...

| Variable | Type | Description |
|---|---|---|
| input | boolean | legality: set to true if the object is legal (based on assignment evaluation and enforcement mode). See Assignment |
| assigned | boolean | True if there is a valid assignment for this object. |
| focusExists | boolean | Specifies whether the focal object (e.g. user) to which the resource object is linked exists. Set to true if the resource object is linked to an existing focal object. |
| focus | FocusType | Contains the complete focal object (e.g. user) |
| shadow | ShadowType | Contains the shadow for which existence is evaluated (may not be present if not yet created) |
Note
Weak existence mapping

As far as mappings are concerned, the existence of an account is a strange concept. The output (target) of the mapping is not directly bound to any property in the shadow. It only reflects whether the projection should exist or not. Therefore weak mappings behave somewhat differently here than in other parts of midPoint. The target property is virtual and never actually exists, even if the shadow already exists. Weak mappings are therefore applied even if the shadow exists, which may be quite counter-intuitive. But there is an advantage: a weak mapping will not be applied if there is any other non-weak mapping. Such a weak mapping may therefore be used to define the normal state of the account, e.g. the account should normally exist at all times, even if it is not legal. Another mapping may then be used to control other or unusual situations, e.g. we in fact want to delete the account if it is left in an illegal state for too long. Like this:

            <activation>
                <!-- Explicit existence mapping. Unassigned accounts are disabled, not deleted.
                     The accounts are deleted after 1 month -->
                <existence>
                    <outbound>
                        <name>default existence</name>
                        <strength>weak</strength>
                        <expression>
                            <path>$focusExists</path>
                        </expression>
                    </outbound>
                    <outbound>
                        <name>delayed delete</name>
                        <timeFrom>
                            <referenceTime>
                                <path>$shadow/activation/disableTimestamp</path>
                            </referenceTime>
                            <offset>P1M</offset>
                        </timeFrom>
                        <source>
                            <path>$shadow/activation/administrativeStatus</path>
                        </source>
                        <source>
                            <path>$shadow/activation/disableReason</path>
                        </source>
                        <expression>
                            <value>false</value>
                        </expression>
                        <condition>
                            <script>
                                <code>
                                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                                    import com.evolveum.midpoint.schema.constants.SchemaConstants;
                                    administrativeStatus == ActivationStatusType.DISABLED &amp;&amp; 
                                        // do not delete explicitly disabled accounts
                                        (disableReason == SchemaConstants.MODEL_DISABLE_REASON_DEPROVISION ||
                                         disableReason == SchemaConstants.MODEL_DISABLE_REASON_MAPPED);
                                </code>
                            </script>
                        </condition>
                    </outbound>
                </existence>
                <administrativeStatus>
                    <outbound>
                        <strength>strong</strength>
                        <expression>
                            <script>
                                <code>
                                    import com.evolveum.midpoint.xml.ns._public.common.common_3.ActivationStatusType;
                                    if (legal) {
                                        input;
                                    } else {
                                        ActivationStatusType.DISABLED;
                                    }
                                </code>
                            </script>
                        </expression>
                    </outbound>                
                </administrativeStatus>
            </activation>

In this example the "default existence" weak mapping is applied in normal circumstances, which means that the account exists under normal circumstances. But if the time constraint and the condition in the "delayed delete" mapping both evaluate to true, the "delayed delete" mapping is applied instead and "default existence" is ignored, which means that the account gets deleted.
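The decision described above can be traced with a small model. This is an added example, not midPoint code: it is a simplified Python model of the two existence mappings in the configuration, useful for checking which accounts an access review should expect to be deleted. The `Shadow` class, the function names and the disable-reason strings are assumptions made for the illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed stand-ins for the SchemaConstants.MODEL_DISABLE_REASON_* values.
DEPROVISION, MAPPED, EXPLICIT = "deprovision", "mapped", "explicit"


@dataclass
class Shadow:
    administrative_status: str            # "ENABLED" or "DISABLED"
    disable_reason: Optional[str] = None
    disable_timestamp: Optional[datetime] = None


def plus_one_month(ts: datetime) -> datetime:
    """Add the P1M offset, clamping the day to the length of the target month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def delayed_delete_applies(shadow: Shadow, now: datetime) -> bool:
    """Non-weak mapping: needs both the timeFrom constraint and the condition."""
    if shadow.disable_timestamp is None:
        return False  # assumption: no reference time means the mapping is not applied
    # Assumption of this model: the time boundary is treated as inclusive.
    time_ok = now >= plus_one_month(shadow.disable_timestamp)
    condition_ok = (shadow.administrative_status == "DISABLED"
                    and shadow.disable_reason in (DEPROVISION, MAPPED))
    return time_ok and condition_ok


def account_should_exist(focus_exists: bool, shadow: Shadow, now: datetime) -> bool:
    """Resolve the virtual existence target for one projection."""
    if delayed_delete_applies(shadow, now):
        return False          # "delayed delete" yields the constant false
    return focus_exists       # weak "default existence": $focusExists
```

An explicitly disabled account is never removed by "delayed delete" in this model, so it persists for as long as its focal object exists.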

Info

Although the existence mapping may technically have an inbound part as well, such a part is never used.

...