That's it. The variable legal is a special-purpose variable that is available in the activation mappings. It is set to true if the account is legal, that is, if there is a valid assignment for that account or if the account is allowed by any other policy (such as Projection Policy). The legal variable is set to false if there is no "habeas corpus" for that account, i.e. the account should not be there. This mapping simply passes the user's administrative status (which is stored in the input variable) if the account is legal, but it always sets the account status to disabled if the account is not legal.
Even more complex logic can be used in activation expressions using the "shadow" implicit variable. The following code fragment creates the account only after the focus has been fully enabled in midPoint and never deletes the account.
<existence>
    <outbound>
        <strength>weak</strength>
        <expression>
            <!-- Expose the focus effective activation status to the script -->
            <variable>
                <name>effectiveStatus</name>
                <c:path>$focus/activation/effectiveStatus</c:path>
            </variable>
            <c:script>
                <c:code>
                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                    // true once the focus is enabled, or whenever a shadow is already present
                    focusExists &amp;&amp; (effectiveStatus == ActivationStatusType.ENABLED || shadow != null)
                </c:code>
            </c:script>
        </expression>
    </outbound>
</existence>
There is a complete example in midPoint Integration Tests: