archetype-token.xml
<!--
  ~ Copyright (c) 2020 Evolveum and contributors
  ~
  ~ This work is dual-licensed under the Apache License 2.0
  ~ and European Union Public License. See LICENSE file for details.
  -->
<archetype xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
           xmlns:s="http://midpoint.evolveum.com/xml/ns/public/model/scripting-3"
           oid="e7bff8d1-cebd-4fbe-b935-64cfc2f22f52">
    <name>token</name>
    <documentation>A magic token has some special characteristics:
        1. It is held by at most a single user at a given time.
        2. It gives its holder some properties, e.g. the `organizationalUnit` obtains the value
           `T holders` for any token T held.
        3. On the other hand, it knows who holds it by storing the holder's `name` and `fullName` in
           its `description` property.
        Note that points 2 and 3 are implemented by induced mappings for this particular archetype.
        This means that they work only for active tokens. This is fully in accord with the magical
        character of the token: if it's inactive (e.g. disabled), it loses all its powers.
        (But what about triggering the changes? They obviously will stop for disabled tokens.)
        For a different approach, please see the "device" archetype.
    </documentation>
    <!-- Part 1: Data transfer itself: Mappings that - when evaluated - cause data to flow between objects. -->
    <!-- 1a: token -> user -->
    <inducement>
        <focusMappings>
            <mapping>
                <documentation>From token to user: putting 'T holders' into organizationalUnit.</documentation>
                <strength>strong</strength>
                <expression>
                    <script>
                        <code>assignmentPath[0].target.name + ' holders'</code>
                    </script>
                </expression>
                <target>
                    <path>organizationalUnit</path>
                    <set>
                        <predefined>all</predefined>
                    </set>
                </target>
            </mapping>
        </focusMappings>
        <order>2</order> <!-- executes on token holder -->
        <focusType>UserType</focusType>
    </inducement>
    <!-- 1b: user -> token -->
    <inducement>
        <focusMappings>
            <mapping>
                <documentation>From user to token: putting 'Held by ...' into token description.</documentation>
                <strength>strong</strength>
                <expression>
                    <script>
                        <code>import com.evolveum.midpoint.xml.ns._public.common.common_3.UserType
                            assignee = midpoint.findAssignee(UserType.class)
                            assignee != null ? 'Held by ' + assignee.name + ' (' + assignee.fullName + ')' : 'Not held'</code>
                    </script>
                </expression>
                <target>
                    <path>description</path>
                </target>
            </mapping>
        </focusMappings>
        <order>1</order> <!-- executes on token object -->
    </inducement>
    <!-- Part 2: Triggering data transfer: Policy rules that cause recomputation of relevant objects when needed. -->
    <!-- 2a: token -> user -->
    <inducement>
        <policyRule>
            <documentation>
                Recomputes a user when token name is changed. (Note that user is recomputed
                automatically when token is assigned or unassigned.)
            </documentation>
            <policyConstraints>
                <modification>
                    <item>name</item>
                </modification>
            </policyConstraints>
            <policyActions>
                <scriptExecution>
                    <object>
                        <linkSource/>
                    </object>
                    <executeScript>
                        <s:recompute/>
                    </executeScript>
                </scriptExecution>
            </policyActions>
        </policyRule>
        <order>1</order> <!-- assigned to token object, so executes when token is modified -->
    </inducement>
    <!-- 2b: user -> token -->
    <inducement>
        <policyRule>
            <documentation>
                Recomputes all tokens whose membership has changed.
            </documentation>
            <policyConstraints>
                <alwaysTrue/>
            </policyConstraints>
            <policyActions>
                <scriptExecution>
                    <object>
                        <linkTarget>
                            <changeSituation>changed</changeSituation>
                            <!-- i.e. all objects that brought this policy rule to the focus -->
                            <matchesRuleAssignment>true</matchesRuleAssignment>
                        </linkTarget>
                    </object>
                    <executeScript>
                        <s:recompute/>
                    </executeScript>
                </scriptExecution>
            </policyActions>
        </policyRule>
        <order>1</order> <!-- assigned to token object, so executes when assignment to it is added/modified (i.e. on the user) -->
    </inducement>
    <inducement>
        <policyRule>
            <documentation>Recomputes a token when user's name or fullName changes.</documentation>
            <policyConstraints>
                <or>
                    <modification>
                        <item>name</item>
                    </modification>
                    <modification>
                        <item>fullName</item>
                    </modification>
                </or>
            </policyConstraints>
            <policyActions>
                <scriptExecution>
                    <object>
                        <linkTarget>
                            <!-- i.e. all objects that brought this policy rule to the focus -->
                            <matchesRuleAssignment>true</matchesRuleAssignment>
                        </linkTarget>
                    </object>
                    <executeScript>
                        <s:recompute/>
                    </executeScript>
                </scriptExecution>
            </policyActions>
        </policyRule>
        <order>2</order> <!-- assigned to the user -->
    </inducement>
</archetype>