
MidPoint 4.2 and later

EXPERIMENTAL

This feature is experimental. It is not intended for production use. The feature is not finished and it is not stable. The implementation may contain bugs, the configuration may change at any moment without warning, and it may not work at all. Use at your own risk. This feature is not covered by midPoint support. If you are interested in supporting the development of this feature, please consider purchasing a midPoint Platform subscription.

Overview

Is it possible to delete an organization in such a way that its members (users, child orgs, and other objects) do not end up in an inconsistent state? That is, can their assignments to that org be deleted instead of being left dangling?

Yes, this can be easily implemented using a simple policy rule.

An implementation

The implementation of this scenario consists of a single global policy rule.

Global policy rule that ensures members are unassigned from the org being deleted
<globalPolicyRule>
    <focusSelector>
        <type>OrgType</type>
        <!-- finer selection (e.g. based on archetype) can be used here if needed -->
    </focusSelector>
    <name>unassign-children-on-org-deletion</name>
    <documentation>
        Unassigns members when an org is deleted.
    </documentation>
    <policyConstraints>
        <modification>
            <operation>delete</operation>
        </modification>
    </policyConstraints>
    <policyActions>
        <scriptExecution>
            <object>
                <linkSource/> <!-- all objects linked to the current focus -->
            </object>
            <executeScript>
                <s:unassign>
                    <s:filter>
                        <q:ref>
                            <!-- all assignments targeting the current focus -->
                            <q:path>targetRef</q:path>
                            <expression>
                                <script>
                                    <code>
                                        import com.evolveum.midpoint.schema.util.ObjectTypeUtil
                                        ObjectTypeUtil.createObjectRef(focus.oid)
                                    </code>
                                </script>
                            </expression>
                        </q:ref>
                    </s:filter>
                </s:unassign>
            </executeScript>
        </scriptExecution>
    </policyActions>
</globalPolicyRule>

The complete configuration for this scenario is in the https://github.com/Evolveum/midpoint/tree/master/model/model-intest/src/test/resources/linked/orgs directory (and the associated system configuration file).

Limitations

This scenario works in the majority of cases. More specifically, it assumes that "assigned" is the same as "linked":

  1. All assignments are effective (valid, with conditions evaluated to true), so they are reflected in links.
  2. All links are backed by assignments, i.e. there are no links created by inducements or created manually (by editing parentOrgRef).

However, the scenario can be extended and made more robust by:

  1. Replacing the linkSource specification with a custom query that uses assignment/targetRef filters.
  2. Creating an additional global policy rule that will clean up the inducements for the organization being deleted.
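
To check whether the "assigned is the same as linked" assumption holds before deleting an org, exported objects can be scanned for mismatches. The following is an added example, not part of the midPoint code base or the original page. It assumes an export wrapped in an `<objects>` element in the common-3 namespace and treats parentOrgRef as the link; the sample data and the `find_mismatches` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# midPoint common-3 namespace in ElementTree's {uri}tag notation
C = "{http://midpoint.evolveum.com/xml/ns/public/common/common-3}"

# Constructed sample export (not real data). bob's assignment is disabled,
# so no link exists; carol has a manually added parentOrgRef only.
SAMPLE = """<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
  <user oid="u1"><name>alice</name>
    <assignment><targetRef oid="org-1" type="OrgType"/></assignment>
    <parentOrgRef oid="org-1" type="OrgType"/>
  </user>
  <user oid="u2"><name>bob</name>
    <assignment>
      <targetRef oid="org-1" type="OrgType"/>
      <activation><administrativeStatus>disabled</administrativeStatus></activation>
    </assignment>
  </user>
  <user oid="u3"><name>carol</name>
    <parentOrgRef oid="org-1" type="OrgType"/>
  </user>
  <org oid="org-2"><name>child</name>
    <assignment><targetRef oid="org-9" type="OrgType"/></assignment>
    <parentOrgRef oid="org-9" type="OrgType"/>
  </org>
</objects>"""


def find_mismatches(xml_text, org_oid):
    """Return {name: reason} for objects whose assignment and link to org_oid disagree."""
    report = {}
    for obj in ET.fromstring(xml_text):
        name = obj.findtext(C + "name")
        assigned = any(ref.get("oid") == org_oid
                       for ref in obj.findall(f"{C}assignment/{C}targetRef"))
        linked = any(ref.get("oid") == org_oid
                     for ref in obj.findall(C + "parentOrgRef"))
        if assigned and not linked:
            # Limitation 1: linkSource selects by link, so this object is skipped.
            report[name] = "assigned but not linked: linkSource will not select it"
        elif linked and not assigned:
            # Limitation 2: the unassign filter finds no assignment to remove.
            report[name] = "linked without assignment: unassign has nothing to remove"
    return report


if __name__ == "__main__":
    for name, reason in find_mismatches(SAMPLE, "org-1").items():
        print(f"{name}: {reason}")
```

Any object reported here would keep a reference to the deleted org under the rule above and needs one of the two extensions listed.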