groovy Evaluation Failed: No such property: ContainerDelta for
> class: (new)_"
>
> Two questions:
>
>  1. is there an easier way?
>  2. trying to figure out what is wrong is not super easy, it's been
>     years since I actually coded. Any guidance is greatly appreciated.
>     I assume the createModificationDelete has changed some input
>     parameters
>
>
> I'm testing the script in the query playground with one disabled user.
> <expression>
>     <script>
>         <code>
>             import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
>             import com.evolveum.midpoint.prism.*;
>
>             UserType user = (UserType) midpoint.searchObjectByName(UserType.class, '<redacted username>');
>             ActivationStatusType administrativeStatus = user.getActivation().getEffectiveStatus();
>             if (administrativeStatus == ActivationStatusType.DISABLED) {
>                 for (AssignmentType assign : user.getAssignment()) {
>                     changed = false;
>                     assignmentDelta = ContainerDelta.createModificationDelete(UserType.F_ASSIGNMENT, UserType.class, prismContext, assign.clone());
>                     modelContext.getFocusContext().swallowToSecondaryDelta(assignmentDelta);
>                     changed = true;
>                 }
>                 if (changed) {
>                     modelContext.rot(); // this makes Projector to recompute the model context
>                 }
>             }
>         </code>
>     </script>
> </expression>
>
> Thanks in Advance
> Markus
>
> _______________________________________________
> midPoint mailing list
> midPoint@lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20231012/1c635090/attachment-0001.htm>
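Putting Pascal's delta-builder suggestion together with the hook Markus was trying to port, here is a complete scripting hook as an added example (my code, not Pascal's, Markus's or Evolveum's). It assumes the `<modelHooks>/<change>/<hook>` layout and the `modelContext`, `prismContext` and `log` variables described on the scripting-hooks page; the `keepTargetOids` set and its all-zero OID are hypothetical placeholders for assignments (for instance a "disabled" archetype) that must survive on a disabled user. Verify the hook element names, the hook state and the `modelContext.rot()` call against your own midPoint version, since the thread itself reports that the documentation example is out of date.

```xml
<!-- Added example: fragment of <systemConfiguration>. Element names are assumed
     from the scripting-hooks documentation page; check them for your version. -->
<modelHooks>
    <change>
        <hook>
            <name>Unassign everything when a user is disabled</name>
            <state>primary</state>
            <focusType>UserType</focusType>
            <script>
                <code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.*

                    // Assumption: target OIDs of assignments that must stay on a disabled user
                    // (e.g. a "disabled" archetype). The all-zero OID is a hypothetical placeholder.
                    def keepTargetOids = ['00000000-0000-0000-0000-000000000000'] as Set

                    def focusCtx = modelContext.getFocusContext()
                    if (focusCtx == null || focusCtx.getObjectNew() == null) {
                        return   // no focus, or the user is being deleted: nothing to unassign
                    }
                    UserType user = focusCtx.getObjectNew().asObjectable()

                    // administrativeStatus is what an HR-driven mapping sets; effectiveStatus
                    // additionally covers validity (validTo) and lockout, so pick deliberately.
                    def status = user.activation?.administrativeStatus
                    if (status != ActivationStatusType.DISABLED) {
                        return
                    }

                    // Collect id-only container values: deleting by container id does not depend
                    // on full value equality, which is what the "assign.clone()" doubt was about.
                    def toDelete = []
                    for (AssignmentType a : user.getAssignment()) {
                        if (a.getId() == null) continue                       // not stored yet, no id to delete by
                        if (keepTargetOids.contains(a.targetRef?.oid)) continue
                        def idOnly = new AssignmentType()
                        idOnly.setId(a.getId())
                        toDelete.add(idOnly.asPrismContainerValue())
                    }

                    if (!toDelete.isEmpty()) {
                        log.info("Disabled user {}: removing {} assignment(s)", user.getName(), toDelete.size())
                        def deltas = prismContext.deltaFor(UserType.class)
                                .item(UserType.F_ASSIGNMENT).delete(toDelete)
                                .asItemDeltas()
                        focusCtx.swallowToSecondaryDelta(deltas)   // once, outside the loop
                        modelContext.rot()                          // make the projector recompute, as in the docs example
                    }
                </code>
            </script>
        </hook>
    </change>
</modelHooks>
```

Two caveats before deploying this. The hook runs on every user operation, so keep the early returns in place and test it on a single disabled user before enabling it globally. Deleting assignments is also not reversible on re-enable: the user comes back with no roles, whereas disabling accounts through activation mappings keeps the assignments and only turns the accounts off. Decide which of the two is the deprovisioning behaviour you actually want before removing anything.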

------------------------------

Message: 2
Date: Thu, 12 Oct 2023 12:48:21 +0000
From: Patrik Sidler <patrik.sidler@itconcepts.ch>
To: midPoint General Discussion <midpoint@lists.evolveum.com>
Cc: Markus Calmius <markus.calmius@proton.ch>
Subject: Re: [midPoint] automatically unassign all roles on disable
Message-ID:
        <GVAP278MB0231D92E3828F19B64FB5D81EFD3A@GVAP278MB0231.CHEP278.PROD.OUTLOOK.COM>

Content-Type: text/plain; charset="utf-8"

Hi Markus,

In our environment, every user is either internal, external or disabled. We have created a role for every type of user.
The role for internal and external employees induces the archetype and assigns a policy that removes all assigned roles if the user moves from internal/external to disabled.

Here is the role we assign to internal employees:

<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3"
      xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3"
      xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3"
      xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <name>Role for Internal Employee</name>
    <description>This role is assigned to all enabled internal Employees</description>
    <displayName>Role Internal Employee</displayName>
    <indestructible>true</indestructible>
    <requestable>false</requestable>
    <inducement id="3">
        <!-- assign archetype for Internal Employee -->
        <targetRef oid="333c8ef8-f58a-4550-8a31-b68e3a4c320a" relation="org:default" type="c:RoleType"/>
    </inducement>
    <assignment>
        <policyRule>
            <name>This assignment is to remove all assignments except "Archetype Disabled Employee" and "Role Disabled Employee"</name>
            <policyConstraints>
                <!-- fires when this role's assignment is deleted from the user -->
                <assignment>
                    <operation>delete</operation>
                </assignment>
            </policyConstraints>
            <policyActions>
                <scriptExecution>
                    <executeScript xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3">
                        <s:pipeline list="true">
                            <s:action>
                                <s:type>execute-script</s:type>
                                <s:parameter xmlns:qn63="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
                                    <s:name>script</s:name>
                                    <c:value xsi:type="c:ScriptExpressionEvaluatorType">
                                        <c:code>
                                            import com.evolveum.midpoint.xml.ns._public.common.common_3.*
                                            import com.evolveum.midpoint.prism.delta.builder.*
                                            import com.evolveum.midpoint.model.api.*
                                            import static com.evolveum.midpoint.schema.constants.SchemaConstants.C_ORG_TYPE
                                            import javax.xml.namespace.QName

                                            log.info("Check if Assignments to delete because user is no longer an Internal Employee")

                                            // OIDs of "Role Disabled Employee" and "Archetype Disabled Employee": these must survive
                                            def keepOids = ["b72686bd-dcbd-4e9a-a5bb-15988b6a9a26",
                                                            "78c3c3a9-6f8a-4876-9a21-b9a70ec1b8b1"] as Set

                                            def assignmentsToDelete = []
                                            user = midpoint.getObject(UserType.class, input.oid)
                                            for (a in user.assignment) {
                                                // keep only the two protected targets; every other assignment is deleted by id
                                                // (a test of the form "oid != X || oid != Y" is always true and would delete everything)
                                                if (!keepOids.contains(a.targetRef?.oid)) {
                                                    def removeAssignment = new AssignmentType()
                                                    removeAssignment.id = a.id   // id-only value: the delete matches on container id
                                                    assignmentsToDelete.add(removeAssignment.asPrismContainerValue())
                                                }
                                            }
                                            if (!assignmentsToDelete.empty) {
                                                log.info("Assignments to delete because user is no longer InternalEmployee: " + assignmentsToDelete)
                                                def delta = prismContext.deltaFor(UserType.class).item(UserType.F_ASSIGNMENT).delete(assignmentsToDelete).asObjectDelta(user.oid)
                                                midpoint.modifyObject(delta)
                                            }
                                        </c:code>
                                    </c:value>
                                </s:parameter>
                            </s:action>
                        </s:pipeline>
                    </executeScript>
                </scriptExecution>
            </policyActions>
        </policyRule>
        <activation>
            <effectiveStatus>enabled</effectiveStatus>
        </activation>
    </assignment>
</role>

Maybe this code will help to solve your problem.

Best Regards
Patrik

From: midPoint <midpoint-bounces@lists.evolveum.com> On behalf of Markus Calmius via midPoint
Sent: Thursday, 12 October 2023 11:59
To: midPoint General Discussion <midpoint@lists.evolveum.com>
Cc: Markus Calmius <markus.calmius@proton.ch>
Subject: [midPoint] automatically unassign all roles on disable

Hi,

I am trying to figure out how to make sure all roles are unassigned when a user is removed or disabled from HR.
I've found: https://docs.evolveum.com/midpoint/reference/concepts/clockwork/scripting-hooks/ which contain Example 1 that should do the trick.
Although, it doesn't quite work on 4.7.2 it seems, I get: "Expression error: Groovy Evaluation Failed: No such property: ContainerDelta for class: (new)_"

Two questions:

  1.  is there an easier way?
  2.  trying to figure out what is wrong is not super easy, it's been years since I actually coded. Any guidance is greatly appreciated. I assume the createModificationDelete has changed some input parameters

I'm testing the script in the query playground with one disabled user.
<expression>
    <script>
<code>
            import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
            import com.evolveum.midpoint.prism.*;

   UserType user = (UserType) midpoint.searchObjectByName(UserType.class, '<redacted username>');
   ActivationStatusType administrativeStatus = user.getActivation().getEffectiveStatus();
   if (administrativeStatus == ActivationStatusType.DISABLED) {
            for (AssignmentType assign : user.getAssignment()) {
                    changed = false;
                    assignmentDelta = ContainerDelta.createModificationDelete(UserType.F_ASSIGNMENT, UserType.class, prismContext, assign.clone());
                    modelContext.getFocusContext().swallowToSecondaryDelta(assignmentDelta);
                    changed = true;
                }
                if (changed) {
                    modelContext.rot(); // this makes Projector to recompute the model context
                }
   }
</code>
</script>
</expression>

Thanks in Advance
Markus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.evolveum.com/pipermail/midpoint/attachments/20231012/f9283c63/attachment.htm>

------------------------------

Subject: Digest Footer

_______________________________________________
midPoint mailing list
midPoint@lists.evolveum.com
https://lists.evolveum.com/mailman/listinfo/midpoint


------------------------------

End of midPoint Digest, Vol 138, Issue 9
****************************************